Posted to dev@hc.apache.org by Roland Weber <os...@dubioso.net> on 2007/05/26 21:15:37 UTC

[HttpConn] proxy chains

Hi all,

I'm collecting my ideas on proxy chains. Please
take a brief look and give me a reality check.

The purpose of a proxy chain is to get through
more than one firewall. The client connects to
proxy1, proxy1 connects to proxy2,... and the
last proxy connects to the server.
For proxies 1...n-1, the connection needs to be
tunnelled, meaning that a CONNECT request is
sent and the proxy afterwards does not interpret
the transferred data anymore. The last proxy in
the chain can operate without a tunnel (unless
HTTPS is used of course), as if the client had
connected directly to it.
If HTTPS is to be used, all proxies need to be
tunnelled one after another, and finally an SSL
socket is layered over the end-to-end tunnel.

Does that make sense?
Do I miss important use cases?
Would anybody want to layer SSL between client
and one of the proxies rather than end-to-end?

thanks,
  Roland

---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org
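
The connection sequence described in the message above, written out as an added example; it is not part of the original post and not HttpClient code. The class and method names and the sample host names are hypothetical, and each hop is assumed to be given as "host:port".

```java
import java.util.ArrayList;
import java.util.List;

/** Added illustration with hypothetical names; not HttpClient's HttpRoute or RouteDirector. */
public class ProxyChainPlan {

    /** CONNECT request asking the current last hop to open a blind tunnel to authority (host:port). */
    static String connectRequest(String authority) {
        // HTTP/1.1 requires a Host header on every request, CONNECT included.
        return "CONNECT " + authority + " HTTP/1.1\r\nHost: " + authority + "\r\n\r\n";
    }

    /** One-line rendering of a CONNECT step for printing. */
    static String tunnelStep(String via, String authority) {
        return "via " + via + ": " + connectRequest(authority).trim().replace("\r\n", " | ")
                + "  (continue only on a 2xx response)";
    }

    /**
     * Ordered steps for reaching target through proxies (each "host:port").
     * Proxies 1..n-1 are always tunnelled; the last one only when secure is true.
     */
    static List<String> plan(List<String> proxies, String target, boolean secure) {
        List<String> steps = new ArrayList<>();
        if (proxies.isEmpty()) {
            steps.add("open TCP socket to " + target);
        } else {
            steps.add("open TCP socket to " + proxies.get(0));
            for (int i = 1; i < proxies.size(); i++) {
                steps.add(tunnelStep(proxies.get(i - 1), proxies.get(i)));
            }
            String last = proxies.get(proxies.size() - 1);
            steps.add(secure ? tunnelStep(last, target)
                    : "send requests with absolute URI http://" + target + "/... to " + last);
        }
        if (secure) {
            steps.add("layer SSL socket over the end-to-end connection to " + target);
        }
        return steps;
    }

    public static void main(String[] args) {
        // Constructed sample chain; host names are placeholders.
        List<String> chain = List.of("proxy1.example:8080", "proxy2.example:3128");
        plan(chain, "www.example.org:80", false).forEach(System.out::println);
        System.out.println("--");
        plan(chain, "www.example.org:443", true).forEach(System.out::println);
    }
}
```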


Re: [HttpConn] proxy chains - complete for now

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2007-05-28 at 20:03 +0200, Roland Weber wrote:
> Hi Oleg,
> 
> > Great! Could you please hold off any other major refactoring jobs until
> > post ALPHA1 time frame, though?
> 
> Proxy chains and param defaults were the only things on
> my list for client alpha 1. I hope I can scale back my
> efforts again. The baseline remains at one or two hours
> a week for HttpConn tests. It's been a bit more lately.
> 
> > I would like to complete all outstanding
> > tasks targeted for HttpCore 4.0-beta5 by mid June and release HttpClient
> > 4.0-alpha1 shortly after.
> 
> Are you going to release the two alphas simultaneously,
> or do you want to give the core release a head start?
> 

I would like to have them released pretty much simultaneously.
HttpClient ALPHA1 is the only reason to rush HttpCore ALPHA5.

Oleg

> cheers,
>   Roland
> 
> 


Re: [HttpConn] proxy chains - complete for now

Posted by Roland Weber <os...@dubioso.net>.
Hi Oleg,

> Great! Could you please hold off any other major refactoring jobs until
> post ALPHA1 time frame, though?

Proxy chains and param defaults were the only things on
my list for client alpha 1. I hope I can scale back my
efforts again. The baseline remains at one or two hours
a week for HttpConn tests. It's been a bit more lately.

> I would like to complete all outstanding
> tasks targeted for HttpCore 4.0-beta5 by mid June and release HttpClient
> 4.0-alpha1 shortly after.

Are you going to release the two alphas simultaneously,
or do you want to give the core release a head start?

cheers,
  Roland




Re: [HttpConn] proxy chains - complete for now

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2007-05-28 at 13:17 +0200, Roland Weber wrote:
> Hi all,
> 
> I've added proxy chain support to HttpRoute, RouteTracker,
> and RouteDirector based on the recently posted assumptions.
> That does _not_ mean we have support for proxy chains in
> HttpClient now.
> 
> ThreadSafeClientConnManager can not handle proxy chains,
> as routes with a proxy chain can not be converted to the
> deprecated HostConfiguration. This problem will eventually
> be solved when we rework the connection manager.
> 
> ManagedClientConnection can not handle proxy chains, as
> its API allows tunnelling only to the target host, not
> to a proxy. I will consider fixing this at some time,
> but not for client alpha 1. This can not be reasonably
> implemented until TSCCM is free of HostConfiguration.
> 

Hi Roland

Great! Could you please hold off any other major refactoring jobs until
post ALPHA1 time frame, though? I would like to complete all outstanding
tasks targeted for HttpCore 4.0-beta5 by mid June and release HttpClient
4.0-alpha1 shortly after.

> DefaultClientRequestDirector can not handle proxy chains,
> as it depends on ManagedClientConnection. Once TSCCM and
> MCC are updated, changing DCRD is painless.
> 
> The new functionality in HttpRoute and friends _can_ be
> used in applications based on OperatedClientConnection.
> 
> 
> I've tried to run the examples ClientExecuteDirect and
> ClientExecuteProxy. The latter obtained a status 400,
> and my proxy log shows:
>      client sent HTTP/1.1 request without hostname
> This may be a problem in DefaultClientRequestDirector
> when building the CONNECT request. If still necessary
> by then, I'll investigate next week-end.
> 

Fixed.

Oleg

> cheers,
>   Roland
> 


Re: [HttpConn] proxy chains - complete for now

Posted by Roland Weber <os...@dubioso.net>.
Hi all,

I've added proxy chain support to HttpRoute, RouteTracker,
and RouteDirector based on the recently posted assumptions.
That does _not_ mean we have support for proxy chains in
HttpClient now.

ThreadSafeClientConnManager can not handle proxy chains,
as routes with a proxy chain can not be converted to the
deprecated HostConfiguration. This problem will eventually
be solved when we rework the connection manager.

ManagedClientConnection can not handle proxy chains, as
its API allows tunnelling only to the target host, not
to a proxy. I will consider fixing this at some time,
but not for client alpha 1. This can not be reasonably
implemented until TSCCM is free of HostConfiguration.

DefaultClientRequestDirector can not handle proxy chains,
as it depends on ManagedClientConnection. Once TSCCM and
MCC are updated, changing DCRD is painless.

The new functionality in HttpRoute and friends _can_ be
used in applications based on OperatedClientConnection.


I've tried to run the examples ClientExecuteDirect and
ClientExecuteProxy. The latter obtained a status 400,
and my proxy log shows:
     client sent HTTP/1.1 request without hostname
This may be a problem in DefaultClientRequestDirector
when building the CONNECT request. If still necessary
by then, I'll investigate next week-end.

cheers,
  Roland



Re: [HttpConn] proxy chains

Posted by Roland Weber <os...@dubioso.net>.
Hi Oleg,

> Here's my take on the matter. Proxy chaining is only relevant for large
> corporations with complex security requirements and regulations.

I agree.

> Those
> people can usually afford to task a software engineer or two with
> writing a custom component to meet their specific requirements. You
> probably should not spend your time writing and testing all this
> non-trivial code (unless you feel like doing so, of course).

Surely not testing it (extensively).

> Support for
> proxy chaining should probably be donated to the project by an external
> (most likely commercial) entity. All we have to ensure is that HttpRoute
> is flexible enough to represent a chain of proxies. That's it.   

As discussed a few weeks ago, I don't want to open up HttpRoute
for custom extensions. So I'm looking for a way to represent
proxy chains in it by default. This affects the behavior and
therefore the description of some of the existing methods, that's
why I wanted to check back before starting to hack.
RouteTracker needs to be kept in sync with HttpRoute. We could
leave the RouteDirector without proxy chain support. I don't
think it's much effort to add it, as long as all proxies are
plain HTTP, and only the last one operates without a tunnel.
If I should be wrong in that point, I'll stop right there. The
RouteDirector is open for extension, so layering of sockets to
proxies rather than end-to-end is definitely a customization.

cheers,
  Roland




Re: [HttpConn] proxy chains

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Sat, 2007-05-26 at 21:15 +0200, Roland Weber wrote:
> Hi all,
> 
> I'm collecting my ideas on proxy chains. Please
> take a brief look and give me a reality check.
> 
> The purpose of a proxy chain is to get through
> more than one firewall. The client connects to
> proxy1, proxy1 connects to proxy2,... and the
> last proxy connects to the server.
> For proxies 1...n-1, the connection needs to be
> tunnelled, meaning that a CONNECT request is
> sent and the proxy afterwards does not interpret
> the transferred data anymore. The last proxy in
> the chain can operate without a tunnel (unless
> HTTPS is used of course), as if the client had
> connected directly to it.
> If HTTPS is to be used, all proxies need to be
> tunnelled one after another, and finally an SSL
> socket is layered over the end-to-end tunnel.
> 
> Does that make sense?
> Do I miss important use cases?
> Would anybody want to layer SSL between client
> and one of the proxies rather than end-to-end?
> 

Roland

Here's my take on the matter. Proxy chaining is only relevant for large
corporations with complex security requirements and regulations. Those
people can usually afford to task a software engineer or two with
writing a custom component to meet their specific requirements. You
probably should not spend your time writing and testing all this
non-trivial code (unless you feel like doing so, of course). Support for
proxy chaining should probably be donated to the project by an external
(most likely commercial) entity. All we have to ensure is that HttpRoute
is flexible enough to represent a chain of proxies. That's it.   

Oleg


> thanks,
>   Roland
> 