Posted to dev@apisix.apache.org by Kwanhur Huang <hu...@163.com> on 2022/05/14 02:18:04 UTC

[Feature] [Discuss] Support HTTP connect tunnel

Hi, community,

In some datacenters, accessing internet web sites (HTTPS) from the intranet requires making the SSL tunnel request[1] with the HTTP CONNECT method[2].

For example, one datacenter plans security zones with DMZ[3], SF and PTR; web servers placed in the DMZ can access the internet, but not the SF and PTR.
If web servers in SF access the internet, they need a transparent proxy through the DMZ via an HTTP CONNECT tunnel.

Nginx and OpenResty can support this with ngx_http_proxy_connect_module[4].

If Apache APISIX integrates with this module or a similar one, we can make it a transparent proxy server.

Hope to hear your voice.



[1] https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling
[2] https://tools.ietf.org/html/rfc7231#section-4.3.6
[3] https://en.wikipedia.org/wiki/DMZ_(computing)
[4] https://github.com/chobits/ngx_http_proxy_connect_module


Kwanhur Huang
TL;DR
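
An added example, not part of the original post and not code from APISIX or ngx_http_proxy_connect_module: a Python sketch of the destination check a DMZ forward proxy would apply to a CONNECT request line before it opens the tunnel. The allowed port set, the blocked address ranges and the sample request lines are assumptions constructed for illustration.

```python
import ipaddress

ALLOWED_PORTS = {443}  # assumption: tunnels are only for outbound HTTPS
# Assumption: internal and loopback ranges the DMZ proxy must never tunnel into.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_connect(request_line):
    """Parse 'CONNECT host:port HTTP/1.x' (authority-form, RFC 7231 4.3.6)."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        raise ValueError("not a CONNECT request line")
    host, sep, port = parts[1].rpartition(":")
    if not (sep and host and port.isascii() and port.isdigit()
            and 0 < int(port) < 65536):
        raise ValueError("target must be host:port with a valid port")
    if host.startswith("["):  # IPv6 literal such as [2001:db8::1]
        if not host.endswith("]"):
            raise ValueError("malformed IPv6 literal")
        host = str(ipaddress.IPv6Address(host[1:-1]))  # ValueError if invalid
    elif any(c in host for c in ":/@"):
        raise ValueError("target is not in authority-form")
    return host.lower(), int(port)


def decide(request_line):
    """Return the status line to send before any bytes are relayed."""
    try:
        host, port = parse_connect(request_line)
    except ValueError:
        return "HTTP/1.1 400 Bad Request"
    if port not in ALLOWED_PORTS:
        return "HTTP/1.1 403 Forbidden"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # hostname: re-check the resolved address before connecting
    if addr is not None:
        addr = getattr(addr, "ipv4_mapped", None) or addr  # ::ffff:10.0.0.1 -> 10.0.0.1
        if any(addr in net for net in BLOCKED_NETS):
            return "HTTP/1.1 403 Forbidden"
    return "HTTP/1.1 200 Connection Established"


if __name__ == "__main__":
    for line in ("CONNECT example.com:443 HTTP/1.1", "CONNECT 10.1.2.3:443 HTTP/1.1"):
        print(line, "->", decide(line))  # constructed sample request lines
```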


Re: [Feature] [Discuss] Support HTTP connect tunnel

Posted by shirui zhao <zh...@gmail.com>.
Agree with @spacewander.

> On May 16, 2022, at 11:33, Zexuan Luo <sp...@apache.org> wrote:
> 
> It looks like it is the duty of a forward proxy but not of an API gateway?
> We should focus on a few areas instead of acting as a general proxy.
> 
> tzssangglass <tz...@apache.org> wrote on Mon, May 16, 2022 at 11:26:
>> 
>> Does this need to be supported by APISIX in code? Or is it just a matter
>> of adding new modules when compiling apisix-base?
>> 
>> *ZhengSong Tu*
>> My GitHub: https://github.com/tzssangglass
>> Apache APISIX: https://github.com/apache/apisix
>> 
>> 
>> On May 14, 2022 at 10:18:04, Kwanhur Huang <hu...@163.com> wrote:
>> 
>>> Hi, community,
>>> 
>>> In some datacenters, accessing internet web sites (HTTPS) from the
>>> intranet requires making the SSL tunnel request[1] with the HTTP CONNECT
>>> method[2].
>>> 
>>> For example, one datacenter plans security zones with DMZ[3], SF and PTR;
>>> web servers placed in the DMZ can access the internet, but not the SF and
>>> PTR.
>>> If web servers in SF access the internet, they need a transparent proxy
>>> through the DMZ via an HTTP CONNECT tunnel.
>>> 
>>> Nginx and OpenResty can support this with ngx_http_proxy_connect_module[4].
>>> 
>>> If Apache APISIX integrates with this module or a similar one, we can make
>>> it a transparent proxy server.
>>> 
>>> Hope to hear your voice.
>>> 
>>> 
>>> 
>>> [1] https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling
>>> [2] https://tools.ietf.org/html/rfc7231#section-4.3.6
>>> [3] https://en.wikipedia.org/wiki/DMZ_(computing)
>>> [4] https://github.com/chobits/ngx_http_proxy_connect_module
>>> 
>>> 
>>> Kwanhur Huang
>>> TL;DR
>>> 
>>> 


Re: [Feature] [Discuss] Support HTTP connect tunnel

Posted by Zexuan Luo <sp...@apache.org>.
It looks like it is the duty of a forward proxy but not of an API gateway?
We should focus on a few areas instead of acting as a general proxy.

tzssangglass <tz...@apache.org> wrote on Mon, May 16, 2022 at 11:26:
>
> Does this need to be supported by APISIX in code? Or is it just a matter
> of adding new modules when compiling apisix-base?
>
> *ZhengSong Tu*
> My GitHub: https://github.com/tzssangglass
> Apache APISIX: https://github.com/apache/apisix
>
>
> On May 14, 2022 at 10:18:04, Kwanhur Huang <hu...@163.com> wrote:
>
> > Hi, community,
> >
> > In some datacenters, accessing internet web sites (HTTPS) from the
> > intranet requires making the SSL tunnel request[1] with the HTTP CONNECT
> > method[2].
> >
> > For example, one datacenter plans security zones with DMZ[3], SF and PTR;
> > web servers placed in the DMZ can access the internet, but not the SF and
> > PTR.
> > If web servers in SF access the internet, they need a transparent proxy
> > through the DMZ via an HTTP CONNECT tunnel.
> >
> > Nginx and OpenResty can support this with ngx_http_proxy_connect_module[4].
> >
> > If Apache APISIX integrates with this module or a similar one, we can make
> > it a transparent proxy server.
> >
> > Hope to hear your voice.
> >
> >
> >
> > [1] https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling
> > [2] https://tools.ietf.org/html/rfc7231#section-4.3.6
> > [3] https://en.wikipedia.org/wiki/DMZ_(computing)
> > [4] https://github.com/chobits/ngx_http_proxy_connect_module
> >
> >
> > Kwanhur Huang
> > TL;DR
> >
> >

Re: [Feature] [Discuss] Support HTTP connect tunnel

Posted by tzssangglass <tz...@apache.org>.
Does this need to be supported by APISIX in code? Or is it just a matter
of adding new modules when compiling apisix-base?

*ZhengSong Tu*
My GitHub: https://github.com/tzssangglass
Apache APISIX: https://github.com/apache/apisix


On May 14, 2022 at 10:18:04, Kwanhur Huang <hu...@163.com> wrote:

> Hi, community,
>
> In some datacenters, accessing internet web sites (HTTPS) from the
> intranet requires making the SSL tunnel request[1] with the HTTP CONNECT
> method[2].
>
> For example, one datacenter plans security zones with DMZ[3], SF and PTR;
> web servers placed in the DMZ can access the internet, but not the SF and
> PTR.
> If web servers in SF access the internet, they need a transparent proxy
> through the DMZ via an HTTP CONNECT tunnel.
>
> Nginx and OpenResty can support this with ngx_http_proxy_connect_module[4].
>
> If Apache APISIX integrates with this module or a similar one, we can make
> it a transparent proxy server.
>
> Hope to hear your voice.
>
>
>
> [1] https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling
> [2] https://tools.ietf.org/html/rfc7231#section-4.3.6
> [3] https://en.wikipedia.org/wiki/DMZ_(computing)
> [4] https://github.com/chobits/ngx_http_proxy_connect_module
>
>
> Kwanhur Huang
> TL;DR
>
>