Posted to dev@hc.apache.org by Stojce Dimski <sd...@yahoo.it> on 2007/01/20 18:40:52 UTC

http-core proxy server

Hi Oleg, Roland and other submitters. I would like to ask some advice
about http-core.
For my current project I need to build a http/s proxy server with
following requirements
1) after serving the request need full read-only access to
request/response (status,header,content)
2) make it work through ssl but would have to 'see' the request/response
'in clear'

If I use 'NHttpServer.java' of 'module-nio' as a starting point and
modify the 'service' method to proxy the request to the destination, do
you think is a right direction ?
Is it possible to implement also ssl part this way so that for proxy is
transparent ?


---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org


Re: http-core proxy server

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Sat, 2007-01-20 at 18:40 +0100, Stojce Dimski wrote:
> Hi Oleg, Roland and other submitters. I would like to ask some advice
> about http-core.
> For my current project I need to build a http/s proxy server with
> following requirements
> 1) after serving the request need full read-only access to
> request/response (status,header,content)
> 2) make it work through ssl but would have to 'see' the request/response
> 'in clear'

Hi Stojce,

If the proxy is intended to transparently tunnel client SSL
connections, the proxy will not be able to 'see' the content of
requests. If, however, the clients connect to the proxy using plain
HTTP, the proxy will be able to see the message content.

> 
> If I use 'NHttpServer.java' of 'module-nio' as a starting point and
> modify the 'service' method to proxy the request to the destination, do
> you think is a right direction ?
> Is it possible to implement also ssl part this way so that for proxy is
> transparent ?
> 

HttpCore NIO presently does not support SSL. I am currently in the
process of adding SSL support, see HTTPCORE-26 [1]. 

I would recommend starting with the blocking I/O (HttpCore proper) at
first and move onto HttpCore NIO only if you really find yourself having
to deal with thousands of simultaneous connections.

Hope this helps

Oleg

[1] https://issues.apache.org/jira/browse/HTTPCORE-26




Re: http-core proxy server

Posted by Roland Weber <ht...@dubioso.net>.
[unedited from my drafts folder...]

Hello Stojce,

> 1) after serving the request need full read-only access to
> request/response (status,header,content)

It's no problem to make a deep copy of the request and response
objects with request/status line and headers. Content needs to
be buffered, so if you've got the memory or a fast external
storage to keep the copies...

> 2) make it work through ssl but would have to 'see' the request/response
> 'in clear'

That's called a man-in-the-middle attack. If you and the users
of your proxy don't care about security, it can be done. The
proxy has to intercept/buffer CONNECT requests, which precede
the SSL handshake. Then the proxy provides the SSL server socket,
which would normally be done by the target server. Of course the
proxy doesn't have the target server certificate, it has to use
a self-signed certificate. Your users have to import/accept that
proxy certificate. It will be tricky to manage the different
SSL connections your proxy will have to maintain with the target
servers for the different users. If SSL with client authentication
is used, you're finally out of luck.

> If I use 'NHttpServer.java' of 'module-nio' as a starting point and
> modify the 'service' method to proxy the request to the destination, do
> you think is a right direction ?

I can't tell you about NIO. Modifying a default server implementation
is the right way to go. Make sure you know about the different headers
that have to be modified, must not be modified, or must not be forwarded
by a proxy. Even a transparent, non-caching proxy is pretty tricky.

> Is it possible to implement also ssl part this way so that for proxy is
> transparent ?

With the exception of the certificate, see above. If it was possible
to intercept TLS/SSL communication transparently, a bunch of security
experts would be jumping left, right and center to fix the hole.

cheers,
  Roland
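
[Added example, not part of Roland's message and not HttpCore code: a sketch of the header handling a forwarding proxy needs, dropping the hop-by-hop headers of RFC 2616 section 13.5.1 plus anything named in Connection, and appending a Via entry. The class name, method name, proxy name and sample headers are assumptions made for illustration.]

```java
import java.util.*;

public class ProxyHeaderFilter {
    // Hop-by-hop headers (RFC 2616 section 13.5.1, plus the actual "Trailer" field name).
    static final Set<String> HOP_BY_HOP = Set.of(
        "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
        "te", "trailer", "trailers", "transfer-encoding", "upgrade");

    // Returns the headers a proxy may pass on, with its own Via entry appended.
    static List<String[]> forwardable(List<String[]> headers, String proxyName) {
        Set<String> drop = new HashSet<>(HOP_BY_HOP);
        // Every field named in a Connection header is hop-by-hop as well.
        for (String[] h : headers) {
            if (!h[0].equalsIgnoreCase("Connection")) continue;
            for (String token : h[1].split(",")) {
                String t = token.trim().toLowerCase(Locale.ROOT);
                if (!t.isEmpty()) drop.add(t);
            }
        }
        List<String[]> out = new ArrayList<>();
        for (String[] h : headers) {
            // End-to-end headers (Host, Authorization, Content-Type, ...) pass unchanged.
            if (!drop.contains(h[0].toLowerCase(Locale.ROOT))) out.add(h);
        }
        // Transfer-Encoding was dropped, so the caller must re-frame the body itself.
        out.add(new String[] {"Via", "1.1 " + proxyName});
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request as a client might send it to the proxy.
        List<String[]> request = List.of(
            new String[] {"Host", "www.example.org"},
            new String[] {"Connection", "keep-alive, X-Session-Hint"},
            new String[] {"Keep-Alive", "timeout=5"},
            new String[] {"X-Session-Hint", "abc"},
            new String[] {"Proxy-Authorization", "Basic ZGVtbzpkZW1v"},
            new String[] {"Authorization", "Bearer constructed-token"},
            new String[] {"Via", "1.0 upstream-cache"},
            new String[] {"Accept", "text/html"});
        for (String[] h : forwardable(request, "proxy.example")) {
            System.out.println(h[0] + ": " + h[1]);
        }
    }
}
```

[For the sample input, the forwarded set is Host, Authorization, the existing Via, Accept and the proxy's own Via; the proxy credentials and the Connection-listed X-Session-Hint do not reach the origin server.]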






Re: http-core proxy server

Posted by Roland Weber <ht...@dubioso.net>.
Hello Stojce,

> 2) make it work through ssl but would have to 'see' the request/response
> 'in clear'

Before I answer this question, would you please explain the purpose
of your project? You see, TLS/SSL connections are there for a reason:
they are used for *secure* communication of *confidential* data.

cheers,
  Roland

PS: Years ago, somebody asked on the OpenCard mailing list whether
    he could use the software to copy SIM cards for mobile phones...

