https://bz.apache.org/bugzilla/show_bug.cgi?id=66592
--- Comment #4 from radhika.j...@veritas.com <radhika.j...@veritas.com> ---

Hi Mark,

Thanks for your response. Here is some of my understanding and thoughts.

What is the use case for using proxying over TLS vs just using a direct TLS connection?

>> So some of our customers (websocket clients) have to connect to the websocket server endpoint hosted in the cloud. Some of the enterprise customers may engage an HTTPS proxy server in their IT infra which they cannot bypass; the connections have to be established via these proxy servers. Such customers are getting blocked in leveraging our services in the cloud.

If we do implement this (and it is still a big if at this stage in my view) would a custom user property such as "USE_SECURE_PROXY" be sufficient to meet the requirement? The idea being that you'd configure the http/https proxies as normal in Java and then, depending on this flag, Tomcat would connect to the proxy over a clear channel or TLS.

>> In my understanding, the https_proxy system property in Java is meant only to support the HTTPS protocol through the proxy server. This is not actually a secure proxy server, so I am not sure if it can function as expected. From the websocket client code, I understand that Tomcat is leveraging the Java http_proxy/https_proxy configuration only to pass the proxy server host and port information to the websocket client library, because ultimately a socket connection with the proxy server host and port gets established and then we send the HTTP "CONNECT" request to the proxy server to create the proxy tunnel over which HTTPS requests/responses between client and server get exchanged. The proxy server is no longer intercepting any of the data flow. These lines in the code:
======
private static ByteBuffer createProxyRequest(String host, int port, String authorizationHeader) {
    StringBuilder request = new StringBuilder();
    request.append("CONNECT ");
    request.append(host);
    request.append(':');
    request.append(port);
    request.append(" HTTP/1.1\r\nProxy-Connection: keep-alive\r\nConnection: keepalive\r\nHost: ");
    request.append(host);
    request.append(':');
    request.append(port);
    if (authorizationHeader != null) {
        request.append("\r\n");
        request.append(Constants.PROXY_AUTHORIZATION_HEADER_NAME);
        request.append(':');
        request.append(authorizationHeader);
    }
    request.append("\r\n\r\n");
    byte[] bytes = request.toString().getBytes(StandardCharsets.ISO_8859_1);
    return ByteBuffer.wrap(bytes);
}

// If sa is null, no proxy is configured so need to create sa
if (sa == null) {
    sa = new InetSocketAddress(host, port);
} else {
    proxyConnect = createProxyRequest(host, port,
            (String) userProperties.get(Constants.PROXY_AUTHORIZATION_HEADER_NAME));
}
...........
// Proxy CONNECT is clear text
channel = new AsyncChannelWrapperNonSecure(socketChannel);
writeRequest(channel, proxyConnect, timeout);
HttpResponse httpResponse = processResponse(response, channel, timeout);
======

Yes, I understand Java doesn't have any support for a TLS-terminating secure proxy server. I think, beyond setting the https_proxy server, there will be a need to do an SSL/TLS handshake with the secure proxy server in the websocket client library connecting code. The SSLContext to connect to the proxy server will be needed too:

config.getUserProperties().put("org.apache.tomcat.websocket.PROXY_SSL_CONTEXT", proxySSLContext);

A secure proxy server may not need the CONNECT method call so far, from what I understood, as there is no tunnel which gets established due to an HTTP CONNECT request. I am doubting how the upgrade request for the websocket protocol will function when a secure proxy server is in between. Need some investigation on that aspect; I am not too sure how it functions internally.
A reference to the Apache HTTPClient router used during the connection could bring more insight.
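As an added illustration of the flow the comment sketches (example code, not Tomcat's, written with blocking java.net sockets rather than Tomcat's AsyncChannelWrapper): TLS to the proxy first, CONNECT inside that session, then the origin's TLS layered on top, so the CONNECT line and any Proxy-Authorization header are no longer visible on the wire. It assumes the proxy still expects a CONNECT request over its own TLS session, as curl does with an https:// proxy URL; the class name, the proxyCtx parameter standing in for the suggested PROXY_SSL_CONTEXT property, and the hostname-verification step are assumptions of this example.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.*;
public class SecureProxyTunnel {
    // Same request shape as Tomcat's createProxyRequest(), returned as raw bytes.
    static byte[] connectRequest(String host, int port, String proxyAuthorization) {
        StringBuilder sb = new StringBuilder();
        sb.append("CONNECT ").append(host).append(':').append(port).append(" HTTP/1.1\r\n");
        sb.append("Host: ").append(host).append(':').append(port).append("\r\n");
        if (proxyAuthorization != null) {
            sb.append("Proxy-Authorization: ").append(proxyAuthorization).append("\r\n");
        }
        return sb.append("\r\n").toString().getBytes(StandardCharsets.ISO_8859_1);
    }
    // Reads the proxy's reply byte by byte (no read-ahead that could swallow the inner TLS handshake) and requires 2xx.
    static void expectTunnel(InputStream in) throws IOException {
        StringBuilder head = new StringBuilder();
        while (!head.toString().endsWith("\r\n\r\n")) {
            int b = in.read();
            if (b == -1) throw new IOException("proxy closed the connection before the tunnel was up");
            head.append((char) b);
        }
        String status = head.toString().split("\r\n", 2)[0];
        if (!status.matches("HTTP/1\\.[01] 2\\d\\d.*")) {
            throw new IOException("proxy refused the tunnel: " + status); // e.g. 407 without credentials
        }
    }
    // proxyCtx plays the role of the PROXY_SSL_CONTEXT user property suggested above (hypothetical); originCtx is the SSLContext already used for the wss:// endpoint.
    static SSLSocket open(String proxyHost, int proxyPort, SSLContext proxyCtx, String proxyAuthorization,
                          String host, int port, SSLContext originCtx) throws IOException {
        Socket tcp = new Socket(proxyHost, proxyPort);
        // 1. TLS to the proxy itself: CONNECT and Proxy-Authorization no longer travel in clear text.
        SSLSocket toProxy = (SSLSocket) proxyCtx.getSocketFactory().createSocket(tcp, proxyHost, proxyPort, true);
        toProxy.startHandshake();
        // 2. CONNECT inside that session establishes the tunnel.
        OutputStream out = toProxy.getOutputStream();
        out.write(connectRequest(host, port, proxyAuthorization));
        out.flush();
        expectTunnel(toProxy.getInputStream());
        // 3. Second TLS session to the origin layered over the first (TLS-in-TLS); the WebSocket upgrade request is then written to this socket as usual.
        SSLSocket toOrigin = (SSLSocket) originCtx.getSocketFactory().createSocket(toProxy, host, port, true);
        SSLParameters params = toOrigin.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // verify the origin's certificate name
        toOrigin.setSSLParameters(params);
        toOrigin.startHandshake();
        return toOrigin;
    }
}
```

The proxy-side SSLContext can be given the same endpoint identification setting so that the proxy's certificate name is checked as well, not only the origin's.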