Categorygithub.com/grepplabs/reverse-http
modulepackage
0.0.1
Repository: https://github.com/grepplabs/reverse-http.git
Documentation: pkg.go.dev
Overview
Versions
1
Dependencies
1
Dependents
0
Files
6 SLOC

# README

reverse-http

Build Status License Release

Reverse HTTP proxy over QUIC protocol (RFC 9000).

Architecture

Standalone

Architecture

  • Agent connection process

    • An agent initiates a connection to the proxy server utilizing the QUIC protocol.
      • The connection between the agent and the proxy is persistent
    • Upon connection, the proxy server performs an agent authentication
    • The proxy keeps track of agents' connections
      • Each agent is uniquely identified by an agentID
      • Multiple agents can simultaneously connect to the proxy.
      • Only one connection per agentID is allowed.

  • Client connection process

    • Clients establish a connection with the HTTP proxy by issuing an HTTP CONNECT request. This standard method allows the client to specify the desired destination.
    • During the connection process, the proxy authenticates the connecting client using basic Proxy-Authorization, where the username is utilized to specify the agentID that the client wishes to connect to.
    • Once authenticated, the proxy server locates the corresponding agent's QUIC connection that is already being tracked.
    • Proxy opens a new QUIC stream to the agent and sends all subsequent data through it
    • The agent proceeds with the CONNECT procedure by establishing a new TCP connection to the requested destination.

HA setup

HA

  • Agent connection process
    • An agent initiates a connection to the UDP load balancer, which in turn establishes a connection with one of the proxy servers
    • Upon establishing a connection, the proxy server records an entry in memcached for an agentID along with its own HTTP proxy address.
  • Client connection process
    • Clients connect to the TCP load balancer, which then establishes a connection with one of the LB servers.
    • Upon connection, the LB server retrieves the HTTP proxy address and an agentID from Memcached.
      • The LB server then sends an HTTP CONNECT request to the proxy.

Build

build binary

make clean build

Quick requirements

https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes

sudo bash -c 'echo net.core.rmem_max=2500000 >> /etc/sysctl.conf'
sudo bash -c 'echo net.core.wmem_max=2500000 >> /etc/sysctl.conf'
sudo sysctl -p

Local test standalone

no auth

make start-proxy
make start-agent
curl -x "http://4711:noauth@localhost:3128" https://httpbin.org/ip

jwt auth

make start-proxy-jwt
make start-agent-jwt
make curl-proxy-jwt

Local test docker-compose

make TEST_AUTH=noauth docker-compose.run
make TEST_AGENT_ID=4711 curl-proxy
make TEST_AGENT_ID=4712 curl-proxy

Whitelisting patterns

localhost
localhost:80
localhost:1000-2000
*.zone
*.zone:80
*.zone:1000-2000
127.0.0.1
127.0.0.1:80
127.0.0.1:1000-2000
10.0.0.1/8
10.0.0.1/8:80
10.0.0.1/8:1000-2000
1000::/16
1000::/16:80
1000::/16:1000-2000
[2001:db8::1]/64
[2001:db8::1]/64:80
[2001:db8::1]/64:1000-2000
2001:db8::1
[2001:db8::1]
[2001:db8::1]:80
[2001:db8::1]:1000-2000

# Packages

No description provided by the author
No description provided by the author
No description provided by the author