https://bz.apache.org/bugzilla/show_bug.cgi?id=65365

            Bug ID: 65365
           Summary: HTTP Tunneling (Forward Proxy) Support
           Product: Tomcat 9
           Version: 9.0.26
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: fuweic...@gmail.com
  Target Milestone: -----

Created attachment 37893
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37893&action=edit
HTTP Tunneling messages

Currently Tomcat 9.0 rejects CONNECT requests:

> HTTP Status 400 – Bad Request
> Message: Invalid URI
> Description: The server cannot or will not process the request due to 
> something that is perceived to be a client error (e.g., malformed request 
> syntax, invalid request message framing, or deceptive request routing).

Node.js "http" module supports CONNECT method natively.

Here are my thoughts on enabling HTTP Tunneling capability.

Basic ideas:

1). Update the HTTP/1.1 parser to support request lines like

```http
CONNECT example.com:443 HTTP/1.1
```
or
```http
OTHERMETHOD http://example.com/ HTTP/1.1
```

2). Update the `HttpServletRequest#getRequestURI()` implementation, as commented:

> Returns the part of this request's URL from the protocol name up to the query 
> string in the first line of the HTTP request

That means `getRequestURI()` may return a raw URI value like
"http://example.com/".

 "example.com:443"

3). A forward proxy SHOULD have the capability to abort the connection of a
request rather than respond with 200, 400 or 500, since the HTTP client doesn't
know who generates the HTTP response. It should respond with no response if the
upstream server cannot be reached.

For this reason, we need a mechanism to close the HTTP connection before the
status code is sent to the client. For example, update
`HttpServletResponse#setStatus()` so that if the status was set to some value
like 0 or -1, then at `HttpServletRequest#flushBuffer()` or the same phase, the
underlying socket connection is closed.

See similar question
https://stackoverflow.com/questions/3107631/how-to-close-a-http-connection-from-the-httpservlet


Security Consideration:

Apply the above changes only when `allowTunneling="true"` is configured in
`server.xml`:

```xml
<Connector port="1080" protocol="HTTP/1.1" allowTunneling="true" />
```


Logging Consideration:
N/A

With the above changes, web developers can write their own forward proxy based
on Tomcat and the Servlet API.

See specification https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.6

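The request-line forms discussed in the report, as an added example that is not part of the original report and is not Tomcat code: a classifier for the four request-target forms of RFC 7230 section 5.3 that only admits the proxy forms when a flag modelled on the proposed `allowTunneling` attribute is set. The class name, method name and sample inputs are hypothetical, and gating absolute-form behind the flag follows the report's proposal rather than any existing Tomcat behaviour.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not Tomcat code: class and method names are hypothetical.
public class RequestTargetDemo {
    enum Form { ORIGIN, ABSOLUTE, AUTHORITY, ASTERISK }

    // allowTunneling mirrors the Connector attribute proposed in the report.
    static Form classify(String method, String target, boolean allowTunneling)
            throws URISyntaxException {
        if (method.equals("CONNECT")) {
            if (!allowTunneling) throw new IllegalArgumentException("CONNECT disabled");
            // authority-form: host:port only, no scheme, userinfo, path or query
            URI u = new URI("tunnel://" + target);
            if (u.getHost() == null || u.getPort() < 1 || u.getPort() > 65535
                    || u.getRawUserInfo() != null || !u.getRawPath().isEmpty()
                    || u.getRawQuery() != null || u.getRawFragment() != null) {
                throw new IllegalArgumentException("bad authority-form target");
            }
            return Form.AUTHORITY;
        }
        if (target.startsWith("/")) return Form.ORIGIN;
        if (target.equals("*") && method.equals("OPTIONS")) return Form.ASTERISK;
        // absolute-form, gated here as the report proposes
        if (!allowTunneling) throw new IllegalArgumentException("proxy target disabled");
        URI u = new URI(target);
        boolean http = "http".equalsIgnoreCase(u.getScheme())
                || "https".equalsIgnoreCase(u.getScheme());
        if (!http || u.getHost() == null || u.getRawFragment() != null) {
            throw new IllegalArgumentException("bad absolute-form target");
        }
        return Form.ABSOLUTE;
    }

    public static void main(String[] args) {
        String[][] samples = {   // constructed request lines: method, target
            {"CONNECT", "example.com:443"}, {"GET", "http://example.com/"},
            {"GET", "/index.html"}, {"CONNECT", "example.com"},
            {"CONNECT", "user@example.com:443"}, {"CONNECT", "example.com:443/x"},
            {"GET", "ftp://example.com/"}
        };
        for (String[] s : samples) {
            try {
                System.out.println(s[0] + " " + s[1] + " -> " + classify(s[0], s[1], true));
            } catch (IllegalArgumentException | URISyntaxException e) {
                System.out.println(s[0] + " " + s[1] + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

A forward proxy built on this would still need its own policy for which destination hosts and ports a tunnel may reach; the classifier only checks the syntax of the target.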