https://bz.apache.org/bugzilla/show_bug.cgi?id=65365
Bug ID: 65365
Summary: HTTP Tunneling (Forward Proxy) Support
Product: Tomcat 9
Version: 9.0.26
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
Created attachment 37893
--> https://bz.apache.org/bugzilla/attachment.cgi?id=37893&action=edit
HTTP Tunneling messages
Currently Tomcat 9.0 rejects CONNECT requests:
> HTTP Status 400 – Bad Request
> Message: Invalid URI
> Description: The server cannot or will not process the request due to
> something that is perceived to be a client error (e.g., malformed request
> syntax, invalid request message framing, or deceptive request routing).
Node.js "http" module supports CONNECT method natively.
Here are my thoughts on enabling HTTP Tunneling capability.
Basic ideas:
1). Update the HTTP/1.1 parser to support request lines like
```http
CONNECT example.com:443 HTTP/1.1
```
or
```http
OTHERMETHOD http://example.com/ HTTP/1.1
```
2). Update `HttpServletRequest#getRequestURI()` implementation, as commented
> Returns the part of this request's URL from the protocol name up to the query
> string in the first line of the HTTP request
That means `getRequestURI()` may return a raw URI value like
"http://example.com/" or "example.com:443".
3). A forward proxy SHOULD have the capability to abort the connection of a
request rather than respond with 200, 400 or 500, since the HTTP client doesn't
know who generates the HTTP response. It should respond with no response if the
upstream server cannot be reached.
For this reason, we need a mechanism to close the HTTP connection before the
status code is sent to the client, e.g. update `HttpServletResponse#setStatus()`
so that, if the status was set to some value like 0 or -1, then at
`HttpServletRequest#flushBuffer()` or the same phase, the underlying socket
connection is closed.
See a similar question:
https://stackoverflow.com/questions/3107631/how-to-close-a-http-connection-from-the-httpservlet
Security Consideration:
Apply the above changes only when `allowTunneling="true"` is configured in
`server.xml`
```xml
<Connector port="1080" protocol="HTTP/1.1" allowTunneling="true" />
```
Logging Consideration:
N/A
With the above changes, web developers can write their own forward proxy based on
Tomcat and the Servlet API.
See specification https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.6
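The request-target forms this report asks the parser to accept, as an added Java example (not Tomcat code and not the reporter's): it classifies a request line's target per RFC 7230 section 5.3 and accepts CONNECT's authority-form only when the proposed `allowTunneling` flag is on. The class and method names are hypothetical, and how an absolute-form target is then surfaced through `getRequestURI()` is left out.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example: hypothetical helper, not Tomcat code.
public class RequestTargetCheck {
    enum Form { ORIGIN, ABSOLUTE, AUTHORITY, ASTERISK, REJECTED }

    // allowTunneling mirrors the connector attribute proposed in the report.
    static Form classify(String method, String target, boolean allowTunneling) {
        if ("CONNECT".equals(method)) {
            // RFC 7230 5.3.3: CONNECT carries authority-form (host:port) only.
            return allowTunneling && isAuthority(target) ? Form.AUTHORITY : Form.REJECTED;
        }
        if (target.startsWith("/")) return Form.ORIGIN;
        if ("*".equals(target)) return "OPTIONS".equals(method) ? Form.ASTERISK : Form.REJECTED;
        try {
            // RFC 7230 5.3.2: absolute-form needs a scheme and a host.
            URI uri = new URI(target);
            return uri.getScheme() != null && uri.getHost() != null ? Form.ABSOLUTE : Form.REJECTED;
        } catch (URISyntaxException e) {
            return Form.REJECTED;
        }
    }

    // Strict host:port check: no userinfo, path, query or whitespace.
    static boolean isAuthority(String target) {
        int colon = target.lastIndexOf(':');
        if (colon <= 0 || colon == target.length() - 1) return false;
        String host = target.substring(0, colon);
        String port = target.substring(colon + 1);
        if (!host.matches("[A-Za-z0-9.-]+|\\[[0-9A-Fa-f:.]+\\]")) return false;
        if (!port.matches("[0-9]{1,5}")) return false;
        int p = Integer.parseInt(port);
        return p >= 1 && p <= 65535;
    }

    public static void main(String[] args) {
        // Constructed request lines; the first two are the forms quoted in the report.
        String[][] samples = {
            {"CONNECT", "example.com:443"}, {"OTHERMETHOD", "http://example.com/"},
            {"GET", "/index.html"}, {"CONNECT", "example.com"},
            {"CONNECT", "user@example.com:443"}, {"GET", "example.com:443"}};
        for (boolean allow : new boolean[] {false, true}) {
            for (String[] s : samples) {
                System.out.printf("allowTunneling=%b %s %s -> %s%n",
                        allow, s[0], s[1], classify(s[0], s[1], allow));
            }
        }
    }
}
```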