Proxy Concepts

I separated this content from the original Envoy proxy blog post to make it shorter. The original Envoy proxy post was trimmed to focus on Envoy concepts and demos.

General Proxy Related Concepts

YouTube channel about proxy basics.

1. What is a Proxy (Server)?

A proxy is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.

2. What are a Forward Proxy (Proxy) and a Reverse Proxy?

  • Forward proxy: anonymity, caching, blocking unwanted sites, geofencing.
  • Reverse proxy: load balancing, ingress, caching, isolating internal traffic, logging, canary deployment.

A forward proxy is a proxy connecting from private to public IP space (which was the original idea of a proxy), while a reverse proxy connects from public to private IP space, e.g. mapping different web servers behind the proxy to a single public IP.

How does a forward proxy know the final destination? Via the Host header, starting from HTTP/1.1. Ping will not pass through an HTTP proxy: it is a lower-layer (L3) protocol. In other words, not all traffic goes through the proxy; you can also configure which requests use the proxy and which do not.

A proxy can add an extra header to tell the server the originating IP: the X-Forwarded-For header. Proxies are protocol-specific: an HTTP proxy (for HTTP, but it can be upgraded to support tunnelling), a SOCKS proxy (L4 only).

NOTE: A reverse proxy is not necessarily a load balancer. A load balancer is one kind of reverse proxy.

3. What is an HTTP Tunnel?

Well explained on Wikipedia:

The most common form of HTTP tunneling is the standardized HTTP CONNECT method.

In this mechanism, the client asks an HTTP proxy to forward the TCP connection to the desired destination. The proxy server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the proxy server continues to proxy the TCP stream to and from the client. Only the initial connection request is HTTP - after that, the server simply proxies the established TCP connection.

This mechanism is how a client behind an HTTP proxy can access websites using SSL or TLS (i.e. HTTPS). Proxy servers may also limit connections by only allowing connections to the default HTTPS port 443, whitelisting hosts, or blocking traffic which doesn’t appear to be SSL.

A proxy server that passes unmodified requests and responses is usually called a gateway or sometimes a tunnelling proxy (from the Wikipedia "Proxy server" article).

NOTE: For more details, see my Envoy proxy demo on GitHub.

4. What is an HTTP Proxy?

An HTTP proxy is a proxy server that speaks the HTTP protocol. It is specifically made for HTTP connections but can also be used (some would say abused) for other protocols, which is more or less standard by now.

Examples of using curl with an HTTP proxy for plain HTTP or HTTPS (through the CONNECT method, if the proxy supports it!):

The -p (--proxytunnel) flag is not necessary for HTTPS; curl will ask for a tunnel by itself. But if you want to explicitly tunnel other protocols such as FTP, you need to specify this flag (of course the proxy needs to support the CONNECT method).

Also be aware that newer curl versions support an HTTPS proxy, i.e. the connection to the proxy itself is over SSL/TLS (this is not a tunnel; see the curl man page): -x https://<proxy-url>:<port>. Otherwise -x <proxy-url>:<port> defaults to http://.

NOTE: For more details, see my Envoy proxy demo on GitHub, especially how to use curl to tunnel other protocols.
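The CONNECT exchange described in sections 3 and 4, as an added example that is not from the original post or the Envoy demo: a minimal decision function for a CONNECT-handling proxy that parses the request line, applies the kind of policy mentioned above (only port 443, only allow-listed hosts), and then checks that what the client sends through the opened tunnel looks like TLS. The allow-list and the sample request are constructed for the example.

```python
import re

# Constructed policy for this example: tunnel only to these hosts, and only on 443.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
ALLOWED_PORTS = {443}


def parse_connect(request: bytes):
    """Parse the request line of an HTTP CONNECT request.

    Returns (host, port) for e.g. b'CONNECT example.com:443 HTTP/1.1',
    or None if the request is not a well-formed CONNECT.
    """
    line = request.split(b"\r\n", 1)[0]
    m = re.fullmatch(rb"CONNECT (\S+):(\d{1,5}) HTTP/1\.[01]", line)
    if m is None:
        return None
    host, port = m.group(1).decode("ascii"), int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return host, port


def decide_connect(request: bytes) -> bytes:
    """Return the status line the proxy answers with: 200 opens the tunnel,
    403 rejects a destination outside the policy, 400 rejects a non-CONNECT."""
    parsed = parse_connect(request)
    if parsed is None:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    host, port = parsed
    if host.lower() not in ALLOWED_HOSTS or port not in ALLOWED_PORTS:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection Established\r\n\r\n"


def looks_like_tls(first_bytes: bytes) -> bool:
    """After the 200, the first bytes the client sends over the tunnel should be a
    TLS record: content type 0x16 (handshake) followed by major version 0x03.
    A proxy that only wants to carry HTTPS can close the tunnel otherwise."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


if __name__ == "__main__":
    # Constructed exchange: what curl -x proxy:3128 https://example.com/ sends first.
    req = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
    print(decide_connect(req))                 # b'HTTP/1.1 200 Connection Established\r\n\r\n'
    print(looks_like_tls(b"\x16\x03\x01\x02\x00\x01"))   # True: a TLS ClientHello follows
    print(looks_like_tls(b"SSH-2.0-OpenSSH"))  # False: something else sent through the tunnel
```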

5. Can Proxy & Reverse Proxy be Used in the Same Place?

Yes, for example in a service mesh.

6. VPN vs Forward Proxy.

Proxy vs VPN, what’s the difference

Main differences:

  • A VPN encrypts the traffic all the way; a proxy (SOCKS, etc.) does not.
  • A VPN covers all traffic; a proxy works at the application level (a specific app or browser).

7. L4 and L7 Reverse Proxy.

An L7 proxy works at layer 7: it forwards the request only after it has been completely received. The proxy inspects the client request and assembles a new request to the target server.

An L4 proxy works at layer 4 (packet level): it forwards the request packets to the target server immediately (it does not wait for all packets).

8. TLS Termination Proxy and TLS Forward Proxy.

TLS termination proxy:

               (proxy cert)
client <=================> proxy <------------------> servers
            https                       http

TLS forward proxy, which is not tunnelling (for the tunnel type, "tunnelling proxy" is perhaps the better name):

               (proxy cert)                  (server cert)
client <=================> proxy <==================> servers
            https                       https

9. SNI.

SNI (Server Name Indication) is an extension to TLS that allows a client to specify which hostname it is attempting to connect to at the start of the TLS handshake. (It is needed because a single virtual server may host several secure web sites, and the Host header is hidden inside TLS.)

SNI sends the host name in clear text, since it is in the first hello message of the handshake. ESNI is a newer proposal to encrypt the SNI in the hello message.

Demo: launch 3 web sites on a laptop: 127.0.0.1:8080, 127.0.0.1:8081, 127.0.0.1:8082, plus haproxy on 0.0.0.0:80 (reverse proxy), and configure the router to route inbound internet traffic to haproxy to mimic the situation in a public cloud.

Then use noip to create 3 different domain names and assign the router's public IP to each domain name.

If HTTP is used, the domains being accessed differ but the IP behind them is the same; according to haproxy's internal configuration, the Host header is parsed and traffic is forwarded to the corresponding web site.

If HTTPS is to be used, use certbot to generate 3 certs and private keys corresponding to the 3 web sites, then configure haproxy to use SSL/TLS with these certs. At this point, because haproxy can no longer see the Host header, SNI comes into play, so that the client (browser) can obtain the correct cert. Here haproxy should be doing TLS termination.

This demo explains the part of the Envoy demo I did not understand at the time: it actually just changed the router's configuration, which is why a noip domain could be used to reach the private web site!

There is also an Envoy sandbox for a TLS SNI demo.
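How a reverse proxy like the haproxy in the demo can pick a backend from the SNI before any decryption, as an added example that is not part of the original post or the Envoy sandbox: a parser that walks a TLS ClientHello to the server_name extension, a routing table standing in for the three noip names (the hostnames and backend addresses are constructed placeholders), and a builder for sample ClientHello bytes so it runs offline.

```python
import struct

# Constructed table: three placeholder names mapped to the demo's three local sites.
BACKENDS = {"site1.example.com": "127.0.0.1:8080",
            "site2.example.com": "127.0.0.1:8081",
            "site3.example.com": "127.0.0.1:8082"}

def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a TLS ClientHello, or None."""
    try:
        if record[0] != 0x16 or record[1] != 0x03 or record[5] != 0x01:
            return None                                     # not a TLS handshake record holding a ClientHello
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]    # ClientHello body after the 4-byte handshake header
        pos = 2 + 32                                        # client_version + random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:                               # walk the extensions
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0x0000:                             # 0 = server_name
                continue
            p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while p + 3 <= list_end:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0 and len(data) >= p + 3 + nlen:   # 0 = host_name, and not truncated
                    return data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                # truncated or malformed: treat as no SNI
    return None

def route(record: bytes):
    """Pick the backend for a ClientHello by its SNI, as haproxy does in the demo."""
    name = extract_sni(record)
    return BACKENDS.get(name.lower()) if name else None

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying only an SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)            # version, random, no session, 1 suite, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```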
