Add support for proxying HTTPS server connections on the client side

[ktoso]

Issue by sirthias
Monday Oct 27, 2014 at 15:52 GMT
Originally opened as akka/akka#16153

---

Required for one connection:

1. Establish plain-text connection to proxy
2. Send plain-text CONNECT target.host:443 HTTP/1.1 request to the proxy
3. Wait for 2xx response (afterwards all communication on the connection will be directly tunneled through to the target host)
4. Start SSL handshake, i.e. upgrade the connection to TLS/SSL
5. Send the actual requests, read actual responses

This feature should likely be implemented on the level of host-level client-side API as in most cases you'll want a managed connection pool to the proxy.

Some pointers:

• http://tools.ietf.org/html/rfc2817#section-5.2 (The other "upgrading a connection" parts of that RFC appear to be rarely used)
• http://stackoverflow.com/questions/6594604/connect-request-to-a-forward-http-proxy-over-an-ssl-connection/6594880#6594880

[ktoso]

Comment by sirthias
Monday Oct 27, 2014 at 15:55 GMT

---

/cc @jrudolph

[ktoso]

Comment by mackler
Tuesday Oct 28, 2014 at 19:41 GMT

---

+1

[ktoso]

Comment by mlenner
Monday Nov 03, 2014 at 15:03 GMT

---

+1

[ktoso]

Comment by salanki
Tuesday Mar 31, 2015 at 21:59 GMT

---

+1

[ktoso]

Comment by jkew
Tuesday Apr 07, 2015 at 22:21 GMT

---

+1

[ktoso]

Comment by rikardNL
Tuesday May 26, 2015 at 05:33 GMT

---

+1

[ktoso]

Comment by gonstr
Thursday May 28, 2015 at 11:47 GMT

---

+1

[ktoso]

Comment by bdwashbu
Wednesday Jul 15, 2015 at 15:01 GMT

---

+1

[ktoso]

Comment by ktoso
Wednesday Jul 15, 2015 at 21:10 GMT

---

Relates to akka/akka#17976

[ktoso]

Comment by nilsga
Tuesday Oct 27, 2015 at 07:52 GMT

---

+1

[ktoso]

Comment by carl297r
Thursday Nov 05, 2015 at 02:22 GMT

---

+1

[ktoso]

Comment by ktoso
Thursday Nov 12, 2015 at 00:41 GMT

---

Logging a "very big" +1 here, we may want to think how and when we could address this.

[ktoso]

Comment by ashugupt
Monday Dec 28, 2015 at 09:01 GMT

---

+1

[ktoso]

Comment by Madder
Monday Dec 28, 2015 at 13:56 GMT

---

+1

[ktoso]

Comment by mirelon
Thursday Feb 04, 2016 at 14:16 GMT

---

+1

[ktoso]

Comment by ktoso
Wednesday Feb 10, 2016 at 11:05 GMT

---

Logging another +1 (for my reference, sorry for the noise)

[ktoso]

Comment by andrasp3a
Wednesday Mar 30, 2016 at 09:43 GMT

---

+1

[ktoso]

Comment by rahulsinghai
Thursday Mar 31, 2016 at 15:44 GMT

---

+1

[ktoso]

Comment by mlangc
Wednesday Apr 20, 2016 at 07:27 GMT

---

+1

[ktoso]

Comment by lregnier
Friday Apr 29, 2016 at 14:49 GMT

---

+1

[ktoso]

Comment by douglaz
Wednesday Jun 29, 2016 at 14:43 GMT

---

+1000

[ktoso]

Comment by ktoso
Wednesday Jun 29, 2016 at 14:44 GMT

---

Akka team won't be able (time wise) to pick up this issue in the short-term, so we'd like to encourage you to try to contribute this feature, or contact us if you'd like sponsor its development.

[ktoso]

Comment by nanothermite
Wednesday Aug 24, 2016 at 17:46 GMT

---

+1

[ktoso]

Comment by greenhost87
Thursday Sep 01, 2016 at 20:43 GMT

---

+1

[ktoso]

Comment by nemccarthy
Thursday Sep 08, 2016 at 02:07 GMT

---

+1

[ktoso]

Comment by Yeitijem
Thursday Sep 08, 2016 at 12:50 GMT

---

+1

[hensg]

+1

[jesinity]

+1

[kstokoz]

+1

[rklaehn]

Any update on this? Every single corporate firewall on the planet requires you to connect to the outside world via an https proxy, so not having this makes the akka-http client functionality pretty much useless.

[mcamou]

+1

[johanandren]

Note that a PR is worth more than a million +1s. (Also please use the reaction button instead of spamming this ticket with +1 comments, thanks!)

[alvarow]

+1, but if the +1 is not enough to express interest, I can always write: PLEASE FIX THIS, I AM INTERESTED IN SEEING THIS FIXED.

[note]

I was playing around this issue and managed to complete HTTPS request via proxy. Here is my code: https://github.com/akka/akka-http/compare/master...note:192-https-proxy?expand=1. It's not ready to be a PR, there is still a lot of work to do, I am mostly sharing it for early validation. So the solution boils down to having additional GraphStage (I called it ProxyGraphStage) between tlsStage and transportFlow. Its only goal is to send CONNECT, wait for OK answer and then simply forward all messages untouched. In future there should be correct error handling and so on. @jrudolph Does such approach makes sense? If it makes sense I will work further on this and prepare a PR.

[jrudolph]

Great work, @note for taking a stab at it. I just opened another PR yesterday which could be used as groundwork for it: it allows to redefine the transport the pool (or a single client connection) uses to access a host. The only predefined transport so far would be the existing TCP transport. Your HTTPS proxy support could be an HttpsProxyTransport, then we could have a SOCKS transport etc.

The basic change you would need to do is to include your underlying TCP connection to the HTTPS proxy into your code. Apart from that no changes to the existing http-core infrastructure would be necessary. WDYT?

It certainly looks promising, so please open a PR. I'll try to merge my PR this week so you can rebase on top of that.

[ktoso]

For reference, the pluggable transport PR #917

[note]

@jrudolph Thanks for your feedback, your PR seems very helpful - with that I think there's a great chance I will be able to implement Https proxy without touching Http.scala at all. Will continue to work on this at latest on Monday.

[jrudolph]

Great, thanks, @note. We (and lots of other people) are looking forward to it.