[web-devel] http-enumerator connecting via a http proxy

Michael Snoyman michael at snoyman.com
Mon May 16 20:50:56 CEST 2011


On Sat, May 14, 2011 at 2:55 PM, Erik de Castro Lopo
<mle+hs at mega-nerd.com> wrote:

> Michael Snoyman wrote:
>
> > > I've implemented four functions; proxyHttp, proxyHttpLbs,
> > > proxyHttpRedirect and proxyHttpLbsRedirect but it occurs
> > > to me that if we added a field of type 'Maybe Proxy' to the
> > > 'Request m' data type, the functionality of the four functions
> > > I have hacked up could be merged with the original versions
> > > of these.
> > >
> > > Does that sound like a sane approach?
> >
> > Yes, I think that sounds good. Just let me know when I should look at the
> > code; I'm impressed how quickly you're getting this done!
>
> Ok, I've submitted a github pull request that modifies the
> existing http function to proxy HTTP requests. This was a
> relatively simple matter of modifying hosts, ports, and
> headers.
>
> I'm now looking at doing HTTPS and I'm a little lost on how
> to proceed. Basically proxying of HTTPS works as follows:
>
>  a) Wants to connect to https://encrypted.google.com/
>    via HTTP proxy called squid listening on port 3128.
>
>  b) Client opens an un-encrypted connection to squid:3128
>    and sends a request:
>
>        CONNECT encrypted.google.com:443 HTTP/1.1
>
>  c) Squid proxy connects to encrypted.google.com port 443
>    and gets back a response of:
>
>        HTTP/1.1 200 Connection established
>
>     which it sends the client.
>
>  d) The squid proxy then blindly transfers bytes from the client
>    to encrypted.google.com and bytes from encrypted.google.com
>    to the client.
>
>  e) The client does TLS negotiation over the bi-directional pipe
>    established and maintained by the proxy.
>
> I can send the CONNECT and get back the HTTP 200 OK, but I'm
> not sure how to proceed.
>
> Clues?
>
>

Hmm... this *does* seem problematic. If I understand correctly, we need to
first accept unencrypted data over the socket, and then encrypted. The first
thing (and probably least important) that jumps out to me is that we
probably need to reconsider how we use the manager for proxied connections.
The more serious concern is that the TLS package uses Handles under the
surface, while http-enumerator uses Sockets for non-SSL connections.

If I were to take a stab at the best approach, it would be to modify
withSslConn to (optionally) read in the HTTP response line from the proxy
before handing control off to TLS. I'm not sure I entirely understand the
issue, but does that seem like a plausible approach?

Michael
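The CONNECT exchange Erik lays out in steps (a) to (e), written out as a small Python client so the one tricky point in the thread is visible: the proxy's "200 Connection established" reply must be read up to its blank line and not one byte further, because everything after it already belongs to the TLS handshake that runs over the same socket. This is an added example, not code from http-enumerator or from either poster; the function names are mine, and the in-process stand-in for squid (a thread on a socketpair) and the fake tunnel bytes are constructed so the exchange can be run offline without a real proxy or TLS.

```python
"""HTTP CONNECT tunnel client following steps (a)-(e) of the thread.

Added example, not http-enumerator code.  The fake proxy below is a
constructed stand-in for squid and performs no real TLS.
"""
import socket
import ssl
import threading


class ProxyError(Exception):
    """Raised when the proxy refuses the tunnel (anything other than 2xx)."""


def build_connect_request(host: str, port: int) -> bytes:
    # Step (b): authority-form request line; Host is mandatory in HTTP/1.1.
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def read_connect_response(sock: socket.socket, limit: int = 8192):
    """Read the proxy's status line and headers, one byte at a time.

    Byte-at-a-time is deliberate: after a 200 the next bytes on the wire are
    the origin server's TLS records (step (e)), and a buffered read would
    swallow them before the TLS layer is handed the socket.
    """
    buf = bytearray()
    while not buf.endswith(b"\r\n\r\n"):
        if len(buf) >= limit:
            raise ProxyError("proxy response headers too large")
        chunk = sock.recv(1)
        if not chunk:
            raise ProxyError("proxy closed connection before completing CONNECT")
        buf += chunk
    lines = bytes(buf[:-4]).decode("iso-8859-1").split("\r\n")
    version, _, rest = lines[0].partition(" ")
    code_str, _, reason = rest.partition(" ")
    if not version.startswith("HTTP/") or not code_str.isdigit():
        raise ProxyError(f"malformed proxy status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code_str), reason, headers


def establish_tunnel(sock: socket.socket, host: str, port: int) -> int:
    """Steps (b) and (c): ask for the tunnel and check the proxy agreed."""
    sock.sendall(build_connect_request(host, port))
    code, reason, _headers = read_connect_response(sock)
    if not 200 <= code < 300:
        # e.g. 407 Proxy Authentication Required; the plaintext socket is of
        # no use for TLS now, so drop it rather than risk speaking TLS to it.
        sock.close()
        raise ProxyError(f"proxy refused CONNECT: {code} {reason}")
    return code


def connect_via_proxy(proxy_host, proxy_port, target_host, target_port=443):
    """Full flow (a)-(e): plaintext to the proxy, CONNECT, then TLS on top.

    Needs a real proxy and network; not exercised by the offline demo.
    """
    sock = socket.create_connection((proxy_host, proxy_port))
    establish_tunnel(sock, target_host, target_port)
    ctx = ssl.create_default_context()
    # server_hostname is the *target*: SNI and certificate validation must
    # refer to the origin server, never to the proxy.
    return ctx.wrap_socket(sock, server_hostname=target_host)


# --- constructed stand-in for squid, used only by the offline demo ---------

TUNNEL_BYTES = b"\x16\x03\x01\x00\x05hello"  # constructed: pretend TLS record


def _fake_proxy(peer: socket.socket, reply: bytes):
    request = b""
    while not request.endswith(b"\r\n\r\n"):
        request += peer.recv(1024)
    if not request.startswith(b"CONNECT "):
        reply = b"HTTP/1.1 400 Bad Request\r\n\r\n"
    peer.sendall(reply)   # step (c), with the "tunnel" bytes right behind it
    peer.close()


def demo(reply: bytes = b"HTTP/1.1 200 Connection established\r\n\r\n" + TUNNEL_BYTES):
    """Run the client against the fake proxy over a socketpair.

    Returns (status code, bytes still on the socket after the headers); a
    correct client leaves exactly TUNNEL_BYTES for the TLS layer.
    """
    client, proxy_side = socket.socketpair()
    t = threading.Thread(target=_fake_proxy, args=(proxy_side, reply))
    t.start()
    code = establish_tunnel(client, "encrypted.google.com", 443)
    leftover = client.recv(1024)
    t.join()
    client.close()
    return code, leftover


if __name__ == "__main__":
    print(demo())
```

In terms of Michael's suggestion, `establish_tunnel` is the "read the HTTP response line from the proxy before handing control off to TLS" step: it runs on the raw socket, and only once it returns is the same socket wrapped for TLS. A 407 or other non-2xx reply is treated as fatal for that connection, since continuing with a TLS handshake over a socket the proxy did not turn into a tunnel would only produce confusing errors.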