I have an application that needs to use a proxy (call it proxy1) to access some https endpoints outside of its network. The application doesn't support proxy settings, so I'd like to provide it a reverse proxy url, and I would prefer not to provide tls certs for proxy1, so I would use http for application -> proxy1.

I don't have access to the application host or forward proxy mentioned below, so I cannot configure networking there.

The endpoints the application needs are https, so proxy1 must make its outbound connections via https.

Finally, this whole setup is within a corporate network that requires a forward proxy (call it proxy2) for outbound internet, so my proxy1 needs to chain to proxy2 / use it as a parent.

I tried squid and it worked well for http only, but I couldn't get it to accept http inbound while using https outbound. Squid easily supported the parent proxy2.

I tried haproxy, but had the same result as with squid.

I tried nginx and it did what I wanted with http -> proxy -> https, but doesn't support a parent proxy. I considered setting up socat as in this answer, or using proxy_pass and proxy_set_header as in this answer, but I can't shake the feeling there's a cleaner way to achieve the requirements.

This doesn't seem like an outlandish setup, is it? Or is there a preferred approach for it? Ideally one using squid or nginx.

Joel

1 Answer

You can achieve this without the complexity by using a port forwarder like socat. Just install it on a host to do the forwarding (or locally on the app server if you wish to) and create a listener that forwards connections through the proxy server. Then on your application host use a local name resolution override to map the FQDN to the forwarder.

So, the final config should be the app server using a URI that points to the forwarding server (using its address if no name resolution exists), which has a socat listener that points to the corporate proxy. No reverse proxy required.

socat TCP4-LISTEN:443,reuseaddr,fork \
PROXY:{proxy_address}:{endpoint_fqdn}:443,proxyport={proxy_port}

Just update with your parameters.

Buffoonism
  • Thanks - I don't have access to the application host at all, and can only provide the application a host url for the endpoints it uses. Could I achieve the same thing with socat on the reverse proxy server instead, sending outgoing traffic to the forward proxy? – Joel Aug 10 '22 at 15:34
  • You might be able to do this by using the address of the forwarding server in the app server URI. – Buffoonism Aug 10 '22 at 15:41
  • Thanks for the update - I edited my question again. Unfortunately I don't have access to the forwarding server either; this solution has to be contained to a single container between the two. – Joel Aug 12 '22 at 12:21
  • Hmm, I guess something is getting lost in translation somewhere then. So you have an existing corp proxy, and an existing app server. What I've suggested is putting a single new server between them (the forwarding server), and this just needs to run socat (no reverse proxy etc). Does that not address your question? – Buffoonism Aug 12 '22 at 12:35
  • I see! Sorry, I was confused about what the "forwarding server" was in this case. I will give this a shot, thank you. Would you consider using socat like this (wrapped with some logging, resilience etc) a good solution for potentially high-scale traffic? – Joel Aug 12 '22 at 14:47
  • De nada! Yes, this should work fine for coping with a reasonable volume (all it is doing is receiving and then sending packets on). – Buffoonism Aug 12 '22 at 16:02
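To make concrete what the accepted answer's socat one-liner does on the wire (and what "wrapped with some logging, resilience etc" would mean in practice), here is an added example that re-implements the same behaviour in Python: listen on a plain TCP port, send an HTTP CONNECT request to the parent proxy (proxy2 in the question), check the proxy's status line, and relay bytes in both directions. This is example code written for this page, not socat's own source and not code from either poster; the proxy address, endpoint name and ports in it are placeholders.

```python
"""Minimal re-implementation of what `socat TCP4-LISTEN:... PROXY:...` does:
accept a plain TCP connection, open an HTTP CONNECT tunnel through a parent
(forward) proxy, then relay bytes both ways. Added example, not from the
original answer; host names and ports below are placeholders."""
import socket
import threading


def build_connect_request(host: str, port: int) -> bytes:
    # First message the forwarder sends to the parent proxy (proxy2 in the question).
    return (f"CONNECT {host}:{port} HTTP/1.0\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def split_head(buf: bytes):
    # Return (head, rest) once the blank line ending the proxy reply has arrived,
    # else None. Bytes after the blank line already belong to the tunnelled stream.
    if b"\r\n\r\n" not in buf:
        return None
    head, rest = buf.split(b"\r\n\r\n", 1)
    return head, rest


def parse_connect_status(head: bytes) -> int:
    # The proxy answers with an HTTP status line; only 2xx means the tunnel is open.
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed CONNECT response: {status_line!r}")
    return int(parts[1])


def open_tunnel(proxy_addr, host: str, port: int):
    # Connect to the parent proxy and ask it for a raw TCP tunnel to host:port.
    upstream = socket.create_connection(proxy_addr, timeout=10)
    upstream.sendall(build_connect_request(host, port))
    buf = b""
    while (parsed := split_head(buf)) is None:
        chunk = upstream.recv(4096)
        if not chunk:
            upstream.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    head, rest = parsed
    status = parse_connect_status(head)
    if not 200 <= status < 300:
        upstream.close()
        raise ConnectionError(f"parent proxy refused CONNECT with status {status}")
    upstream.settimeout(None)
    return upstream, rest


def pump(src: socket.socket, dst: socket.socket) -> None:
    # Copy bytes one way until EOF, then half-close the destination.
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, proxy_addr, host, port) -> None:
    peer = client.getpeername()
    try:
        upstream, rest = open_tunnel(proxy_addr, host, port)
    except (OSError, ValueError) as exc:
        print(f"{peer}: tunnel to {host}:{port} failed: {exc}")  # the logging socat lacks
        client.close()
        return
    print(f"{peer}: tunnel to {host}:{port} via {proxy_addr} established")
    if rest:
        client.sendall(rest)
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)
    client.close()
    upstream.close()


def serve(listen_addr, proxy_addr, host, port) -> None:
    # Equivalent of TCP4-LISTEN:...,reuseaddr,fork: one thread per accepted connection.
    with socket.create_server(listen_addr) as srv:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle_client,
                             args=(client, proxy_addr, host, port), daemon=True).start()


if __name__ == "__main__":
    # Placeholder values: replace with the corporate proxy and the real endpoint.
    serve(("0.0.0.0", 443), ("proxy2.corp.example", 3128), "api.example.com", 443)
```

Two points worth noticing in the relay: the forwarder never terminates TLS, so the application's TLS session runs end to end to the real endpoint and the forwarder (like socat) only ever sees ciphertext, which is also why the application must still address the endpoint by its real FQDN for the certificate to validate; and any bytes the proxy sends after the blank line of its 200 reply are passed to the client rather than dropped, since they are already part of the tunnelled stream. The listener binds to all interfaces here only because the socat example does; in a real deployment it should be bound to the interface the application reaches it on.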