-
Notifications
You must be signed in to change notification settings - Fork 1
/
l4r.en.html
299 lines (275 loc) · 15.9 KB
/
l4r.en.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />
<title>Layer 4 Proxying — AMC Traffic Server Documentation</title>
<link rel="stylesheet" type="text/css" href="_static/pygments.css" />
<link rel="stylesheet" type="text/css" href="_static/sphinxdoc.css" />
<link rel="stylesheet" type="text/css" href="_static/graphviz.css" />
<script data-url_root="./" id="documentation_options" src="_static/documentation_options.js"></script>
<script src="_static/jquery.js"></script>
<script src="_static/underscore.js"></script>
<script src="_static/doctools.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Plugin Coordination" href="plugin-coordination.en.html" />
<link rel="prev" title="Body Factory Refactoring" href="body-factory.en.html" />
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="plugin-coordination.en.html" title="Plugin Coordination"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="body-factory.en.html" title="Body Factory Refactoring"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="index.html">SWOC Docs</a> »</li>
<li class="nav-item nav-item-1"><a href="ats-projects.en.html" accesskey="U">Traffic Server Projects</a> »</li>
<li class="nav-item nav-item-this"><a href="">Layer 4 Proxying</a></li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="layer-4-proxying">
<h1>Layer 4 Proxying<a class="headerlink" href="#layer-4-proxying" title="Permalink to this headline">¶</a></h1>
<p>Layer 4 proxying is proxying connections at the layer 3 or 4 level, that is at the TCP or TLS layer. This is distinct from routing in that the connections are terminated at layer 3 in Traffic Server, not by routing IP packets over the same TCP connection.</p>
<p>There are two primary reasons to use layer 4 proxying.</p>
<ul class="simple">
<li><p>Control of the properties, particularly TLS properties, of the connection between the client and the server.</p></li>
<li><p>De facto routing of client to server connections without modification of client or server. This differs from layer 3 routing in that it applies to specific clients and servers, not packets on the network in general.</p></li>
</ul>
<p>The distinguishing characteristic in both use case is how the connections are made. This becomes more complex in the case of TLS connections and where the TLS connections are terminated, which are not necessarily the same places as the TCP connections. Because the client drives the properties of the connection we can consider the connection properties from the client point of view. The two basic cases are</p>
<dl class="simple">
<dt>Direct connection</dt><dd><p>The client connects directly to the server.
To proxy a direction connection the client must send its packets to the proxy. This can be done by adjusting DNS resolution or by adjusting the networking infrastructure must be such that packets that go between the client and the server go through the proxy. In either case the proxy must be able to able to connect to the server or at least the next upstream proxy on the way to the server based on data available in the client connection.</p>
</dd>
<dt>Explict Proxy</dt><dd><p>The client connects to a known proxy and then uses the <code class="docutils literal notranslate"><span class="pre">CONNECT</span></code> method to forward the connection to the server. Adding additional proxy support will require making the client connect to a different proxy, either by configuring it to do so or by adjusting DNS resolution.</p>
</dd>
</dl>
<p>For either case the outbound connection from the client can be a “local” or “remote” connection. These cases are distinguished by whether the connection crosses network infrastructure not controlled by the same entity that controls the client. In the local case the client can depend on support from the network infrastructure (e.g. routing that prevents outside packets from entering). In contrast a remote connection must be sufficient of itself.</p>
<section id="use-cases">
<h2>Use cases<a class="headerlink" href="#use-cases" title="Permalink to this headline">¶</a></h2>
<p>The basic non-proxy connection.</p>
<figure class="align-center" id="id1">
<p class="plantuml">
<object data="_images/plantuml-ce09cd7e6b09dee1c6f80dcb172b4c84f799427f.svg" type="image/svg+xml" style="width:209px;height:282px;">
<img src="_images/plantuml-ce09cd7e6b09dee1c6f80dcb172b4c84f799427f.png" alt="actor Client
entity Upstream
Client -[#green]> Upstream : <font color="green">//TCP Connect//</font>
group Optional
Client -[#blue]> Upstream : <font color="blue">//TLS Connect//</font>
end"/>
</object></p>
<figcaption>
<p><span class="caption-text">Simple connection.</span><a class="headerlink" href="#id1" title="Permalink to this image">¶</a></p>
</figcaption>
</figure>
<p>Adding a proxy.</p>
<figure class="align-center" id="id2">
<p class="plantuml">
<object data="_images/plantuml-3c2202f8778baeafb56f7ec317f3e8f07240ef94.svg" type="image/svg+xml" style="width:315px;height:372px;">
<img src="_images/plantuml-3c2202f8778baeafb56f7ec317f3e8f07240ef94.png" alt="actor Client
participant Proxy
entity Upstream
Client -[#green]> Proxy : <font color="green">//TCP Connect//</font>
group Optional
Client -[#blue]> Proxy : <font color="blue">//TLS Connect//</font>
end
Proxy -[#green]> Upstream : <font color="green">//TCP Connect//</font>
group Optional
Proxy -[#blue]> Upstream : <font color="blue">//TLS Connect//</font>
end"/>
</object></p>
<figcaption>
<p><span class="caption-text">Proxied connection.</span><a class="headerlink" href="#id2" title="Permalink to this image">¶</a></p>
</figcaption>
</figure>
<section id="tls-termination">
<h3>TLS Termination<a class="headerlink" href="#tls-termination" title="Permalink to this headline">¶</a></h3>
<figure class="align-center" id="id3">
<p class="plantuml">
<object data="_images/plantuml-b1a6665f392b8a2abbd99cbe9ce5b050ebee7797.svg" type="image/svg+xml" style="width:297px;height:289px;">
<img src="_images/plantuml-b1a6665f392b8a2abbd99cbe9ce5b050ebee7797.png" alt="actor Client
participant Proxy
entity Upstream
hide footbox
Client -[#green]> Proxy : <font color="green">//TCP Connect//</font>
Client -[#blue]> Proxy : <font color="blue">// TLS Connect //</font>
note over Proxy : Client verifies proxy provided\ncertificate as if for Upstream
Proxy -[#green]> Upstream : <font color="green">//TCP Connect//</font>
Proxy -[#blue]> Upstream : <font color="blue">// TLS Connect //</font>"/>
</object></p>
<figcaption>
<p><span class="caption-text">TLS Termination</span><a class="headerlink" href="#id3" title="Permalink to this image">¶</a></p>
</figcaption>
</figure>
<p>The proxy terminates the TLS connection from the client as it it were the Service. This requires the
proxy to have the private key for the Server public certificate.</p>
</section>
<section id="direct-remote-connect">
<h3>Direct remote connect<a class="headerlink" href="#direct-remote-connect" title="Permalink to this headline">¶</a></h3>
<p>This case assumes a direct remote connection.</p>
<figure class="align-center" id="id4">
<p class="plantuml">
<object data="_images/plantuml-6715bcbcc559f711a527d618d44053cd3430a9b8.svg" type="image/svg+xml" style="width:179px;height:251px;">
<img src="_images/plantuml-6715bcbcc559f711a527d618d44053cd3430a9b8.png" alt="actor Client
entity Upstream
Client -[#green]> Upstream : <font color="green">//TCP Connect//</font>
Client -[#blue]> Upstream : <font color="blue">//TLS Connect//</font>"/>
</object></p>
<figcaption>
<p><span class="caption-text">Simple connection.</span><a class="headerlink" href="#id4" title="Permalink to this image">¶</a></p>
</figcaption>
</figure>
<p>Using a proxy in this scenario can be done using transparency and routing connections through the proxy. However in most environments this level of control of the routing will not be possible and so the client will need to connect to the proxy as if it were the server. In general this will be done by tweaking DNS or reconfiguring the client. When the client connects to the proxy the proxy must in turn connect to the service. Determing the correct upstream connection is the primary challenge. The advantage of transparency is the upstream destination is indicated by the connection. For a TCP only connection from the client the upstream must be explicitly configured in the proxy. If the client connects using TLS then information can be extracted from the initial TLS handshake.</p>
<figure class="align-center" id="id5">
<p class="plantuml">
<object data="_images/plantuml-769257e9ec6830fa5bfaa503eeab4f0e50c63ed5.svg" type="image/svg+xml" style="width:507px;height:349px;">
<img src="_images/plantuml-769257e9ec6830fa5bfaa503eeab4f0e50c63ed5.png" alt="actor Client
participant Proxy
participant Service
Client -[#green]> Proxy : <font color="green">//TCP Connect//</font>
Client -[#blue]-> Service : <font color="blue">TLS ""Client HELLO""</font>
Proxy -[#green]> Service : <font color="green">//TCP Connect//</font>
Proxy -[#blue]-> Service : <font color="blue">TLS ""Client HELLO""</font>
note right : Duplicate of <font color="blue">""Client HELLO""</font>
Client -[#blue]-> Service : <font color="blue">//TLS Connect//</font>"/>
</object></p>
<figcaption>
<p><span class="caption-text">TLS case</span><a class="headerlink" href="#id5" title="Permalink to this image">¶</a></p>
</figcaption>
</figure>
</section>
<section id="remote-explicit-proxy">
<h3>Remote explicit proxy<a class="headerlink" href="#remote-explicit-proxy" title="Permalink to this headline">¶</a></h3>
<p>In this case the client does a remote proxy connection to the service.</p>
<figure class="align-center" id="id6">
<p class="plantuml">
<object data="_images/plantuml-ac0e4a8924e8fd0f949020c10e513dafefefa0d6.svg" type="image/svg+xml" style="width:349px;height:101px;">
<img src="_images/plantuml-ac0e4a8924e8fd0f949020c10e513dafefefa0d6.png" alt="hide empty members
cloud Cloud
actor Client
[Client] <-> [Cloud]
[Cloud] <-> [Proxy]
[Proxy] <-> [Service]"/>
</object></p>
<figcaption>
<p><span class="caption-text">Network Structure</span><a class="headerlink" href="#id6" title="Permalink to this image">¶</a></p>
</figcaption>
</figure>
<figure class="align-center" id="id7">
<p class="plantuml">
<object data="_images/plantuml-0b42980293f68ba572b7591fe7941e83259c0c94.svg" type="image/svg+xml" style="width:344px;height:349px;">
<img src="_images/plantuml-0b42980293f68ba572b7591fe7941e83259c0c94.png" alt="actor Client
participant Proxy
participant Service
Client -[#green]> Proxy : //TCP Connect//
Client -[#red]> Proxy : <font color="red">HTTP ""CONNECT"" Service</font>
Proxy -[#green]> Service : //TCP Connect//
Client -[#blue]-> Service : <font color="blue">//TLS Connect//</font>
note over Proxy : Tunneled by Proxy"/>
</object></p>
<figcaption>
<p><span class="caption-text">Communications</span><a class="headerlink" href="#id7" title="Permalink to this image">¶</a></p>
</figcaption>
</figure>
<p>If the requirement is to secure the connection from the client to the proxy this requires adding local proxy to the client, which then forwards to the remote proxy.</p>
<figure class="align-center" id="id8">
<p class="plantuml">
<object data="_images/plantuml-3ca00765515acb56570c9bb8b646967ad69100da.svg" type="image/svg+xml" style="width:536px;height:101px;">
<img src="_images/plantuml-3ca00765515acb56570c9bb8b646967ad69100da.png" alt="hide empty members
cloud Cloud
actor Client
node "Ingress Proxy" as Ingress
node "Proxy" as Proxy
[Client] <-> [Ingress]
[Ingress] <-> [Cloud]
[Cloud] <-> [Proxy]
[Proxy] <-> [Service]"/>
</object></p>
<figcaption>
<p><span class="caption-text">Adding Local Proxy</span><a class="headerlink" href="#id8" title="Permalink to this image">¶</a></p>
</figcaption>
</figure>
<p>If the client uses TLS.</p>
</section>
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="index.html">
<img class="logo" src="_static/balcora-gate-400x400.jpg" alt="Logo"/>
</a></p>
<h3><a href="index.html">Table of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Layer 4 Proxying</a><ul>
<li><a class="reference internal" href="#use-cases">Use cases</a><ul>
<li><a class="reference internal" href="#tls-termination">TLS Termination</a></li>
<li><a class="reference internal" href="#direct-remote-connect">Direct remote connect</a></li>
<li><a class="reference internal" href="#remote-explicit-proxy">Remote explicit proxy</a></li>
</ul>
</li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="body-factory.en.html"
title="previous chapter">Body Factory Refactoring</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="plugin-coordination.en.html"
title="next chapter">Plugin Coordination</a></p>
<div role="note" aria-label="source link">
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="_sources/l4r.en.rst.txt"
rel="nofollow">Show Source</a></li>
</ul>
</div>
<div id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false"/>
<input type="submit" value="Go" />
</form>
</div>
</div>
<script>$('#searchbox').show(0);</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="plugin-coordination.en.html" title="Plugin Coordination"
>next</a> |</li>
<li class="right" >
<a href="body-factory.en.html" title="Body Factory Refactoring"
>previous</a> |</li>
<li class="nav-item nav-item-0"><a href="index.html">SWOC Docs</a> »</li>
<li class="nav-item nav-item-1"><a href="ats-projects.en.html" >Traffic Server Projects</a> »</li>
<li class="nav-item nav-item-this"><a href="">Layer 4 Proxying</a></li>
</ul>
</div>
<div class="footer" role="contentinfo">
© Copyright 2017, [email protected].
Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 4.1.2.
</div>
</body>
</html>