# Node.js implementation of HTTP tunneling

This is a network architecture prototype which illustrates the way HTTP tunneling (forwarding of TCP connections through HTTP `CONNECT` requests) is used to handle internet traffic. It emulates how internet clients communicate with a production server through a public-facing reverse proxy that uses HTTP tunneling to manage the connections, as well as the incoming and outgoing traffic, on behalf of the server.

It comes with a full, user-friendly monitoring interface and provides useful insights on what is actually happening at the transport layer during HTTP transactions and network transactions at large.
This project was designed with the goal of emulating some actual internet traffic :

- Docker containers are used for `client`, `proxy` and `server`.
- Docker `bridge` networks are used as well, each with their own subnet mask and gateway:
  - `ntw-internet` : emulates the internet, to which the `client` containers are connected.
  - `ntw-local` : emulates the local isolated network of a business/cloud provider, to which the `server` container is connected.
- The `proxy` container is connected to both `ntw-internet` and `ntw-local` in order to function as a reverse proxy (thus having 2 network interfaces).

The purpose is also to illustrate the fundamentals of proxied client/server communication, so :
- The `client` process issues a request to `proxy` to open a proxied connection to `server`.
- Once `proxy` has connected to `server`, the `client` process receives a `connect` event, thus indicating that the connection is established.
- Exchanges between the `client` and `server` processes happen by reading from and writing to the proxied connection's TCP socket.
- A tmux session displays the `client`, `proxy` and `server` containers logs on a single screen to monitor the traffic.

The server container emulates a production server running in an isolated network.
The `server` process can run in two modes :

- HTTP mode : a `http.Server` instance runs on top of the proxied connections. It responds with `200 (OK)` to valid HTTP requests, and with `400 (Bad Request)` to invalid HTTP messages, in which case it also closes the proxied connection.
- TCP mode : a `net.Server` instance (an echo server) runs on top of the proxied connections.

The proxy container emulates a public facing reverse proxy, running in an isolated network but also connected to the internet :
- It runs a `http.Server` instance.
- It establishes a proxied TCP connection between the `client` and `server` containers when issued a HTTP `CONNECT` request.
- It returns the proxied connection's socket (a `stream.Duplex`) to the `client`.

Note: all traffic between the `client` and `proxy` containers is secured by TLSv1.3 (a TLS layer has been added between the clients' TCP sockets and the Node.js `http.Server` instance handling them inside the proxy). As a result, the traffic between the clients and the server that would be publicly exposed in a real world situation is encrypted.
The client container emulates a host connected to the internet, sending requests to and receiving responses from the production server through the reverse proxy :

- It uses `http.request` to issue a HTTP `CONNECT` request to the `proxy` container at startup.
- It receives the proxied connection's socket (a `stream.Duplex`) once the connection to `server` is established.
- It then reads from and writes to this socket to exchange messages with `server`.

Navigate to your install directory and type the following sequence of commands :
- `git clone https://github.com/mulekick/node-http-tunnel.git` to clone the repository.
- `cd node-http-tunnel` to cd into it.
- `. tunnel.sh tls` to configure the TLS layer by generating a certificate and a private key that will be used by the `proxy` process.
- `. tunnel.sh build` to build the Docker images for the `client`, `proxy` and `server` containers.

When in the `node-http-tunnel` directory, type one of the following commands :
- `. tunnel.sh start http` :
  - creates the `ntw-internet` and `ntw-local` networks.
  - starts `server` in HTTP mode (web server) and attaches it to `ntw-local`.
  - starts `proxy` and attaches it to `ntw-local` and `ntw-internet`.
  - starts `client-1` and `client-2` and attaches them to `ntw-internet`.
- `. tunnel.sh start tcp` :
  - creates the `ntw-internet` and `ntw-local` networks.
  - starts `server` in TCP mode (echo server) and attaches it to `ntw-local`.
  - starts `proxy` and attaches it to `ntw-local` and `ntw-internet`.
  - starts `client-1` and `client-2` and attaches them to `ntw-internet`.

Once the containers are started and the tmux session is up :
- `docker exec -it client-1 /bin/bash` to open a shell inside container `client-1` (or `client-2`).
- Write a message to `/src/client-pipe` (with `echo` or `cat`) to have the client send it to the server through the proxied connection.
- Watch the exchange in the `client` and `server` containers logs.
- `exit` or `Ctrl-D` to exit the container and return to the spare shell.

Note: don't forget that your proxied connection will be terminated if you send anything that is not a valid HTTP message when the `server` container runs in HTTP mode. Some sample well-formatted HTTP messages are provided in `/HTTPMSGS`; `cat` these into `/src/client-pipe` to have the server respond with nice Pepe the Frog ASCII art.
When in the `node-http-tunnel` directory (in the spare shell or elsewhere), type the following command :

- `. tunnel.sh stop` :
  - stops and removes `client-1`, `client-2`, `server` and `proxy` (thus terminating all network connections).
  - removes `ntw-internet` and `ntw-local`.
Basic knowledge of shell commands (`cd`, `echo` and `cat`) is required.

No filtering is done on the `proxy` container to block irrelevant/malicious connection attempts. I may do it later using iptables.