
Repository Details

SPDY forwarding proxy - fast and secure

SPDY Proxy

Google Chrome comes with built-in support for SSL-based proxies, which means that we can give Chrome an HTTPS proxy URL, and the rest is taken care of: a TLS tunnel is first established to the proxy, and the proxied requests are sent over a secure link. No eavesdropping allowed! This is a huge improvement over regular HTTP proxies, which can also tunnel SSL, but in the process leak information about the site we're connecting to (read more about Chrome and secure proxies). This allows a number of new and interesting use cases:

  • End-to-end secure browsing for all sites (HTTP, HTTPS, SPDY) - no sniffing!
  • Web VPN: secure access to internal servers and services without relying on heavy TCP VPN solutions

Where does SPDY fit in here? When the SSL handshake is done, the browser and the server can agree to establish a SPDY session by using SSL NPN (RFC). If both sides support SPDY, then all communication between browser and proxy can be done over SPDY:

SPDY Proxy Diagram

  • All browser <-> proxy communication is done over SSL
  • SPDY Proxy and Chrome communicate via SPDY (v2)
  • Browser requests are routed via SPDY proxy to destination

Notice that we can route both HTTP and HTTPS requests through the SPDY tunnel. To establish an HTTPS session, the browser sends a CONNECT request to the proxy with the hostname of the secure server (e.g. https://google.com), the proxy establishes the TCP connection and then simply transfers the encrypted bytes between the streams - the proxy only knows that you wanted to connect to Google, but cannot see any of your actual traffic - we're tunneling SSL over SSL!

The same logic applies to tunneling SPDY! We can establish a SPDY v2 tunnel to the proxy, and then tunnel SPDY v3 connections over it.

Installation & Configuration

SPDY proxy requires node.js 0.8.x+. Grab the package for your platform from the node site. Once node.js is installed, you can use npm (node package manager) to install SPDY Proxy:

$> npm install -g spdyproxy
$> spdyproxy --help

To run the proxy, you need to provide your SSL keys:

$> spdyproxy -k keys/mykey.pem -c keys/mycert.pem -p 44300

With that, you should have a SPDY proxy running on port 44300.

Configuring Google Chrome

Google Chrome uses PAC (proxy auto-config) files to choose the appropriate proxy server for fetching any URL. The PAC file itself is just a simple JavaScript function:

function FindProxyForURL(url, host) {
  return "HTTPS proxy.example.com:8080; DIRECT";
}

The above file tells the browser to proxy all requests via a secure proxy on port 8080, and if the proxy fails, then try to connect directly to the host. However, the PAC file allows us to create much more interesting scenarios: proxy specific URLs or hostnames, proxy rules based on DNS resolution results, and more. See PAC directory for examples.
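As an added example (not a file shipped with the project), here is a PAC file for the "Web VPN" scenario described above: internal hosts are pinned to the SPDY proxy with no DIRECT fallback, single-label LAN names stay local, and everything else uses the proxy with DIRECT as a fallback. The proxy address and the ".corp.example" domain are made up; the three helper functions mirror the PAC built-ins so the file can also be unit-tested under Node.

```javascript
// Added example, not from the spdyproxy project: a PAC file for the
// "Web VPN" scenario. The proxy address, the ".corp.example" domain and
// the 10.x.x.x range are constructed for illustration.
var SPDY_PROXY = "HTTPS proxy.example.com:44300";

function FindProxyForURL(url, host) {
  // Single-label names (printer, localhost) never leave the LAN.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Internal services: always through the secure proxy, with no DIRECT
  // fallback, so an unreachable proxy fails closed rather than letting the
  // browser retry the internal host over the open network.
  if (dnsDomainIs(host, ".corp.example") || shExpMatch(host, "10.*.*.*")) {
    return SPDY_PROXY;
  }
  // Everything else (HTTP and HTTPS alike) goes through the tunnel too,
  // so the local network only ever sees TLS to the proxy; if the proxy is
  // down, DIRECT keeps the browser usable at the cost of that protection.
  return SPDY_PROXY + "; DIRECT";
}

// Chrome provides the three helpers below to PAC scripts. These stand-ins
// mirror their documented behaviour so the same file runs under Node for
// testing; in the browser they simply shadow the built-ins.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // The leading dot in `domain` is what stops "evilcorp.example" matching.
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Shell glob to anchored regex: escape metacharacters, then * -> .* and ? -> .
  var re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                .replace(/\*/g, ".*")
                .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
```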

DIY demo setup

To do a quick local test, start the SPDY proxy on your machine, and start Chrome with the --proxy-pac-url flag:

$> spdyproxy -k keys/mykey.pem -c keys/mycert.pem -p 44300 -v
$> "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --proxy-pac-url=file:///path/to/config.pac --use-npn


Securing the proxy

To run a secure (SPDY) proxy you will need a valid SSL certificate on the server, and you must also make sure that your client will accept this certificate without any errors. If you're generating a self-signed certificate, then you will need to manually import it into your client keychain - otherwise, the browser will terminate the connection. To create a self-signed certificate:

$> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mykey.pem -out mycert.pem

# on OSX, you now need to manually add mycert.pem to your keychain (for local testing)
# -> launch Keychain app, drag the key into the app, and mark it as accepted

Protip: You can get a free, signed SSL certificate for your domain via StartSSL.

Once the proxy server is running, it is accessible by any client that wants to use it. To restrict access, you can use regular firewall rules, IP blacklists, etc. Alternatively, SPDY proxy supports Basic-Auth proxy authentication. Recall that all communication between client and server is done over SSL, hence all auth data is secure! The first time your browser connects to the proxy, it will ask for a login and password. After that, the browser will automatically append the authentication headers.

# pass in -U and -P flags to spdyproxy to set the Basic-Auth username and password
$> spdyproxy -k keys/mykey.pem -c keys/mycert.pem -p 44300 -U user -P pass

Two way SSL authentication

The SPDY proxy server can also authenticate clients by SSL certificate.

#generate key and CSR for client
openssl req -out client1.csr -new -newkey rsa:2048 -nodes -keyout client1.pem
#sign client CSR using server's key, use -CAserial mycert.srl if serial file already exists otherwise use -CAcreateserial
openssl x509 -req -in client1.csr -CA mycert.pem -CAkey mykey.pem -CAcreateserial -out client1.cer
#export client certificate to pfx file so that it can be imported into client's browsers manually
openssl pkcs12 -export -out client1.pfx -inkey client1.pem -in client1.cer

Now run the SPDY proxy server as:

#use -C and -a to validate client certificate
spdyproxy -k keys/mykey.pem -c keys/mycert.pem -p 44300 -a keys/mycert.pem -C

To use the proxy server, a client certificate must be presented.

Other resources

License

(MIT License) - Copyright (c) 2012 Ilya Grigorik
