HTTP(S) Proxy in Golang in less than 100 lines of code

Michał Łowicki
Oct 28, 2017 · 5 min read

The goal is to implement a proxy server for HTTP and HTTPS. Handling of HTTP is a matter of parsing request, passing such request to destination server, reading response and passing it back to the client. All we need for that is built-in HTTP server and client (net/http). HTTPS is different as it’ll use technique called HTTP CONNECT tunneling. First client sends request using HTTP CONNECT method to set up the tunnel between the client and destination server. When such tunnel consisting of two TCP connections is ready, client starts regular TLS handshake with destination server to establish secure connection and later send requests and receive responses.

Certificates

Our proxy will be an HTTPS server (when —-proto https will be used) so we need certificate and private key. For the purpose of this post let’s use self-signed certificate. To generate one use such script:

It’s required to convince your OS to trust such certificate. In OS X it can be done with Keychain Access — https://tosbourn.com/getting-os-x-to-trust-self-signed-ssl-certificates/.

HTTP

To support HTTP we’ll use built-in HTTP server and client. The role of proxy is to handle HTTP request, pass such request to destination server and send response back to the client.

HTTP CONNECT tunneling

Suppose client wants to use either HTTPS or WebSockets in order to talk to server. Client is aware of using proxy. Simple HTTP request / response flow cannot be used since client needs to e.g. establish secure connection with server (HTTPS) or wants to use other protocol over TCP connection (WebSockets). Technique which works is to use HTTP CONNECT method. It tells the proxy server to establish TCP connection with destination server and when done to proxy the TCP stream to and from the client. This way proxy server won’t terminate SSL but will simply pass data between client and destination server so these two parties can establish secure connection.

Implementation

Presented code is not a production-grade solution. It lacks e.g. handling hop-by-hop headers, setting up timeouts while copying data between two connections or the ones exposed by net/http — more on this in “The complete guide to Go net/http timeouts”.

Our server while getting request will take one of two paths: handling HTTP or handling HTTP CONNECT tunneling. This is done with:

Function to handle HTTP — handleHTTP is self-explanatory so let’s focus on handling tunneling. The first part of handleTunneling is about setting connection to destination server:

Next we’ve a part to hijack connection maintained by HTTP server:

Hijacker interface allows to take over the connection. After that the caller is responsible to manage such connection (HTTP library won’t do it anymore).

Once we’ve two TCP connections (client→proxy, proxy→destination server) we need to set tunnel up:

In two goroutines data is copied in two directions: from the client to the destination server and backward.

Testing

To test our proxy you can use e.g. Chrome:

or Curl:

curl needs to be built with HTTPS-proxy support (introduced in 7.52.0).

HTTP/2

In our server HTTP/2 support has been deliberately removed because then hijacking is not possible. More on this in #14797.

Update

Please read https://medium.com/@mlowicki/https-proxies-support-in-go-1-10-b956fb501d6b about support for HTTPS proxies in Go 1.10.


👏👏👏 below to help others discover this story. Please follow me here or on Twitter if you want to get updates about new posts or boost work on future stories.

Michał Łowicki

Written by

Software engineering manager at Facebook, previously Opera, never satisfied.