Web intranet penetration implementation based on HTTP/2


HTTP/2 introduces a binary framing layer that splits the requests and responses of HTTP/1.1 into finer-grained frames; on top of this it implements stream prioritisation, flow control and Server Push. HTTP/2 can open multiple streams on a single TCP connection to achieve multiplexing, and it compresses request/response headers with a static dictionary, a dynamic dictionary and Huffman coding. In short, HTTP/2 solves many of HTTP/1.1's problems at the protocol level.

In a previous article I described how to expose an intranet web service to other network environments through ngrok. The service implemented in this article is similar to ngrok; I call it Pangolin (the name is borrowed from a colleague's similar project, with thanks). Message forwarding between the Pangolin client and server is implemented with the HTTP/2 support of the node-http2 Node.js module.

The requirement for Pangolin came from a reader's comment on this blog. There are many tools that implement similar functions; some forward traffic over private protocols, others over WebSocket. In my opinion HTTP/2 should be a good choice, so I decided to give it a try. In the end I spent an hour implementing a preliminary usable version, with no more than 200 lines of code on top of node-http2. I put the code on GitHub; if you are interested, you can try it out.

The following describes how it works. I drew a sketch:


The leftmost element is the browser used to access the service; it may be on the public network or in another intranet. The rightmost is the HTTP server that actually provides the web service, which sits in the intranet. Obviously the browser on the left cannot reach the web service on the right directly; it can only use a public network node as a bridge. The Pangolin server in the middle runs on that public network node, and the Pangolin client runs on the same machine as the web service or in the same network segment.

After the browser initiates a request, the request message flows from left to right along the green arrow. Each node acts as the HTTP server of the node adjacent to it on the left. The only problem arises between the Pangolin server and the client: the client sits in the intranet, so normally the Pangolin server cannot connect to the HTTP server provided by the client.

I used a clever trick to solve this problem: because the Pangolin server has a public IP address, it can run a TCP server, and the client can establish a TCP connection to it through that IP address and an agreed port. With a small modification to node-http2, so that it can create an HTTP/2 server and send HTTP/2 requests over a specified socket, all the nodes can be connected. Once this is solved, a request from the left can reach the right, and the response data can be returned step by step along the same connections.

Using HTTP/2 between the Pangolin server and client greatly improves performance and reduces program complexity; using HTTP/1.1 externally ensures compatibility with existing systems.

To achieve intranet penetration, Pangolin requires the following preparation:

Start a TCP server on the Pangolin server;

The Pangolin client starts a TCP client, connects to the Pangolin server and obtains a persistent socket connection;

The Pangolin client starts an HTTP/2 server on top of this socket;

The Pangolin server starts an HTTP/1.1 server and waits for browsers to access it.

The actual data transmission process is as follows:

The browser sends a request (HTTP/1.1) to the Pangolin server;

The Pangolin server sends a request (HTTP/2) to the Pangolin client over the existing socket;

The Pangolin client sends the request to the intranet web service and obtains its response (HTTP/1.1);

The Pangolin client returns the response to the Pangolin server over the existing socket (HTTP/2);

The Pangolin server returns the response to the browser (HTTP/1.1).

Because the Pangolin client forwards at the HTTP level rather than through a raw TCP tunnel, a management interface like ngrok's, showing complete request/response information, is easy to implement. For now I simply print the request log.

The HTTP/2 protocol itself does not require deployment over TLS; HTTP/2 without a security layer is called h2c (HTTP/2 Cleartext). No browser currently intends to support h2c. However, if a system does not have high security requirements, or secures the link by other means, deploying h2c is also a reasonable choice. Note that with h2c the traffic between the Pangolin server and client crosses the public network in the clear, so the intranet requests and responses are readable and modifiable by anyone on the path unless that link is protected separately. Many HTTP/2 tools and libraries now support both h2 and h2c, and node-http2 is among them.

In fact, for convenience of testing, I also chose h2c when implementing Pangolin. In a Wireshark capture you can see the HTTP/2 layer sitting directly on top of TCP:

