mirror of
https://github.com/curl/curl.git
synced 2026-06-02 22:04:17 +03:00
e78b1b3ecc
This patch adds two major proxy capabilities to curl (ngtcp2 QUIC):
- HTTP/3 Proxy CONNECT: Tunnel HTTP/1.1 or HTTP/2 traffic through an
HTTPS proxy that speaks HTTP/3 (QUIC) using the standard CONNECT
method over an HTTP/3 connection.
- MASQUE CONNECT-UDP: Tunnel HTTP/3 (QUIC) traffic through an HTTP
proxy (speaking HTTP/1.1, HTTP/2, or HTTP/3) using the extended
CONNECT method with the CONNECT-UDP protocol (RFC9297 & RFC9298).
Public API additions:
- `CURLPROXY_HTTPS3`: new proxy type constant for HTTP/3 proxy
- `--proxy-http3`: new CLI flag to negotiate HTTP/3 with HTTPS proxy
The implementation adds two new filters:
- `H3-PROXY` - enables negotiating HTTP/3 (QUIC) to the proxy and
running CONNECT/CONNECT-UDP through that proxy transport.
- `CAPSULE` - dedicated filter inserted between QUIC transport and
HTTP-PROXY to handle datagram capsule encapsulation/decapsulation.
Here is how the curl filter chaining looks in different scenarios:
- HTTP/3 Proxy CONNECT (tunneling TCP protocols over QUIC proxy):
conn -> HTTP/1.1 or HTTP/2 -> SSL -> HTTP-PROXY ->
H3-PROXY -> HAPPY-EYEBALLS -> UDP
- MASQUE CONNECT-UDP (tunneling QUIC over any proxy):
conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H3-PROXY ->
HAPPY-EYEBALLS -> UDP
conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H1-PROXY or H2-PROXY ->
SSL -> HAPPY-EYEBALLS -> TCP
- Both features currently require the ngtcp2 QUIC backend.
- Both features are experimental (disabled by default). Enable with
`--enable-proxy-http3`(autotools) or `-DUSE_PROXY_HTTP3=ON`(CMake).
Tests:
- tests/unit/unit3400.c: Unit tests for capsule protocol encode/decode
- tests/http/test_60_h3_proxy.py: Comprehensive pytest integration suite
- tests/http/testenv/h2o.py: Managing h2o instances with HTTP/1.1, HTTP/2,
and HTTP/3 (QUIC) listeners, proxy.connect and proxy.connect-udp enabled.
References:
RFC 9297 - HTTP Datagrams and the Capsule Protocol
RFC 9298 - Proxying UDP in HTTP
RFC 9000 §16 — Variable-Length Integer Encoding
Signed-off-by: Aritra Basu <aritrbas+gh@cisco.com>
Closes #21153
321 lines
6.3 KiB
Makefile
321 lines
6.3 KiB
Makefile
#***************************************************************************
|
|
# _ _ ____ _
|
|
# Project ___| | | | _ \| |
|
|
# / __| | | | |_) | |
|
|
# | (__| |_| | _ <| |___
|
|
# \___|\___/|_| \_\_____|
|
|
#
|
|
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
#
|
|
# This software is licensed as described in the file COPYING, which
|
|
# you should have received as part of this distribution. The terms
|
|
# are also available at https://curl.se/docs/copyright.html.
|
|
#
|
|
# You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
# copies of the Software, and permit persons to whom the Software is
|
|
# furnished to do so, under the terms of the COPYING file.
|
|
#
|
|
# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
# KIND, either express or implied.
|
|
#
|
|
# SPDX-License-Identifier: curl
|
|
#
|
|
###########################################################################
|
|
# Shared between CMakeLists.txt and Makefile.am
|
|
|
|
SUPPORT = \
|
|
_AUTHORS.md \
|
|
_BUGS.md \
|
|
_DESCRIPTION.md \
|
|
_ENVIRONMENT.md \
|
|
_EXITCODES.md \
|
|
_FILES.md \
|
|
_GLOBBING.md \
|
|
_NAME.md \
|
|
_OPTIONS.md \
|
|
_OUTPUT.md \
|
|
_PROGRESS.md \
|
|
_PROTOCOLS.md \
|
|
_PROXYPREFIX.md \
|
|
_SEEALSO.md \
|
|
_SYNOPSIS.md \
|
|
_URL.md \
|
|
_VARIABLES.md \
|
|
_VERSION.md \
|
|
_WWW.md
|
|
|
|
DPAGES = \
|
|
abstract-unix-socket.md \
|
|
alt-svc.md \
|
|
anyauth.md \
|
|
append.md \
|
|
aws-sigv4.md \
|
|
basic.md \
|
|
ca-native.md \
|
|
cacert.md \
|
|
capath.md \
|
|
cert-status.md \
|
|
cert-type.md \
|
|
cert.md \
|
|
ciphers.md \
|
|
compressed-ssh.md \
|
|
compressed.md \
|
|
config.md \
|
|
connect-timeout.md \
|
|
connect-to.md \
|
|
continue-at.md \
|
|
cookie-jar.md \
|
|
cookie.md \
|
|
create-dirs.md \
|
|
create-file-mode.md \
|
|
crlf.md \
|
|
crlfile.md \
|
|
curves.md \
|
|
data-ascii.md \
|
|
data-binary.md \
|
|
data-raw.md \
|
|
data-urlencode.md \
|
|
data.md \
|
|
delegation.md \
|
|
digest.md \
|
|
disable-eprt.md \
|
|
disable-epsv.md \
|
|
disable.md \
|
|
disallow-username-in-url.md \
|
|
dns-interface.md \
|
|
dns-ipv4-addr.md \
|
|
dns-ipv6-addr.md \
|
|
dns-servers.md \
|
|
doh-cert-status.md \
|
|
doh-insecure.md \
|
|
doh-url.md \
|
|
dump-ca-embed.md \
|
|
dump-header.md \
|
|
ech.md \
|
|
egd-file.md \
|
|
engine.md \
|
|
etag-compare.md \
|
|
etag-save.md \
|
|
expect100-timeout.md \
|
|
fail-early.md \
|
|
fail-with-body.md \
|
|
fail.md \
|
|
false-start.md \
|
|
follow.md \
|
|
form-escape.md \
|
|
form-string.md \
|
|
form.md \
|
|
ftp-account.md \
|
|
ftp-alternative-to-user.md \
|
|
ftp-create-dirs.md \
|
|
ftp-method.md \
|
|
ftp-pasv.md \
|
|
ftp-port.md \
|
|
ftp-pret.md \
|
|
ftp-skip-pasv-ip.md \
|
|
ftp-ssl-ccc-mode.md \
|
|
ftp-ssl-ccc.md \
|
|
ftp-ssl-control.md \
|
|
get.md \
|
|
globoff.md \
|
|
happy-eyeballs-timeout-ms.md \
|
|
haproxy-protocol.md \
|
|
haproxy-clientip.md \
|
|
head.md \
|
|
header.md \
|
|
help.md \
|
|
hostpubmd5.md \
|
|
hostpubsha256.md \
|
|
hsts.md \
|
|
http0.9.md \
|
|
http1.0.md \
|
|
http1.1.md \
|
|
http2-prior-knowledge.md \
|
|
http2.md \
|
|
http3.md \
|
|
http3-only.md \
|
|
ignore-content-length.md \
|
|
insecure.md \
|
|
interface.md \
|
|
ip-tos.md \
|
|
ipfs-gateway.md \
|
|
ipv4.md \
|
|
ipv6.md \
|
|
json.md \
|
|
junk-session-cookies.md \
|
|
keepalive-cnt.md \
|
|
keepalive-time.md \
|
|
key-type.md \
|
|
key.md \
|
|
knownhosts.md \
|
|
krb.md \
|
|
libcurl.md \
|
|
limit-rate.md \
|
|
list-only.md \
|
|
local-port.md \
|
|
location-trusted.md \
|
|
location.md \
|
|
login-options.md \
|
|
mail-auth.md \
|
|
mail-from.md \
|
|
mail-rcpt-allowfails.md \
|
|
mail-rcpt.md \
|
|
manual.md \
|
|
max-filesize.md \
|
|
max-redirs.md \
|
|
max-time.md \
|
|
metalink.md \
|
|
mptcp.md \
|
|
negotiate.md \
|
|
netrc-file.md \
|
|
netrc-optional.md \
|
|
netrc.md \
|
|
next.md \
|
|
no-alpn.md \
|
|
no-buffer.md \
|
|
no-clobber.md \
|
|
no-keepalive.md \
|
|
no-npn.md \
|
|
no-progress-meter.md \
|
|
no-sessionid.md \
|
|
noproxy.md \
|
|
ntlm-wb.md \
|
|
ntlm.md \
|
|
oauth2-bearer.md \
|
|
output-dir.md \
|
|
out-null.md \
|
|
output.md \
|
|
parallel-immediate.md \
|
|
parallel-max-host.md \
|
|
parallel-max.md \
|
|
parallel.md \
|
|
pass.md \
|
|
path-as-is.md \
|
|
pinnedpubkey.md \
|
|
post301.md \
|
|
post302.md \
|
|
post303.md \
|
|
preproxy.md \
|
|
progress-bar.md \
|
|
proto-default.md \
|
|
proto-redir.md \
|
|
proto.md \
|
|
proxy-anyauth.md \
|
|
proxy-basic.md \
|
|
proxy-ca-native.md \
|
|
proxy-cacert.md \
|
|
proxy-capath.md \
|
|
proxy-cert-type.md \
|
|
proxy-cert.md \
|
|
proxy-ciphers.md \
|
|
proxy-crlfile.md \
|
|
proxy-digest.md \
|
|
proxy-header.md \
|
|
proxy-http2.md \
|
|
proxy-http3.md \
|
|
proxy-insecure.md \
|
|
proxy-key-type.md \
|
|
proxy-key.md \
|
|
proxy-negotiate.md \
|
|
proxy-ntlm.md \
|
|
proxy-pass.md \
|
|
proxy-pinnedpubkey.md \
|
|
proxy-service-name.md \
|
|
proxy-ssl-allow-beast.md \
|
|
proxy-ssl-auto-client-cert.md \
|
|
proxy-tls13-ciphers.md \
|
|
proxy-tlsauthtype.md \
|
|
proxy-tlspassword.md \
|
|
proxy-tlsuser.md \
|
|
proxy-tlsv1.md \
|
|
proxy-user.md \
|
|
proxy.md \
|
|
proxy1.0.md \
|
|
proxytunnel.md \
|
|
pubkey.md \
|
|
quote.md \
|
|
random-file.md \
|
|
range.md \
|
|
rate.md \
|
|
raw.md \
|
|
referer.md \
|
|
remote-header-name.md \
|
|
remote-name-all.md \
|
|
remote-name.md \
|
|
remote-time.md \
|
|
remove-on-error.md \
|
|
request-target.md \
|
|
request.md \
|
|
resolve.md \
|
|
retry-all-errors.md \
|
|
retry-connrefused.md \
|
|
retry-delay.md \
|
|
retry-max-time.md \
|
|
retry.md \
|
|
sasl-authzid.md \
|
|
sasl-ir.md \
|
|
service-name.md \
|
|
show-error.md \
|
|
show-headers.md \
|
|
silent.md \
|
|
sigalgs.md \
|
|
skip-existing.md \
|
|
socks4.md \
|
|
socks4a.md \
|
|
socks5-basic.md \
|
|
socks5-gssapi-nec.md \
|
|
socks5-gssapi-service.md \
|
|
socks5-gssapi.md \
|
|
socks5-hostname.md \
|
|
socks5.md \
|
|
speed-limit.md \
|
|
speed-time.md \
|
|
ssl-allow-beast.md \
|
|
ssl-auto-client-cert.md \
|
|
ssl-no-revoke.md \
|
|
ssl-reqd.md \
|
|
ssl-revoke-best-effort.md \
|
|
ssl-sessions.md \
|
|
ssl.md \
|
|
sslv2.md \
|
|
sslv3.md \
|
|
stderr.md \
|
|
styled-output.md \
|
|
suppress-connect-headers.md \
|
|
tcp-fastopen.md \
|
|
tcp-nodelay.md \
|
|
telnet-option.md \
|
|
tftp-blksize.md \
|
|
tftp-no-options.md \
|
|
time-cond.md \
|
|
tls-earlydata.md \
|
|
tls-max.md \
|
|
tls13-ciphers.md \
|
|
tlsauthtype.md \
|
|
tlspassword.md \
|
|
tlsuser.md \
|
|
tlsv1.0.md \
|
|
tlsv1.1.md \
|
|
tlsv1.2.md \
|
|
tlsv1.3.md \
|
|
tlsv1.md \
|
|
tr-encoding.md \
|
|
trace-ascii.md \
|
|
trace-config.md \
|
|
trace-ids.md \
|
|
trace-time.md \
|
|
trace.md \
|
|
unix-socket.md \
|
|
upload-file.md \
|
|
upload-flags.md \
|
|
url.md \
|
|
url-query.md \
|
|
use-ascii.md \
|
|
user-agent.md \
|
|
user.md \
|
|
variable.md \
|
|
verbose.md \
|
|
version.md \
|
|
vlan-priority.md \
|
|
write-out.md \
|
|
xattr.md
|