Add support for HTTPS proxy URLs in Fluent Bit #11804
antoniomrfranco started this conversation in Ideas
Replies: 0 comments
Hello everyone,
The current version of Fluent Bit restricts the proxy scheme to http, as it does not currently implement TLS for the proxy connection. I opened this PR to add support for the https scheme in proxy URLs.
When https is used in the proxy URL, Fluent Bit first establishes a TLS connection to the proxy endpoint. If the destination URL is also https, Fluent Bit can then send a CONNECT request through that TLS-terminated proxy connection and establish a second TLS session through the tunnel to reach the destination server.
For example:
In other words, this allows a setup like:
I understand that using TLS for the client-to-proxy connection does not necessarily add a significant security benefit when the destination traffic is already encrypted. However, I have seen some enterprise environments requiring or standardizing on TLS-terminated proxy endpoints.
One example would be a highly available proxy deployment where a load balancer terminates TLS in front of multiple proxy instances:
In this kind of setup, the proxy URL exposed to clients is still https://proxy.example.com, even if the traffic from the load balancer to the backend proxy instances uses plain HTTP internally. AWS Network Load Balancer supports TLS listeners/TLS termination, which makes this a realistic deployment pattern for high availability.
This is also consistent with what many HTTP clients and libraries already support today. For example, urllib3 documents support for both HTTP and HTTPS proxies, where the HTTPS proxy case means establishing a TLS connection to the proxy first.
I’d appreciate any feedback and would love to have this considered for a future release.
Thanks!
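
The connection sequence described in the post above, sketched as an added example that is not part of the original post or of the Fluent Bit PR: it lists the steps a client takes for a given proxy URL and destination URL, and names the host whose certificate each TLS layer has to verify. The function names, the default ports (80 for http, 443 for https) and the sample hosts other than proxy.example.com are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed defaults when a URL carries no explicit port (not taken from Fluent Bit).
DEFAULT_PORTS = {"http": 80, "https": 443}

def _endpoint(url):
    """Return (scheme, host, port) for an http(s) URL; reject any other scheme."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]

def connect_request(host, port):
    """Bytes of the CONNECT request asking the proxy for a tunnel to host:port."""
    authority = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")

def tunnel_established(response_head):
    """True only when the proxy's status line carries a 2xx code."""
    fields = response_head.split(b"\r\n", 1)[0].split(b" ", 2)
    return (len(fields) >= 2 and fields[0].startswith(b"HTTP/1.")
            and len(fields[1]) == 3 and fields[1].isdigit()
            and fields[1][:1] == b"2")

def plan(proxy_url, dest_url):
    """Ordered client steps; every 'tls' step names the host to verify."""
    p_scheme, p_host, p_port = _endpoint(proxy_url)
    d_scheme, d_host, d_port = _endpoint(dest_url)
    steps = [("tcp", p_host, p_port)]
    if p_scheme == "https":
        # Outer session: certificate and SNI are checked against the proxy name.
        steps.append(("tls", p_host))
    if d_scheme == "https":
        steps.append(("connect", connect_request(d_host, d_port)))
        # Inner session inside the tunnel: checked against the destination name.
        steps.append(("tls", d_host))
    else:
        # Plain-HTTP destination: the request goes to the proxy in absolute form.
        steps.append(("forward", f"http://{d_host}:{d_port}"))
    return steps

if __name__ == "__main__":
    # Constructed sample hosts and ports.
    for step in plan("https://proxy.example.com:3128", "https://logs.example.net/ingest"):
        print(step)
```

The two TLS steps verify different names, so a client needs separate verification settings for the proxy and the destination, and the inner handshake should start only after `tunnel_established` accepts the proxy's reply.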