Apache HttpClient and SSL Proxies

Defonds 2020-11-13 04:49:34
apache proxy ssl HttpClient


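Consider the following scenario: for security reasons, certain clients that handle sensitive data must reach the server through a VPN. We will call this kind of client proxied access. Route diagram: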

HTTPS Client <------- Encrypted CONNECT Requests -------> HTTPS Proxy <------- Encrypted CONNECT Requests -------> HTTPS End-Site

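The proxy address and port number are injected into the JVM process as Property parameters: https.proxyHost and https.proxyPort

Most clients, however, do not need to reach the server through the VPN and simply access it directly over HTTPS. We will call this kind of client direct access. Route diagram: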

HTTPS Client <------- Encrypted CONNECT Requests -------> HTTPS End-Site
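Notes:
  • The proxy configuration is supplied globally; that is, the server is the same one, and every distributed client has the Property parameters above when it starts
  • This VPN proxy differs from an LB proxy in that the proxy does not need an SSL certificate configured; that is, the VPN is only responsible for listening and forwarding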

Solution 1: use the JVM's native java.net and javax.net.ssl packages

Sample code:

    URL localURL = new URL(urlPath);
    URLConnection connection = localURL.openConnection();
    HttpURLConnection httpURLConnection = (HttpURLConnection) connection;
    if (connection instanceof HttpsURLConnection) {
        // ignoreCertificationTrustManger and ignoreHostnameVerifier are defined elsewhere;
        // as their names indicate, they skip certificate and hostname checks,
        // so this connection does not authenticate the server.
        TrustManager[] tm = { ignoreCertificationTrustManger };
        try {
            SSLContext sslContext = SSLContext.getInstance("SSL", "SunJSSE");
            sslContext.init(null, tm, new java.security.SecureRandom());
            SSLSocketFactory ssf = sslContext.getSocketFactory();
            ((HttpsURLConnection) httpURLConnection).setSSLSocketFactory(ssf);
            ((HttpsURLConnection) httpURLConnection).setHostnameVerifier(ignoreHostnameVerifier);
        } catch (NoSuchAlgorithmException e1) {
            logger.logError(e1.getMessage(), e1);
        } catch (NoSuchProviderException e1) {
            logger.logError(e1.getMessage(), e1);
        } catch (KeyManagementException e1) {
            logger.logError(e1.getMessage(), e1);
        }
    }
    httpURLConnection.setDoOutput(true);
    httpURLConnection.setRequestMethod("POST");
    httpURLConnection.setRequestProperty("Content-Type", "application/octet-stream");
    httpURLConnection.setRequestProperty("Accept-Encoding", "chunck");
    httpURLConnection.setConnectTimeout(3000);
    outputStream = httpURLConnection.getOutputStream();

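Pros:

  • Automatically recognizes Properties such as https.proxyHost and https.proxyPort
  • Automatically recognizes whether the environment is direct or proxied, and then decides whether to go through the proxy given by the in-process Properties

Cons:

  • Single-request performance is worse than the Apache HttpClient library: minus one point for performance
  • Poor connection pool management: minus another point for performance

In short, it is fine for tinkering or for learning and discussion, but too frivolous for a production environment.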

Solution 2: use RequestConfig from the Apache HttpClient library

Sample code:

    CloseableHttpClient httpclient = HttpClients.createDefault();
    HttpHost target = new HttpHost("defonds.net", 443, "https");
    // The proxy hop is declared with scheme "https"
    HttpHost proxy = new HttpHost("191.168.1.303", 7443, "https");
    RequestConfig config = RequestConfig.custom()
            .setProxy(proxy)
            .build();
    HttpGet request = new HttpGet("/");
    request.setConfig(config);
    CloseableHttpResponse response = httpclient.execute(target, request);

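Adapted from the official Apache sample code: https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientExecuteProxy.java
This works in the direct environment but fails in the proxied environment, with an SSL handshake problem similar to the following: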

{tls}->https://191.168.1.303:7443->https://defonds.net:443 Connection reset java.net.SocketException: Connection reset at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)

Solution 3: use HttpRoutePlanner from the Apache HttpClient library

Sample code:

    HttpRoutePlanner routePlanner = new HttpRoutePlanner() {

        public HttpRoute determineRoute(
                HttpHost target,
                HttpRequest request,
                HttpContext context) throws HttpException {
            // Always route through the proxy; mark the route secure for https targets
            return new HttpRoute(target, null, new HttpHost("someproxy", 8080),
                    "https".equalsIgnoreCase(target.getSchemeName()));
        }
    };
    CloseableHttpClient httpclient = HttpClients.custom()
            .setRoutePlanner(routePlanner)
            .build();

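Adapted from the official Apache sample code: http://hc.apache.org/httpcomponents-client-4.5.x/tutorial/html/connmgmt.html#d5e485
The code above works in the proxied environment; the direct environment still has to be adapted separately.
Pros:

  • The lower layers have been optimized for transport, so single-request performance is better than the native packages
  • Efficient, high-performance connection pool management

Cons:

  • Cannot automatically recognize Properties such as https.proxyHost and https.proxyPort
  • Proxied / direct access has to be adapted explicitly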
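
One way to address the two cons above, as an added example that is not from the original post or the Apache samples: a DefaultRoutePlanner subclass (HttpClient 4.5.x) that reads https.proxyHost / https.proxyPort itself and falls back to a direct route when they are absent. It assumes an unset https.proxyHost means direct access; the class name and proxy.example.internal are hypothetical, and the proxy is declared with scheme http (as in Solution 3, where HttpHost defaults to http) so no TLS handshake is attempted with a proxy that holds no certificate.

```java
import org.apache.http.HttpException;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.DefaultRoutePlanner;
import org.apache.http.impl.conn.DefaultSchemePortResolver;
import org.apache.http.protocol.HttpContext;

// Hypothetical class name; added example, not the post's code.
public class SystemPropertyProxyRoutePlanner extends DefaultRoutePlanner {

    public SystemPropertyProxyRoutePlanner() {
        super(DefaultSchemePortResolver.INSTANCE);
    }

    @Override
    protected HttpHost determineProxy(HttpHost target, HttpRequest request, HttpContext context)
            throws HttpException {
        String host = System.getProperty("https.proxyHost");
        // Assumption: no https.proxyHost (or a non-HTTPS target) means direct access.
        if (host == null || host.trim().isEmpty() || !"https".equalsIgnoreCase(target.getSchemeName())) {
            return null; // DefaultRoutePlanner then builds a direct route
        }
        // 443 is the JDK's documented default for https.proxyPort.
        int port = Integer.parseInt(System.getProperty("https.proxyPort", "443"));
        // Scheme "http": the hop to the proxy is a plain CONNECT; TLS runs end to end
        // with the target inside the tunnel, so the proxy needs no certificate.
        return new HttpHost(host.trim(), port, "http");
    }

    public static void main(String[] args) throws Exception {
        SystemPropertyProxyRoutePlanner planner = new SystemPropertyProxyRoutePlanner();
        HttpHost target = new HttpHost("defonds.net", 443, "https");
        HttpGet request = new HttpGet("/");

        System.clearProperty("https.proxyHost"); // direct environment
        System.out.println("direct : " + planner.determineRoute(target, request, HttpClientContext.create()));

        System.setProperty("https.proxyHost", "proxy.example.internal"); // constructed sample values
        System.setProperty("https.proxyPort", "7443");
        System.out.println("proxied: " + planner.determineRoute(target, request, HttpClientContext.create()));

        // Default SSLContext and hostname verifier are kept: the end site's certificate is validated on both routes.
        HttpClients.custom().setRoutePlanner(planner).build().close();
    }
}
```

The main method only resolves and prints the two routes, so it runs without network access; pass the planner to HttpClients.custom().setRoutePlanner(...) to use it for real requests.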

Copyright notice
This article was written by [Defonds]. When reposting, please include a link to the original. Thank you.
https://defonds.blog.csdn.net/article/details/102470737
