Title of invention: Transparently proxying transport protocol connections using an external server
Abstract: Methods and apparatus are disclosed for processing data packets using a router and a proxy in order to transparently proxy a connection between a client and a server. One method involves mapping a TCP connection to a connection ID and sending a segment from the TCP connection to a proxy, including the connection ID, a direction value and an identifier of an assigned proxy application, such that the segment appears to be from the connection. The method further involves a proxy creating and reading from an IP socket which corresponds to the segment, the connection ID, direction and assigned proxy application and then spoofing the segment using the connection ID, a second direction value, and an identifier of the assigned proxy application.
Publication number: US9154512(B2) Publication date: 2015.10.06
Application number: US200611396249 Filing date: 2006.03.30
Applicant: Cisco Technology, Inc. Inventors: Qu Diheng;Leavy Nicholas;Fox Richard
Classification: G06F15/173;G06F15/16;H04L29/06;H04L29/12;H04L29/08 Main classification: G06F15/173
Agency: Hickman Palermo Becker Bingham LLP Agent: Hickman Palermo Becker Bingham LLP
Independent claim: 1. A method of processing data packets using a router and a proxy comprising: the router receiving, from a client device, a first data segment associated with a transport protocol connection; wherein the transport protocol connection is a Transmission Control Protocol (TCP) connection; wherein the first data segment is sent from the client device to a server through the router; the router determining a connection identifier from a mapping of the TCP connection to the connection identifier and to a plurality of values that identify a source, a destination, and the TCP protocol; the router sending the first data segment to the proxy in a first message that comprises the connection identifier, a first direction value, and an identifier of a proxy application that is hosted in the proxy; wherein the first message conforms to a protocol for exchanging messages between the router and the proxy, and wherein the first direction value included in the first message indicates to the proxy a socket to which the first data segment is to be written; the router receiving from the proxy a second message that comprises a response data segment, wherein the second message further comprises the connection identifier, the first direction value, and the identifier of the proxy application; wherein the response data segment is generated at the proxy in response to the first data segment based in part by the proxy processing the first data segment using the proxy application; wherein the first data segment and the response data segment are TCP segments; wherein the second message conforms to the protocol for exchanging messages between the router and the proxy, and wherein the first direction value included in the second message indicates to the router in which direction on the TCP connection the response data segment is to be forwarded; based on the first direction value included in the second message, the router determining that the response data segment is to be forwarded to the server in a first direction from the client device to the server; the router forwarding the response data segment to the server based on the mapping.
Address: San Jose CA US