stokito / ebpf-web-proxy

HTTP proxy based on eBPF rules to redirect traffic on packet level

A reverse proxy is used to put multiple web services behind one domain. For example, on the website example.com you may have an API service at example.com/api/, a frontend at example.com/ and a blog at example.com/blog/. You can set up a reverse proxy that receives all requests for example.com and internally redirects each one to the service associated with its URL path.

Current solutions

  • Apache HTTPD mod_proxy is the default solution for this.
  • NGINX is the most popular reverse proxy and web server for static files, focused on performance. It is used by most CDNs.
  • HAProxy is the most advanced proxy for high-load services.
  • Traefik and Caddy are reverse proxies for mid-size projects with microservices.

And some small solutions:

Why eBPF is needed here?

The problem is that they all work on L4, and this limits throughput. Instead, we may try to redirect packets directly at the network level. To do that, we may use eBPF rules to analyze each packet. There is a research project that analyzes HTTP packets: https://github.com/iovisor/bcc/tree/master/examples/networking/http_filter

But for HTTPS all packets are encrypted and we can't analyze them. To solve this we may terminate TLS with stunnel and redirect to a plain HTTP port. Also, for internal communication between microservices TLS is not needed.
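The per-packet decision described above, as an added example in user-space C rather than a loadable eBPF program (it is not code from this repository). The names `classify`, `classify_payload`, `routes` and the backend ids are hypothetical, and the path prefixes come from the example.com layout above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Backend ids and prefixes are assumptions based on the example.com layout. */
enum backend { PASS = 0, FRONTEND, API, BLOG };
static const struct { const char *prefix; enum backend id; } routes[] = {
    { "/api/", API }, { "/blog/", BLOG }, { "/", FRONTEND }, /* "/" is the fallback */
};

/* Classify one Ethernet frame. Each read follows a length check, which is
   what the eBPF verifier demands for direct packet access. */
enum backend classify(const uint8_t *pkt, size_t len)
{
    if (len < 14 + 20) return PASS;                      /* Ethernet + minimal IPv4 */
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return PASS; /* EtherType is not IPv4 */
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return PASS; /* not IPv4/TCP */
    if ((ip[6] & 0x3f) || ip[7]) return PASS;            /* IP fragment */
    if (len < 14 + ihl + 20) return PASS;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || len < 14 + ihl + doff) return PASS;
    const uint8_t *p = tcp + doff;
    size_t n = len - (14 + ihl + doff);
    /* Only a segment that begins with the request line can be classified
       (GET only in this sketch); handshake and continuation segments pass. */
    if (n < 5 || memcmp(p, "GET ", 4) != 0) return PASS;
    p += 4; n -= 4;
    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++) {
        size_t pl = strlen(routes[i].prefix);
        if (n >= pl && memcmp(p, routes[i].prefix, pl) == 0) return routes[i].id;
    }
    return PASS;
}

/* Constructed sample input: wrap an HTTP payload in minimal Ethernet, IPv4
   and TCP headers (addresses and ports zero) and classify the frame. */
enum backend classify_payload(const char *payload)
{
    uint8_t f[256] = {0};
    size_t n = strlen(payload);
    if (n > sizeof f - 54) n = sizeof f - 54;
    f[12] = 0x08; f[14] = 0x45;  /* EtherType 0x0800; IPv4 with IHL 5 */
    f[23] = 6;    f[46] = 0x50;  /* protocol TCP; TCP data offset 5 */
    memcpy(f + 54, payload, n);
    return classify(f, 54 + n);
}
```

A segment that carries only the tail of a request returns `PASS`, so a packet-level router needs per-connection state to send the rest of the flow to the same backend.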

PRs with an implementation are welcome ;)

License: GNU General Public License v3.0