My new open-source project: a fast hybrid of a Reverse Proxy and Deep Packet Inspection (DPI), written in C.
Unlike a classic Reverse Proxy, it can redirect client requests to multiple backend servers behind ONE port.
The right backend server is selected on the fly using DPI of the protocol negotiation phase. After selection, MPServer acts like a classic Reverse Proxy.
If you have only one backend server, MPServer can (if you want it to) act like a classic TCP or UDP Reverse Proxy without any DPI.
MPServer is not a classic Load Balancer, but it can act as a dumb one: client requests are redirected to the first backend server that replies.
MPServer can possibly act like an SSLH multiplexer.
How it works
MPServer duplicates client requests to all backend servers. Then it starts filtering the backend servers' replies, choosing the first valid reply and sending it to the client. Backend server replies are filtered using regex-based DPI.
Usually you only need to define such a regex according to your protocol specs.
OpenVPN (TCP and UDP), SOCKS5, HTTP and L2TP/IPSec sample configs (with regexes) are available in the examples directory.
Goal: authenticate the client on one of the backend servers and filter out the rest of the servers.
The client sends MPServer a SOCKS5 auth request which looks like this (hex):
050102 # 05 - Protocol version; 01 - Auth method count; 02 - Auth by user/pass
MPServer duplicates it and sends it to all backend servers.
Then it starts to receive replies from the servers. Imagine all servers reply with this:
0502 # 05 - Protocol version; 02 - Accepted auth method (user/pass)
This means all servers support this auth method and are waiting for authentication.
The client sends the auth data:
0104757365720470617373 # 01 - Subnegotiation version; 04 75736572 - user (length 4, "user"); 04 70617373 - pass (length 4, "pass")
MPServer again sends it to all servers and starts to receive their replies.
Imagine the first server replies with this:
0100 # 01 - Subnegotiation Version; 00 - Success
This means the client was successfully authenticated.
We don't need to wait for the rest of the replies. We can filter the other servers out by defining the following rule in the MPServer config:
[APPROVE_RULES] auth_success ^0100
From this point the client communicates (through MPServer) with only one server, and MPServer acts like a classic Reverse Proxy.
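The backend selection the SOCKS5 walkthrough describes, as an added example in C (not MPServer's own code): each backend reply is hex-encoded and matched against the approve rule `^0100`, and the first match wins. The replies are constructed samples, and evaluating rules with POSIX regex.h is an assumption about how MPServer matches them, not a description of its implementation.

```c
/* Added example, not MPServer code: choose the first backend whose reply
 * matches a hex "approve rule" such as "^0100" (SOCKS5 auth success). */
#include <regex.h>
#include <stddef.h>

/* Hex-encode a reply so the rule can be written in the same notation as the
 * config. Returns bytes written (excluding the NUL), or 0 if out is too small. */
static size_t hex_encode(const unsigned char *in, size_t n, char *out, size_t outsz) {
    static const char digits[] = "0123456789abcdef";
    size_t i;
    if (outsz < 2 * n + 1) return 0;
    for (i = 0; i < n; i++) {
        out[2 * i] = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return 2 * n;
}

/* Return the index of the first backend whose reply matches `rule`, or -1 if
 * no reply matches yet (the proxy keeps waiting for the remaining backends). */
int select_backend(const char *rule, const unsigned char *replies[],
                   const size_t lens[], int count) {
    regex_t re;
    char hex[512];
    int i, chosen = -1;
    /* REG_ICASE: a rule written as "0A" still matches the lowercase hex we emit. */
    if (regcomp(&re, rule, REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0) return -1;
    for (i = 0; i < count && chosen < 0; i++) {
        if (!hex_encode(replies[i], lens[i], hex, sizeof hex)) continue;
        if (regexec(&re, hex, 0, NULL, 0) == 0) chosen = i;
    }
    regfree(&re);
    return chosen;
}

/* Constructed sub-negotiation replies: backend 0 rejects the credentials
 * (01 01), backends 1 and 2 accept them (01 00). Backend 1 wins. */
int demo(void) {
    static const unsigned char fail[] = {0x01, 0x01};
    static const unsigned char ok[]   = {0x01, 0x00};
    const unsigned char *replies[] = {fail, ok, ok};
    const size_t lens[] = {sizeof fail, sizeof ok, sizeof ok};
    return select_backend("^0100", replies, lens, 3); /* returns 1 */
}
```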