HTTPProxySuite is a Go project demonstrating a full HTTP request flow using custom proxies and servers built with standard libraries.
The suite includes:
- Forward Proxy – receives client requests and forwards them to the reverse proxy.
- Reverse Proxy – receives requests from the forward proxy and forwards them to the HTTP servers.
- HTTP Servers – process requests and return responses back through the proxy chain.
This project showcases lightweight, end-to-end request handling, proxying, and server communication in Go, all without third-party frameworks.
```mermaid
graph TD
    Client -->|HTTPS Requests| ForwardProxy[Forward Proxy]
    ForwardProxy -->|Proxied Requests| ReverseProxy[Reverse Proxy]
    ReverseProxy -->|Routed Requests| HTTPServer1[HTTP Server 1]
    ReverseProxy -->|Routed Requests| HTTPServer2[HTTP Server 2]
    HTTPServer1 -->|Responses| ReverseProxy
    HTTPServer2 -->|Responses| ReverseProxy
    ReverseProxy -->|Proxied Responses| ForwardProxy
    ForwardProxy -->|Responses| Client
```
```mermaid
sequenceDiagram
    participant Client
    participant ForwardProxy as Forward Proxy<br/>Port: 6443<br/>(TLS Server)
    participant ReverseProxy as Reverse Proxy<br/>Port: 7443<br/>(TLS Server)
    participant HTTPServer as HTTP Server<br/>Port: 8443<br/>(mTLS Server)

    Note over Client,HTTPServer: Phase 1: Client → Forward Proxy TLS
    Client->>ForwardProxy: TLS Client Hello (TLSv1.3) with CA Certificate
    ForwardProxy->>Client: Server Hello + Certificate Chain
    Note right of ForwardProxy: CN=server<br/>Issuer: forward-proxy Root CA<br/>SAN: 127.0.0.1
    ForwardProxy->>Client: Certificate Verify + Finished
    Client->>ForwardProxy: Finished
    Note over Client,ForwardProxy: TLS Connection Established

    Note over Client,HTTPServer: Phase 2: HTTP CONNECT Tunnel
    Client->>ForwardProxy: CONNECT reverse-proxy-server:7443 HTTP/1.1, Proxy-Connection: Keep-Alive
    ForwardProxy->>Client: HTTP/1.1 200 Connection Established
    Note over Client,ForwardProxy: CONNECT Tunnel Established

    Note over Client,HTTPServer: Phase 3: Client → Reverse Proxy TLS (through tunnel)
    Client->>ReverseProxy: TLS Client Hello (TLSv1.3) via Forward Proxy tunnel
    ReverseProxy->>Client: Server Hello + Certificate Chain via Forward Proxy tunnel
    Note right of ReverseProxy: CN=server<br/>Issuer: reverse-proxy Root CA<br/>SAN: reverse-proxy-server
    ReverseProxy->>Client: Certificate Verify + Finished via Forward Proxy tunnel
    Client->>ReverseProxy: Finished via Forward Proxy tunnel
    Note over Client,ReverseProxy: End-to-End TLS Established

    Note over Client,HTTPServer: Phase 4: HTTP Request/Response
    Client->>ReverseProxy: GET /server1 HTTP/1.1

    Note over ReverseProxy,HTTPServer: Phase 5: Reverse Proxy → HTTP Server mTLS
    ReverseProxy->>HTTPServer: mTLS Handshake (Client Cert Required)
    HTTPServer->>ReverseProxy: Server Certificate + Client Cert Request
    ReverseProxy->>HTTPServer: Client Certificate + Finished
    HTTPServer->>ReverseProxy: Certificate Verify + Finished
    Note over ReverseProxy,HTTPServer: mTLS Connection Established
    ReverseProxy->>HTTPServer: GET /server1 HTTP/1.1 (over mTLS)
    HTTPServer->>ReverseProxy: HTTP/1.1 200 OK
    ReverseProxy->>Client: HTTP/1.1 200 OK, Connection: close

    Note over Client,HTTPServer: Certificate Chain Verification
    Note over ForwardProxy: Server Cert: CN=server<br/>CA: forward-proxy Root CA<br/>Validates: --proxy-cacert ca.crt
    Note over ReverseProxy: Server Cert: CN=server<br/>CA: reverse-proxy Root CA<br/>Validates: --cacert ca.crt
    Note over HTTPServer: mTLS Required<br/>Client + Server Certificates<br/>Mutual Authentication
```
Only the key files are included below:
```
.
├── http-forward-proxy/
│   ├── main.go
│   └── Dockerfile
├── http-reverse-proxy/
│   ├── main.go
│   └── Dockerfile
├── http-server/
│   ├── main.go
│   ├── index_server_1.html
│   └── index_server_2.html
├── tls-configs/
│   ├── forward-proxy/
│   ├── reverse-proxy/
│   └── web-server/
├── generate-tls.sh
├── docker-compose.yml
└── README.md
```
- `http-forward-proxy/` – contains the forward proxy server main code and Dockerfile.
- `http-reverse-proxy/` – contains the reverse proxy main code and Dockerfile.
- `http-server/` – contains the HTTP server code and key index files.
- `docker-compose.yml` – orchestrates the containers and networks.
- `generate-tls.sh` – generates TLS certificates and keys under each service.
- `tls-configs` – contains generated certificates and keys.

- Docker >= 20.x
- Docker Compose >= 1.29.x
- Go >= 1.20 (for building the binaries)

```bash
chmod 755 generate-tls.sh
./generate-tls.sh
docker-compose up --build -d
docker ps
```

The reverse proxy mappings can be configured via the `-map` argument in the format:

```
<context_path>=<host>:<port>
```

Example in `docker-compose.yml`:

```yaml
command: ["./reverse-proxy-server", "-host", "0.0.0.0", "-port", "7443", "-map", "/server1=http-server-1:8443,/server2=http-server-2:9443"]
```

Server 1:

```bash
curl -v -x https://127.0.0.1:6443 --proxy-cacert /tls-configs/forward-proxy/certs/ca.crt https://reverse-proxy-server:7443/server1 --cacert /tls-configs/reverse-proxy/certs/ca.crt
```

Server 2:

```bash
curl -v -x https://127.0.0.1:6443 --proxy-cacert /tls-configs/forward-proxy/certs/ca.crt https://reverse-proxy-server:7443/server2 --cacert /tls-configs/reverse-proxy/certs/ca.crt
```

- `http-server/index_server_1.html` → served by `http-server-1`
- `http-server/index_server_2.html` → served by `http-server-2`

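
One way to parse and apply the `-map` format described above, as an added example rather than the project's own `main.go` (how the real reverse proxy matches paths is not shown on this page). The names `ParseMap` and `Lookup` are hypothetical; the sketch assumes a mapping for the root path `/` is not allowed, and it matches whole path segments after normalising the request path so that a lookalike or dot-dot path cannot reach the wrong backend.

```go
package main

import (
	"fmt"
	"net"
	"path"
	"strconv"
	"strings"
)

// ParseMap turns a -map value (comma-separated <context_path>=<host>:<port>)
// into context path -> backend. Malformed or duplicate entries are errors.
func ParseMap(spec string) (map[string]string, error) {
	routes := map[string]string{}
	for _, entry := range strings.Split(spec, ",") {
		ctx, backend, ok := strings.Cut(strings.TrimSpace(entry), "=")
		if !ok || !strings.HasPrefix(ctx, "/") || path.Clean(ctx) == "/" {
			return nil, fmt.Errorf("bad mapping %q: want <context_path>=<host>:<port>", entry)
		}
		host, port, err := net.SplitHostPort(backend)
		if n, perr := strconv.Atoi(port); err != nil || perr != nil || host == "" || n < 1 || n > 65535 {
			return nil, fmt.Errorf("bad backend in mapping %q", entry)
		}
		ctx = path.Clean(ctx) // "/server1/" and "/server1" are the same route
		if _, dup := routes[ctx]; dup {
			return nil, fmt.Errorf("duplicate context path %q", ctx)
		}
		routes[ctx] = backend
	}
	return routes, nil
}

// Lookup cleans the request path and walks up it segment by segment: the longest
// mapped prefix wins, and /server10 or /server1/../x never match /server1.
func Lookup(routes map[string]string, reqPath string) (string, bool) {
	for p := path.Clean("/" + reqPath); p != "/"; p = path.Dir(p) {
		if backend, ok := routes[p]; ok {
			return backend, true
		}
	}
	return "", false
}

func main() {
	// Mapping taken from the docker-compose.yml example on this page.
	routes, err := ParseMap("/server1=http-server-1:8443,/server2=http-server-2:9443")
	fmt.Println(routes, err)
	fmt.Println(Lookup(routes, "/server1/../server2/index.html"))
}
```
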
- `internal-net` – for reverse proxy and HTTP servers.
- `public-net` – exposed network for forward proxy.

```bash
docker-compose down
```

- Forward proxy can route requests to any reverse proxy.
- Reverse proxy mapping can be updated via `-map` argument.
- HTTP servers listen on all interfaces for container communication.

Specify your license here (e.g., MIT, Apache 2.0).