HTTP CONNECT and HTTPS Proxy Tunnels: TLS Boundaries and Handshake Latency

When a client reaches an HTTPS origin through an HTTP forward proxy, the proxy cannot forward the request the way it forwards plaintext HTTP: the request is meant to be encrypted end to end, and the proxy holds no key for the origin. Unless it is deliberately configured to intercept (SSL bumping, Section 5), the proxy therefore never acts as a Layer 7 TLS terminator. Instead, the client issues an HTTP CONNECT request, which initiates a protocol transition: once the proxy has opened a TCP connection to the origin, it demotes itself to a Layer 4 byte-shoveler that sees only TLS records. Understanding the kernel-level mechanics, queueing behaviour and socket-buffer management behind this transition is essential for designing high-throughput edge proxies.

1. The Mechanics of HTTP CONNECT: State Machine Transition

RFC 9110 (Section 9.3.6) defines CONNECT as a request to open a tunnel to the authority named in the request target, which must be in authority-form (host:port, never a URL) and is repeated in the mandatory Host header. A forward proxy that supports it (HAProxy does in HTTP mode; stock Nginx does not and needs the third-party ngx_http_proxy_connect_module) handles it in its event loop: epoll delivers the request head, the proxy parses the authority, resolves it, issues a non-blocking connect() to the origin, and when EPOLLOUT fires it reads SO_ERROR to learn whether the three-way handshake succeeded. Only then does a well-behaved proxy answer with a 2xx status (conventionally 200 Connection Established). A 2xx response to CONNECT has no content and must carry neither Content-Length nor Transfer-Encoding; a client must ignore them if they appear. Failures come back as ordinary HTTP responses (407 Proxy Authentication Required, 403 for an authority the egress policy refuses, 502 or 504 when the origin cannot be reached). From the end of the 2xx head onward the HTTP state machine is switched off on that connection: the two socket file descriptors are joined for opaque binary forwarding, and everything the proxy sees from now on is a TLS record.
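The client side of this exchange, as an added example (not code from the article or from any proxy project): it builds the authority-form request, reads the proxy's response head without over-reading into the tunnel, and only then wraps the same socket in TLS with server_hostname set to the origin. demo() runs against an in-process stand-in proxy so it works offline; origin.example, 10.0.0.5 and the TLS record bytes are constructed values.

```python
"""Client side of an HTTP CONNECT tunnel, with the TLS boundary made explicit.
Added example for this article, not code from the page or from any proxy project.
demo() runs offline against an in-process stand-in proxy; origin.example, 10.0.0.5
and FAKE_SERVER_HELLO are constructed values."""
import socket
import ssl
import threading

MAX_HEAD = 16 * 1024
# Constructed: the first bytes an origin sends back through the tunnel, a TLS record
# header (type 22 handshake, legacy version 0x0303, length 0x5a) and a ServerHello start.
FAKE_SERVER_HELLO = b"\x16\x03\x03\x00\x5a" + b"\x02\x00\x00\x56\x03\x03" + bytes(32)

def build_connect(host, port):
    """Request head: authority-form target (host:port, never a URL) plus the
    mandatory Host header repeating it (RFC 9110 s9.3.6)."""
    authority = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"  # bracket IPv6
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")

def read_connect_response(sock):
    """Read exactly the response head, one byte at a time, so no byte belonging to the
    tunnel (the origin's first TLS record) is consumed before TLS owns the socket."""
    head = bytearray()
    while not head.endswith(b"\r\n\r\n"):
        b = sock.recv(1)
        if not b:
            raise ConnectionError("proxy closed the connection during CONNECT")
        head += b
        if len(head) > MAX_HEAD:
            raise ValueError("CONNECT response head too large")
    lines = head[:-4].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)  # 'HTTP/1.1 200 Connection Established'; reason optional
    if len(parts) < 2 or not parts[0].startswith("HTTP/1."):
        raise ValueError(f"malformed status line: {lines[0]!r}")
    status, headers = int(parts[1]), {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if 200 <= status < 300:
        # A 2xx to CONNECT has no content; ignore framing headers if the proxy sent any.
        headers.pop("content-length", None)
        headers.pop("transfer-encoding", None)
    return status, headers

def connect_via_proxy(proxy_addr, origin_host, origin_port):
    """Returns (status, headers, sock); sock is the raw tunnel on 2xx, else None."""
    sock = socket.create_connection(proxy_addr, timeout=5)
    sock.sendall(build_connect(origin_host, origin_port))
    status, headers = read_connect_response(sock)
    if not 200 <= status < 300:
        sock.close()
        return status, headers, None
    return status, headers, sock

def start_tls(sock, origin_host, context=None):
    """The TLS boundary: wrap the *tunnel* socket with the origin's name, so SNI, the
    hostname check and chain validation target origin_host, never the proxy.
    Not run by demo(), which has no real origin certificate to validate."""
    ctx = context or ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=origin_host)

def _mock_proxy(listener, allowed=("origin.example:443",)):
    """Stand-in proxy for the offline demo (not a real proxy): answers one CONNECT,
    then plays the origin by sending FAKE_SERVER_HELLO straight through the tunnel."""
    conn, _ = listener.accept()
    with conn:
        head = b""
        while not head.endswith(b"\r\n\r\n"):
            b = conn.recv(1)
            if not b:
                return
            head += b
        if head.split(b" ", 2)[1].decode("ascii") in allowed:
            conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n" + FAKE_SERVER_HELLO)
        else:
            body = b"CONNECT target refused by egress policy\n"
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: %d\r\n\r\n" % len(body) + body)

def demo():
    """One allowed and one refused CONNECT. Returns {authority: (status, first tunnel bytes or None)}."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    results = {}
    try:
        for host, port in (("origin.example", 443), ("10.0.0.5", 22)):
            t = threading.Thread(target=_mock_proxy, args=(listener,), daemon=True)
            t.start()
            status, _headers, sock = connect_via_proxy(listener.getsockname(), host, port)
            first = None
            if sock is not None:
                sock.settimeout(None)
                first = sock.recv(5, socket.MSG_WAITALL)  # origin's TLS record header, opaque to the proxy
                sock.close()
            results[f"{host}:{port}"] = (status, first)
            t.join(5)
    finally:
        listener.close()
    return results
```

The byte-at-a-time read is deliberate: a buffered read could swallow the origin's first TLS record together with the proxy's response head, and no stock TLS library accepts bytes that were already pulled out of the socket. In a real client the socket returned on 2xx goes straight into start_tls(); the 403 case shows the proxy answering as an ordinary HTTP server before any tunnel exists.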

Connection flow (Mermaid sequence diagram)

sequenceDiagram
    participant Client
    participant Proxy as Proxy (kernel + user space)
    participant Origin as Origin Server

    Note over Client, Proxy: 1. Client-to-proxy TCP handshake (accept queue)
    Client->>Proxy: TCP SYN
    Proxy->>Client: TCP SYN-ACK
    Client->>Proxy: TCP ACK

    Note over Client, Proxy: 2. HTTP CONNECT, name resolution, non-blocking backend connect
    Client->>Proxy: CONNECT origin.example:443 HTTP/1.1 with Host header
    Proxy->>Proxy: getaddrinfo() / asynchronous resolver
    Proxy->>Origin: TCP SYN (non-blocking connect())
    Origin->>Proxy: TCP SYN-ACK
    Proxy->>Origin: TCP ACK (EPOLLOUT fires, SO_ERROR == 0)
    Proxy->>Client: HTTP/1.1 200 Connection Established

    Note over Client, Origin: 3. Opaque tunnel (splice through a pipe); the proxy sees only TLS records
    Client->>Proxy: TLS ClientHello (SNI = origin.example)
    Proxy->>Origin: splice(client_fd → pipe → origin_fd)
    Origin->>Proxy: TLS ServerHello, EncryptedExtensions, Certificate, CertificateVerify, Finished
    Proxy->>Client: splice(origin_fd → pipe → client_fd)

    Note over Client, Origin: 4. Application data, encrypted end to end
    Client->>Origin: TLS application-data records (e.g. AES-GCM)
    Origin->>Client: TLS application-data records (e.g. AES-GCM)

2. Advanced Proxy Architecture: Zero-Copy and splice()

At scale, bouncing every tunnel byte through user space with read() and write() costs two system calls and two memory copies per chunk per direction, which shows up as CPU time in copy_to_user()/copy_from_user() and as memory-bandwidth pressure long before the NICs are saturated. HAProxy avoids this on Linux with the splice() system call (option splice-auto, option splice-request and option splice-response).

splice() moves data between two file descriptors entirely within the kernel, provided one of them is a pipe. HAProxy takes a pipe from its pool, splices the client TCP socket into the pipe, and then splices the pipe into the origin TCP socket; the payload stays as kernel page references and is never copied into a user-space buffer. This “zero-copy” path (zero user-space copies, not zero work) lets an edge node push many gigabits per second of tunneled traffic with a small fraction of the CPU a read()/write() loop would burn. Two caveats: the event loop still has to wait for EPOLLIN on each side and handle EAGAIN when the pipe or the destination socket is full, and splice changes nothing about what the proxy can see. It is shuttling ciphertext; the SNI in the ClientHello is the only plaintext hint it gets, unless Encrypted Client Hello is in use.
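The socket-to-pipe-to-socket relay described above, as an added example (not HAProxy's code and not from the article). It uses os.splice, which Python exposes on Linux from 3.10 onward; where the call is missing or the kernel refuses it, the function falls back to the read()/write() bounce and reports which path it took, which is also how a production proxy behaves. The two socketpairs, the pipe and SAMPLE_RECORD are constructed stand-ins for the client leg, the origin leg and a TLS record.

```python
"""Kernel-side forwarding for an established CONNECT tunnel with splice(2).
Added example for this article, not HAProxy's code. Uses os.splice (Python 3.10+,
Linux only); where splice is unavailable it bounces through user space and reports
which path it took. SAMPLE_RECORD is a constructed TLS record."""
import errno
import os
import socket

CHUNK = 64 * 1024  # a default Linux pipe holds 64 KiB, so one splice fills it at most
# Constructed: a 256-byte TLS handshake record (ClientHello header + filler). The
# proxy never parses it; it only moves it.
SAMPLE_RECORD = b"\x16\x03\x03\x00\xfb\x01\x00\x00\xf7\x03\x03" + bytes(range(245))

def _copy_once(in_fd, out_fd, budget):
    """The classic path: read() into a user buffer, write() it out. Two copies and
    two syscalls per chunk, which is exactly what splice() removes."""
    try:
        data = os.read(in_fd, budget)
    except BlockingIOError:
        return 0, "copy"
    done = 0
    while done < len(data):
        done += os.write(out_fd, data[done:])
    return done, "copy"

def forward_once(in_fd, out_fd, pipe_r, pipe_w, budget=CHUNK):
    """Move up to `budget` bytes from in_fd to out_fd. in_fd must be non-blocking
    (an epoll loop calls this after EPOLLIN); out_fd may block. Returns
    (bytes_moved, mode); 0 bytes means nothing pending or EOF on in_fd."""
    if not hasattr(os, "splice"):
        return _copy_once(in_fd, out_fd, budget)
    try:
        # socket -> pipe: the payload stays as kernel page references, no user buffer
        n = os.splice(in_fd, pipe_w, budget, flags=os.SPLICE_F_MOVE | os.SPLICE_F_NONBLOCK)
    except BlockingIOError:
        return 0, "splice"  # EAGAIN: drained for now, wait for the next EPOLLIN
    except OSError as e:
        if e.errno not in (errno.EINVAL, errno.ENOSYS):
            raise
        return _copy_once(in_fd, out_fd, budget)  # kernel or sandbox refuses socket splice
    moved = 0
    while moved < n:
        # pipe -> socket: a short splice just loops until the pipe is drained
        moved += os.splice(pipe_r, out_fd, n - moved, flags=os.SPLICE_F_MOVE)
    return moved, "splice"

def demo():
    """Two socketpairs stand in for the client leg and the origin leg of a tunnel,
    joined by a pipe as in HAProxy. Returns bytes moved, the path used, and whether
    the origin received the record byte for byte."""
    client_app, client_proxy = socket.socketpair()  # client <-> proxy
    origin_proxy, origin_app = socket.socketpair()  # proxy <-> origin
    pipe_r, pipe_w = os.pipe()
    client_proxy.setblocking(False)                 # as in an epoll-driven proxy
    try:
        client_app.sendall(SAMPLE_RECORD)
        moved, mode = forward_once(client_proxy.fileno(), origin_proxy.fileno(), pipe_r, pipe_w)
        received = b""
        while len(received) < moved:
            received += origin_app.recv(moved - len(received))
        return {"moved": moved, "mode": mode, "intact": received == SAMPLE_RECORD}
    finally:
        os.close(pipe_r)
        os.close(pipe_w)
        for s in (client_app, client_proxy, origin_proxy, origin_app):
            s.close()
```

A real proxy keeps one pipe per tunnel direction and calls forward_once() from its event loop for whichever side became readable; the EAGAIN branch is what lets it return to epoll without blocking the other tunnels.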

3. Mathematical Rigor: Queueing Theory and Little’s Law

The proxy's pending-connection state is governed by queueing theory. If CONNECT requests arrive at a rate λ (connections per second) and the mean time to establish the backend TCP connection is W (seconds), the mean number L of connects in flight in the proxy's state machine follows from Little's law:

L = λ · W

If the origin becomes congested, W rises and L rises with it. Without connect timeouts, a concurrency cap (HAProxy's maxconn) or circuit breakers, L grows until the proxy runs out of file descriptors (ulimit -n; each pending tunnel holds a client socket and a half-open origin socket) or, for many connections to a single origin, out of ephemeral ports for the 4-tuple, and the failure cascades to every client behind the proxy. A first-order sizing model treats the proxy as an M/M/c queue, where c is the concurrency limit (maxconn slots for an event-loop proxy, worker threads for a thread-per-connection design) and a = λW is the offered load in Erlangs; the Erlang C formula then gives the probability that a new CONNECT has to wait for a slot. (Erlang B, not C, is the blocking probability of a system with no queue at all; a proxy that queues pending connects is an Erlang C system.)
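The formulas above carried through in code, as an added example (not the article's own): Little's law against the descriptor budget, the Erlang C waiting probability computed through the numerically stable Erlang B recursion so that c in the thousands does not overflow a**c / c!, and the smallest concurrency limit that meets a waiting-probability target. The rates, times and limits in demo() are constructed, not measured.

```python
"""Little's law and the Erlang C queue for the proxy's pending-connection state.
Added example for this article, not the author's code; the rates, times and limits
in demo() are constructed, not measured."""
import math

def pending_connections(arrival_rate, mean_setup_time):
    """Little's law L = lambda * W: mean number of backend connects in flight when
    `arrival_rate` CONNECTs arrive per second and each takes `mean_setup_time` s."""
    return arrival_rate * mean_setup_time

def erlang_b(servers, offered_load):
    """Blocking probability of M/M/c/c by the stable recursion
    B(k) = a*B(k-1) / (k + a*B(k-1)), which avoids a**c / c! overflowing for large c."""
    b = 1.0
    for k in range(1, servers + 1):
        b = offered_load * b / (k + offered_load * b)
    return b

def erlang_c(servers, offered_load):
    """Probability that an arrival has to wait in M/M/c, with offered load
    a = lambda * W in Erlangs. Returns 1.0 when a >= c: the queue is then
    unstable (grows without bound), not merely slow."""
    c, a = servers, offered_load
    if a >= c:
        return 1.0
    b = erlang_b(c, a)
    return c * b / (c - a * (1.0 - b))

def mean_queue_wait(servers, arrival_rate, mean_service):
    """Mean time an arrival waits for a free slot: Wq = C(c, a) * W / (c - a)."""
    a = arrival_rate * mean_service
    if a >= servers:
        return math.inf
    return erlang_c(servers, a) * mean_service / (servers - a)

def slots_for_target(arrival_rate, mean_service, max_wait_probability):
    """Smallest concurrency limit c (maxconn slots or worker threads) with P(wait) <= target."""
    a = arrival_rate * mean_service
    c = max(1, math.ceil(a))
    while erlang_c(c, a) > max_wait_probability:
        c += 1
    return c

def fd_exhaustion(arrival_rate, mean_setup_time, fd_limit):
    """Little's law against the descriptor budget (ulimit -n). Each pending tunnel
    holds a client socket and a half-open origin socket, hence the factor 2.
    Returns (L, exhausted)."""
    pending = pending_connections(arrival_rate, mean_setup_time)
    return pending, 2 * pending > fd_limit

def demo():
    """A healthy origin (W = 20 ms) against a congested one (W = 2 s) at the same
    5000 CONNECT/s, with an 8192-descriptor limit and a 4096-slot maxconn."""
    rate, fd_limit, slots = 5000.0, 8192, 4096
    out = {}
    for label, w in (("healthy", 0.020), ("congested", 2.0)):
        pending, exhausted = fd_exhaustion(rate, w, fd_limit)
        out[label] = {"pending": pending, "fd_exhausted": exhausted,
                      "p_wait": erlang_c(slots, rate * w),
                      "mean_wait_s": mean_queue_wait(slots, rate, w)}
    out["slots_for_1pct_wait_at_20ms"] = slots_for_target(rate, 0.020, 0.01)
    return out
```

The congested case is the cascade the text warns about: W going from 20 ms to 2 s turns 100 pending connects into 10000, which overruns an 8192-descriptor budget and pushes the offered load past the 4096 slots, at which point Erlang C reports a waiting probability of 1 and the queue no longer has a finite mean wait.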

4. Advanced Tooling: eBPF Traffic Interception and Metrics

To measure the proxy-to-origin connect latency on its own, separate from the TLS handshake that follows inside the tunnel, SREs attach eBPF kprobes to the kernel's tcp_connect()/tcp_v4_connect() and tcp_rcv_state_process() functions; this is the approach BCC's tcpconnlat tool takes. XDP is the wrong layer for this measurement: it sees raw frames before any socket is involved, so it cannot attribute a SYN-ACK to a socket or to the proxy process.

#include <uapi/linux/ptrace.h>
#include <net/sock.h>
#include <net/tcp_states.h>
#include <bcc/proto.h>

BPF_HASH(connect_start, struct sock *, u64);   // keyed by socket, so the two probes pair up
BPF_HISTOGRAM(connect_lat_us);

// Entry of tcp_connect(): the proxy's SYN toward the origin is about to leave.
int kprobe__tcp_connect(struct pt_regs *ctx, struct sock *sk) {
    u64 ts = bpf_ktime_get_ns();
    connect_start.update(&sk, &ts);
    return 0;
}

// tcp_rcv_state_process() with the socket still in SYN_SENT means the SYN-ACK just arrived.
int kprobe__tcp_rcv_state_process(struct pt_regs *ctx, struct sock *sk) {
    u64 *tsp = connect_start.lookup(&sk);
    if (tsp == 0 || sk->__sk_common.skc_state != TCP_SYN_SENT) return 0;
    connect_lat_us.increment(bpf_log2l((bpf_ktime_get_ns() - *tsp) / 1000));
    connect_start.delete(&sk);
    return 0;
}

Keyed by socket pointer, the two probes pair each SYN with its SYN-ACK inside the kernel and produce a log2 histogram of connect RTTs that is free of user-space scheduling jitter. To restrict it to HAProxy's own backend connects, filter by PID in the tcp_connect probe (bpf_get_current_pid_tgid() is meaningful there, because it runs in the proxy's process context) or on the BCC Python side; the PID is not usable in tcp_rcv_state_process, which runs in softirq context where the current task is unrelated to the socket.

5. Post-Mortem: SSL Bumping and Egress Policies

Corporate NGFWs (next-generation firewalls) and explicit proxies such as Squid often perform “SSL bumping”. The interceptor accepts the CONNECT, plays the origin toward the client (terminating TLS with a certificate for origin.example that it mints on the fly and signs with a corporate root CA), opens its own TLS session to the real origin, and inspects the plaintext HTTP in between. If the client's trust store lacks that root, chain validation fails; with OpenSSL the verify result is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, or X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN when the interceptor includes its root in the chain it sends. Clients that pin the origin's key fail in the same way, by design, which is why bumping policies come with bypass lists.

Furthermore, secure egress architectures must enforce an allowlist for CONNECT, on both the port and the resolved address of the authority. An unrestricted CONNECT is a textbook pivot: an attacker who can reach the proxy issues CONNECT 10.0.0.5:22 and obtains a raw TCP path to an internal host, or to any other VPC address, with the proxy's own network identity. Squid's stock config encodes the port half of this rule as `acl SSL_ports port 443` followed by `http_access deny CONNECT !SSL_ports`; the address half requires checking what the name resolves to and not just the literal, since a hostname under the attacker's control can resolve to an internal IP (and the proxy should then connect to the address it checked rather than resolve a second time).
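The proxy-side admission check that those two rules amount to, as an added example (not Squid's or HAProxy's code): authority-form parsing, a port allowlist, and a routability test applied to every address the name resolves to, including IPv4-mapped IPv6 literals. FAKE_DNS and the addresses in it are constructed so the demo runs offline; nothing is contacted.

```python
"""Proxy-side admission control for CONNECT: authority-form parsing, a port
allowlist, and a routability check applied to every address the name resolves to.
Added example for this article, not Squid's or HAProxy's code. FAKE_DNS and the
addresses in it are constructed so the demo runs offline; nothing is contacted."""
import ipaddress
import re
import socket

ALLOWED_PORTS = frozenset({443})  # same shape as Squid's default 'deny CONNECT !SSL_ports'
AUTHORITY = re.compile(r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[A-Za-z0-9._-]+)):(?P<port>\d{1,5})$")

FAKE_DNS = {  # constructed records; any globally routable address would do for the first
    "origin.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "dual.example": ["93.184.216.34", "10.0.0.5"],  # one public, one internal
}

def fake_resolver(host, port, type=0, **_):
    """getaddrinfo() look-alike over FAKE_DNS, so decide_connect() needs no network."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no record for {host}")
    return [(None, None, None, "", (ip, port)) for ip in FAKE_DNS[host]]

def parse_connect_target(request_line):
    """'CONNECT host:port HTTP/1.1' -> (host, port). Absolute URLs, missing ports
    and anything else that is not authority-form are rejected (RFC 9110 s9.3.6)."""
    try:
        method, target, version = request_line.split(" ")
    except ValueError:
        raise ValueError("malformed request line") from None
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        raise ValueError("not an HTTP/1.x CONNECT request")
    m = AUTHORITY.match(target)
    if not m:
        raise ValueError(f"CONNECT target must be host:port, got {target!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return m.group("v6") or m.group("host"), port

def is_routable(ip):
    """False for RFC 1918, loopback, link-local (the 169.254.169.254 metadata
    service), CGNAT, documentation and reserved ranges. IPv4-mapped IPv6 is
    unmapped first so ::ffff:10.0.0.5 cannot slip past an IPv4-only rule."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global

def decide_connect(request_line, resolver=socket.getaddrinfo, allowed_ports=ALLOWED_PORTS):
    """Returns (allowed, reason). A hostname is resolved and every address is
    tested, so intranet.example -> 10.0.0.5 is refused like a literal 10.0.0.5.
    The proxy must then connect to an address it checked rather than resolve
    again, or a rebinding name can pass the check and land elsewhere."""
    try:
        host, port = parse_connect_target(request_line)
    except ValueError as e:
        return False, f"400 {e}"
    if port not in allowed_ports:
        return False, f"403 port {port} is not an allowed CONNECT port"
    try:
        addrs = {ipaddress.ip_address(host)}  # literal address
    except ValueError:
        try:
            infos = resolver(host, port, type=socket.SOCK_STREAM)
        except socket.gaierror:
            return False, f"502 cannot resolve {host}"
        addrs = {ipaddress.ip_address(ai[4][0].split("%")[0]) for ai in infos}
    blocked = sorted(str(a) for a in addrs if not is_routable(a))
    if blocked:
        return False, f"403 {host} resolves to non-routable {', '.join(blocked)}"
    return True, f"200 tunnel to {host}:{port} ({', '.join(sorted(str(a) for a in addrs))})"

def demo():
    """Policy decisions for a handful of constructed request lines."""
    cases = [
        "CONNECT origin.example:443 HTTP/1.1",            # allowed
        "CONNECT 10.0.0.5:22 HTTP/1.1",                   # the pivot from the text: port refused
        "CONNECT 10.0.0.5:443 HTTP/1.1",                  # allowed port, internal address
        "CONNECT intranet.example:443 HTTP/1.1",          # name resolving to an internal address
        "CONNECT dual.example:443 HTTP/1.1",              # mixed answers: still refused
        "CONNECT [::ffff:169.254.169.254]:443 HTTP/1.1",  # metadata service via v4-mapped v6
        "CONNECT https://origin.example/ HTTP/1.1",       # not authority-form
    ]
    return {line: decide_connect(line, resolver=fake_resolver) for line in cases}
```

The port rule alone is not enough: CONNECT 10.0.0.5:443 passes it and still reaches an internal host, which is why the address test runs on every resolved answer and refuses the mixed dual.example case outright.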
