I'm running an HTTP proxy service and want to route traffic to various Layer 3 TUNs based on the contents of HTTP packets (e.g. HTTP headers).
I'm using BSD and Linux to do this, but it doesn't look like either of these is capable of Layer 7 classification when making routing decisions (at least, not without writing my own extensive kernel patches).
So, is it possible to make Layer 3 routing decisions based on the contents of HTTP packets in Linux or BSD?
And, if not, do any Unix-based operating systems or distributions have this capability?
For BSD I would look into relayd(8) - it's native to OpenBSD, but I believe FreeBSD has a port too. It is quite powerful and can do more than a few things (ex., proxy, load balancer, application gateway), including what you are asking. Read through the man pages, particularly the 'Filter Rules' and 'Protocols' sections.

Definitely jump on the OpenBSD 'misc' mailing list if you have issues. The community is quick, and the author is often available.

relayd is intimately connected to the pf packet filter, which is how it is able to jointly create rules for Layer 3 and 7.

The problem I see here is that you have to accept the TCP connection before you get to see the HTTP request. So even if the system could use application-level data, it would not have that data at the time it needs to decide where the connection needs to go.

I don't think there is much choice but to have a "reverse proxy" which terminates the TCP connection from the client and then establishes an onward TCP connection to the origin server.
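The following is an added example, not code from either answer above and not relayd's own configuration. It shows concretely why the second answer says the TCP connection must be terminated first: the proxy accepts the client, reads only the HTTP request head, selects an upstream from the Host header (the kind of header match the first answer attributes to relayd's protocol rules), and only then opens the onward TCP connection and relays bytes in both directions. The routing table, upstream addresses and listen port are constructed placeholders; the header-size cap and the rejection of malformed request lines are the checks a practitioner would want before exposing such a proxy.

```python
import socket
import threading

# Constructed routing table (placeholder addresses, not from the thread):
# HTTP Host header -> upstream (host, port). Unknown hosts go to DEFAULT_UPSTREAM.
ROUTES = {
    "app.example.com": ("10.0.0.2", 8080),
    "static.example.com": ("10.0.0.3", 8080),
}
DEFAULT_UPSTREAM = ("10.0.0.1", 8080)
MAX_HEAD_BYTES = 16 * 1024  # refuse clients that never finish their headers


def parse_request_head(head: bytes):
    """Parse an HTTP/1.x request head. Returns (method, target, headers)
    with header names lower-cased. Raises ValueError on malformed input."""
    text = head.decode("iso-8859-1")  # byte-transparent, never fails
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the head
        name, sep, value = line.partition(":")
        # reject obsolete line folding and empty names
        if not sep or not name or name != name.strip():
            raise ValueError("bad header line")
        headers[name.lower()] = value.strip()
    return parts[0], parts[1], headers


def host_from_header(value: str) -> str:
    """Strip an optional :port from a Host value, handling IPv6 literals."""
    value = value.strip().lower()
    if value.startswith("["):  # e.g. "[::1]:8080"
        return value.split("]")[0] + "]"
    return value.split(":")[0]


def choose_upstream(head: bytes, routes=ROUTES, default=DEFAULT_UPSTREAM):
    """The Layer 7 routing decision: it needs the request head, which only
    exists once the TCP connection has been accepted and read from."""
    _method, _target, headers = parse_request_head(head)
    return routes.get(host_from_header(headers.get("host", "")), default)


def read_request_head(conn: socket.socket) -> bytes:
    """Read until the end of the headers, bounded by MAX_HEAD_BYTES."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        if len(buf) > MAX_HEAD_BYTES:
            raise ValueError("request head too large")
        chunk = conn.recv(4096)
        if not chunk:
            raise ValueError("client closed before sending headers")
        buf += chunk
    return buf


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then shut both sides down."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(client: socket.socket) -> None:
    try:
        head = read_request_head(client)          # 1. accept + read head
        upstream = socket.create_connection(      # 2. decide, then connect onward
            choose_upstream(head), timeout=10)
        upstream.sendall(head)                    # 3. replay the bytes already read
    except (ValueError, OSError):
        client.close()
        return
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)


def serve(bind=("127.0.0.1", 8080)) -> None:
    with socket.create_server(bind) as srv:
        while True:
            conn, _addr = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Because the decision is made per connection after the head is read, a second request on the same keep-alive connection is not re-examined; a production reverse proxy such as relayd parses every request, which is the extra work that the kernel's per-packet routing path cannot do.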