
Is it technically possible for an OPC UA client to tunnel requests to an OPC UA server via a Forward Proxy?


Issue

This is the OPC UA MILO client SDK used by my java program: https://github.com/eclipse/milo/blob/master/opc-ua-sdk/sdk-client/src/main/java/org/eclipse/milo/opcua/sdk/client/OpcUaClient.java

I have an OPC UA client sitting behind a Forward Proxy and want to attempt a connection via the forward proxy to reach the OPC UA server at a TCP port. It is an OPC protocol on top of a TCP connection.

The issue here is that the SDK client in the link above does not support a forward proxy connection that I could call in code to set up a tunnel for requests to reach the OPC UA server. I have a sense that we will have to move to a new client SDK.

Due to the design of the current infrastructure, any outbound request to external systems will have to be made via this forward proxy, and not a direct connection.

Intent

  1. I would like to know if it is technically possible for an OPC UA connection to be made from the client to the server via a forward proxy. Of course, it goes without saying that the Forward Proxy would first have to allow the port by ACL configuration. However, my question is still: can OPC UA connections be made via a forward proxy in the first place? I have done research on this topic and could not find any information regarding this.

  2. If point 1 is technically possible, how can I handle this in Java code? Keeping the MILO client SDK intact would be preferable; otherwise, please point me to a Java client SDK that I could use in Java code to allow for a connection to a forward proxy before tunneling the request to the OPC UA server.


Solution

  • I think it’s technically possible if you have Squid configured to act as a SOCKS5 proxy, however Milo uses the Netty library for its networking and Netty doesn’t look for the socksProxyHost and related Java system properties by default; it requires that a SOCKS handler is explicitly added to the end of a pipeline. It doesn’t look like this configuration is possible in the current version.
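
The explicit SOCKS handler the answer refers to, shown on a plain Netty client (an added example, not Milo's code and not from the answerer; it does not configure Milo). It assumes the `netty-handler-proxy` dependency is on the classpath, and the host names and ports are placeholders. It only opens and closes the tunnel; no OPC UA messages are sent.

```java
import io.netty.bootstrap.Bootstrap;
import io.netty.channel.*;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.proxy.ProxyConnectionEvent;
import io.netty.handler.proxy.Socks5ProxyHandler;
import io.netty.resolver.NoopAddressResolverGroup;
import java.net.InetSocketAddress;

public class Socks5TunnelSketch {
    public static void main(String[] args) throws Exception {
        // Placeholder endpoints (assumptions, not values from the question).
        InetSocketAddress proxy = new InetSocketAddress("proxy.example.internal", 1080);
        // Unresolved on purpose: the proxy, not this host, resolves the server name.
        InetSocketAddress opcServer = InetSocketAddress.createUnresolved("opcua.example.com", 4840);
        EventLoopGroup group = new NioEventLoopGroup(1);
        try {
            Bootstrap b = new Bootstrap()
                .group(group)
                .channel(NioSocketChannel.class)
                .resolver(NoopAddressResolverGroup.INSTANCE) // no local DNS lookup of the target
                .handler(new ChannelInitializer<SocketChannel>() {
                    @Override
                    protected void initChannel(SocketChannel ch) {
                        // Netty never reads socksProxyHost; the handler is added by hand.
                        ch.pipeline().addFirst("socks5", new Socks5ProxyHandler(proxy));
                        ch.pipeline().addLast(new ChannelInboundHandlerAdapter() {
                            @Override
                            public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
                                if (evt instanceof ProxyConnectionEvent) {
                                    System.out.println("Tunnel established: " + evt);
                                    ctx.close(); // protocol handlers would take over here
                                }
                            }
                            @Override
                            public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
                                // Proxy refusal (ACL deny, unreachable target) surfaces here.
                                System.err.println("Tunnel failed: " + cause);
                                ctx.close();
                            }
                        });
                    }
                });
            b.connect(opcServer).sync().channel().closeFuture().sync();
        } finally {
            group.shutdownGracefully();
        }
    }
}
```

Running this against the proxy is a quick way to check whether its ACL permits the OPC UA port before changing any client SDK code.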