@@ -138,6 +138,32 @@ func initModProxy(env *command.Env, s3c *s3util.Client) (_ http.Handler, cleanup
138138// initRevProxy initializes a reverse proxy if one is enabled. If not, it
139139// returns nil, nil to indicate a proxy was not requested. Otherwise, it
140140// returns a [http.Handler] to dispatch reverse proxy requests.
141+ //
142+ // The reverse proxy runs two collaborating HTTP servers:
143+ //
144+ // - The "inner" server is the proxy itself, which checks for cached values,
145+ // forwards client requests to the remote origin (if necessary), and
146+ // updates the cache with responses. The [revproxy.Server] is a lightweight
147+ // wrapper around [net/http/httputil.ReverseProxy].
148+ //
149+ // - The "outer" server is a bridge, that intercepts client requests. The
150+ // bridge forwards plain HTTP requests directly to the inner server. For
151+ // HTTPS CONNECT requests, the bridge hijacks the client connection and
152+ // terminates TLS using a locally-signed certificate, and forwards the
153+ // decrypted client requests to the inner caching proxy.
154+ //
155+ // The outer bridge is what receives requests routed by the main HTTP endpoint;
156+ // the inner server gets all its input via the bridge:
157+ //
158+ // +---------------+ +--------+ +-------------+
159+ // | HTTP listener |--[proxy request]-->| bridge |--[HTTP]-->| cache proxy |
160+ // +---------------+ +--------+ +-------------+
161+ // | | ^
162+ // (other routes) \---[HTTPS]-(terminate TLS)--/
163+ //
164+ // To the main HTTP listener, the bridge is an [http.Handler] that serves
165+ // requests routed to it. To the inner server, the bridge is a [net.Listener],
166+ // a source of client connections (with TLS terminated).
141167func initRevProxy (env * command.Env , s3c * s3util.Client , g * taskgroup.Group ) (http.Handler , error ) {
142168 if serveFlags .RevProxy == "" {
143169 return nil , nil // OK, proxy is disabled
0 commit comments