A forward proxy module for CONNECT request handling

Overview

name

This module provides support for the CONNECT method request. This method is mainly used to tunnel SSL requests through proxy servers.

Example

Configuration Example

 server {
     listen                         3128;

     # dns resolver used by forward proxying
     resolver                       8.8.8.8;

     # forward proxy for CONNECT request
     proxy_connect;
     proxy_connect_allow            443 563;
     proxy_connect_connect_timeout  10s;
     proxy_connect_read_timeout     10s;
     proxy_connect_send_timeout     10s;

     # forward proxy for non-CONNECT request
     location / {
         proxy_pass http://$host;
         proxy_set_header Host $host;
     }
 }

Example for curl

With the above configuration, you can reach any HTTPS website through an HTTP CONNECT tunnel. A simple test with curl looks like this:

$ curl https://github.com/ -v -x 127.0.0.1:3128
*   Trying 127.0.0.1...                                           -.
* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)                | curl creates TCP connection with nginx (with proxy_connect module).
* Establish HTTP proxy tunnel to github.com:443                   -'
> CONNECT github.com:443 HTTP/1.1                                 -.
> Host: github.com:443                                         (1) | curl sends CONNECT request to create tunnel.
> User-Agent: curl/7.43.0                                          |
> Proxy-Connection: Keep-Alive                                    -'
>
< HTTP/1.0 200 Connection Established                             .- nginx replies 200 that tunnel is established.
< Proxy-agent: nginx                                           (2)|  (The client is now being proxied to the remote host. Any data sent
<                                                                 '-  to nginx is now forwarded, unmodified, to the remote host)

* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  -.
* Server certificate: github.com                                   |
* Server certificate: DigiCert SHA2 Extended Validation Server CA  | curl sends "https://github.com" request via tunnel,
* Server certificate: DigiCert High Assurance EV Root CA           | proxy_connect module will proxy data to remote host (github.com).
> GET / HTTP/1.1                                                   |
> Host: github.com                                             (3) |
> User-Agent: curl/7.43.0                                          |
> Accept: */*                                                     -'
>
< HTTP/1.1 200 OK                                                 .-
< Date: Fri, 11 Aug 2017 04:13:57 GMT                             |
< Content-Type: text/html; charset=utf-8                          |  Any data received from remote host will be sent to client
< Transfer-Encoding: chunked                                      |  by proxy_connect module.
< Server: GitHub.com                                           (4)|
< Status: 200 OK                                                  |
< Cache-Control: no-cache                                         |
< Vary: X-PJAX                                                    |
...                                                               |
... <other response headers & response body> ...                  |
...                                                               '-

The sequence diagram of the above example is as follows:

  curl                     nginx (proxy_connect)            github.com
    |                             |                          |
(1) |-- CONNECT github.com:443 -->|                          |
    |                             |                          |
    |                             |----[ TCP connection ]--->|
    |                             |                          |
(2) |<- HTTP/1.1 200           ---|                          |
    |   Connection Established    |                          |
    |                             |                          |
    |                                                        |
    ========= CONNECT tunnel has been established. ===========
    |                                                        |
    |                             |                          |
    |                             |                          |
    |   [ SSL stream       ]      |                          |
(3) |---[ GET / HTTP/1.1   ]----->|   [ SSL stream       ]   |
    |   [ Host: github.com ]      |---[ GET / HTTP/1.1   ]-->.
    |                             |   [ Host: github.com ]   |
    |                             |                          |
    |                             |                          |
    |                             |                          |
    |                             |   [ SSL stream       ]   |
    |   [ SSL stream       ]      |<--[ HTTP/1.1 200 OK  ]---'
(4) |<--[ HTTP/1.1 200 OK  ]------|   [ < html page >    ]   |
    |   [ < html page >    ]      |                          |
    |                             |                          |

Example for browser

You can configure your browser to use this nginx as a proxy server.

  • Google Chrome HTTPS proxy setting: guide and config for running this module under an SSL layer.

Example for Basic Authentication

Access control for CONNECT requests can be done with the nginx auth basic module.
See this guide for more details.

Install

Select patch

  • Select right patch for building:

    nginx version      enable REWRITE phase   patch
    1.4.x ~ 1.12.x     NO                     proxy_connect.patch
    1.4.x ~ 1.12.x     YES                    proxy_connect_rewrite.patch
    1.13.x ~ 1.14.x    NO                     proxy_connect_1014.patch
    1.13.x ~ 1.14.x    YES                    proxy_connect_rewrite_1014.patch
    1.15.2             YES                    proxy_connect_rewrite_1015.patch
    1.15.4 ~ 1.16.x    YES                    proxy_connect_rewrite_101504.patch
    1.17.x ~ 1.18.0    YES                    proxy_connect_rewrite_1018.patch
    1.19.x ~ 1.21.0    YES                    proxy_connect_rewrite_1018.patch
    1.21.1             YES                    proxy_connect_rewrite_102101.patch

    OpenResty version  enable REWRITE phase   patch
    1.13.6             NO                     proxy_connect_1014.patch
    1.13.6             YES                    proxy_connect_rewrite_1014.patch
    1.15.8             YES                    proxy_connect_rewrite_101504.patch
    1.17.8             YES                    proxy_connect_rewrite_1018.patch
    1.19.3             YES                    proxy_connect_rewrite_1018.patch
    1.21.1             YES                    proxy_connect_rewrite_102101.patch

  • proxy_connect_<VERSION>.patch disables the nginx REWRITE phase for CONNECT requests by default, which means that the if, set, rewrite_by_lua and other REWRITE phase directives cannot be used.
  • proxy_connect_rewrite_<VERSION>.patch enables these REWRITE phase directives.

Build nginx

  • Build nginx with this module from source:
$ wget http://nginx.org/download/nginx-1.9.2.tar.gz
$ tar -xzvf nginx-1.9.2.tar.gz
$ cd nginx-1.9.2/
$ patch -p1 < /path/to/ngx_http_proxy_connect_module/patch/proxy_connect.patch
$ ./configure --add-module=/path/to/ngx_http_proxy_connect_module
$ make && make install

Build as a dynamic module

  • Starting from nginx 1.9.11, you can also compile this module as a dynamic module, by using the --add-dynamic-module=PATH option instead of --add-module=PATH on the ./configure command line.
$ wget http://nginx.org/download/nginx-1.9.12.tar.gz
$ tar -xzvf nginx-1.9.12.tar.gz
$ cd nginx-1.9.12/
$ patch -p1 < /path/to/ngx_http_proxy_connect_module/patch/proxy_connect.patch
$ ./configure --add-dynamic-module=/path/to/ngx_http_proxy_connect_module
$ make && make install
  • And then you can explicitly load the module in your nginx.conf via the load_module directive, for example,
load_module /path/to/modules/ngx_http_proxy_connect_module.so;
  • Note that the ngx_http_proxy_connect_module.so file MUST be loaded by the nginx binary that was compiled at the same time as the .so file.

Build OpenResty

  • Build OpenResty with this module from source:
$ wget https://openresty.org/download/openresty-1.19.3.1.tar.gz
$ tar -zxvf openresty-1.19.3.1.tar.gz
$ cd openresty-1.19.3.1
$ ./configure --add-module=/path/to/ngx_http_proxy_connect_module
$ patch -d build/nginx-1.19.3/ -p 1 < /path/to/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_101504.patch
$ make && make install

Test Suite

  • To run the whole test suite:
$ hg clone http://hg.nginx.org/nginx-tests/
$ export TEST_NGINX_BINARY=/path/to/nginx/binary
$ prove -v -I /path/to/nginx-tests/lib /path/to/ngx_http_proxy_connect_module/t/

Error Log

This module logs its own error messages with the prefix "proxy_connect:".
Some typical error logs are shown below:

  • The proxy_connect module tries to establish a tunnel connection with the backend server, but the TCP connection times out.
2019/08/07 17:27:20 [error] 19257#0: *1 proxy_connect: upstream connect timed out (peer:216.58.200.4:443) while connecting to upstream, client: 127.0.0.1, server: , request: "CONNECT www.google.com:443 HTTP/1.1", host: "www.google.com:443"
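
A triage helper for the error-log format shown above, as an added example that is not part of the module: it parses "proxy_connect:" lines and groups failed tunnels per client, so an operator can see which clients keep failing against many different targets. The first sample line is the one from this page; the other lines, and the names `parse_error_line`, `summarize` and `clients_over`, are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches only lines the module wrote itself (prefix "proxy_connect:").
ERROR_LINE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'\d+#\d+: \*(?P<conn>\d+) proxy_connect: (?P<msg>.*?)'
    r', client: (?P<client>[^,]+), server: [^,]*, '
    r'request: "CONNECT (?P<target>\S+) HTTP/1\.[01]"'
)
PEER = re.compile(r"\s*\(peer:([^)]+)\)")
SUFFIX = " while connecting to upstream"

# Line 1 is the log line from this page; the rest are constructed samples.
SAMPLE_LOG = '''\
2019/08/07 17:27:20 [error] 19257#0: *1 proxy_connect: upstream connect timed out (peer:216.58.200.4:443) while connecting to upstream, client: 127.0.0.1, server: , request: "CONNECT www.google.com:443 HTTP/1.1", host: "www.google.com:443"
2019/08/07 17:27:40 [error] 19257#0: *3 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: , request: "GET /favicon.ico HTTP/1.1", host: "proxy.example.net"
2019/08/07 17:28:01 [error] 19257#0: *5 proxy_connect: upstream connect timed out (peer:203.0.113.10:443) while connecting to upstream, client: 198.51.100.7, server: , request: "CONNECT a.example.org:443 HTTP/1.1", host: "a.example.org:443"
2019/08/07 17:28:02 [error] 19257#0: *6 proxy_connect: upstream connect timed out (peer:203.0.113.11:443) while connecting to upstream, client: 198.51.100.7, server: , request: "CONNECT b.example.org:443 HTTP/1.1", host: "b.example.org:443"
2019/08/07 17:28:03 [error] 19257#0: *7 proxy_connect: connection error while connecting to upstream, client: 198.51.100.7, server: , request: "CONNECT c.example.org:443 HTTP/1.1", host: "c.example.org:443"
'''


def parse_error_line(line):
    """Return a dict for a proxy_connect error line, or None for any other line."""
    m = ERROR_LINE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    peer = PEER.search(msg)
    reason = PEER.sub("", msg)          # drop "(peer:ip:port)" from the message
    if reason.endswith(SUFFIX):
        reason = reason[: -len(SUFFIX)]
    return {
        "time": m.group("ts"),
        "level": m.group("level"),
        "client": m.group("client"),
        "target": m.group("target"),    # host:port from the CONNECT request line
        "peer": peer.group(1) if peer else None,
        "reason": reason,
    }


def summarize(lines):
    """Group module errors per client: failure count, distinct targets, reasons."""
    stats = defaultdict(lambda: {"failures": 0, "targets": set(), "reasons": Counter()})
    for line in lines:
        event = parse_error_line(line)
        if event is None:
            continue
        entry = stats[event["client"]]
        entry["failures"] += 1
        entry["targets"].add(event["target"])
        entry["reasons"][event["reason"]] += 1
    return dict(stats)


def clients_over(stats, min_targets):
    """Clients whose failed tunnels span at least min_targets distinct targets."""
    return sorted(c for c, s in stats.items() if len(s["targets"]) >= min_targets)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for client, s in sorted(stats.items()):
        print(client, s["failures"], sorted(s["targets"]), dict(s["reasons"]))
    print("clients with failures to 3+ targets:", clients_over(stats, 3))
```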

Directive

proxy_connect

Syntax: proxy_connect
Default: none
Context: server

Enable "CONNECT" HTTP method support.

proxy_connect_allow

Syntax: proxy_connect_allow all | [port ...] | [port-range ...]
Default: 443 563
Context: server

This directive specifies a list of port numbers or ranges to which the proxy CONNECT method may connect.
By default, only the default https port (443) and the default snews port (563) are enabled.
Using this directive will override this default and allow connections to the listed ports only.

The value all allows the proxy to connect to all ports.

The value port allows the proxy to connect to the specified port.

The value port-range allows the proxy to connect to the specified range of ports, for example:

proxy_connect_allow 1000-2000 3000-4000; # allow range of port from 1000 to 2000, from 3000 to 4000.
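
A config-review model of the allow-list semantics described above, as an added example that is not the module's code: it parses a proxy_connect_allow value, lists which CONNECT request lines that value would admit, and reports which ports from a small watch list it opens. `WATCHED_PORTS`, the sample request lines and all function names are assumptions constructed for the example.

```python
import re

DEFAULT_ALLOW = "443 563"   # documented default: https and snews

# Assumption: ports a reviewer would not expect a web forward proxy to reach.
WATCHED_PORTS = {22: "ssh", 25: "smtp", 3306: "mysql", 3389: "rdp"}

# CONNECT uses authority-form (host:port); IPv6 literals are bracketed.
REQUEST_LINE = re.compile(
    r"^CONNECT (\[[0-9A-Fa-f:.]+\]|[^\s:\[\]]+):(\d{1,5}) HTTP/1\.[01]$"
)


def parse_allow(value=DEFAULT_ALLOW):
    """Parse a proxy_connect_allow argument string.

    Returns None for `all`, otherwise a list of inclusive (low, high) ranges.
    """
    ranges = []
    for token in value.split():
        if token == "all":
            return None
        low, sep, high = token.partition("-")
        if not low.isdigit() or (sep and not high.isdigit()):
            raise ValueError(f"not a port or port-range: {token!r}")
        lo = int(low)
        hi = int(high) if sep else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {token!r}")
        ranges.append((lo, hi))
    if not ranges:
        raise ValueError("proxy_connect_allow needs at least one value")
    return ranges


def port_allowed(port, ranges):
    """True if the port is inside the allow-list (None means `all`)."""
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def connect_target(request_line):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m or not 1 <= int(m.group(2)) <= 65535:
        return None
    return m.group(1), int(m.group(2))


def review(allow_value, request_lines):
    """Return (watched ports the allow-list opens, request lines it admits)."""
    ranges = parse_allow(allow_value)
    opened = sorted(p for p in WATCHED_PORTS if port_allowed(p, ranges))
    admitted = []
    for line in request_lines:
        target = connect_target(line)
        if target and port_allowed(target[1], ranges):
            admitted.append(line)
    return opened, admitted


SAMPLE_REQUESTS = [   # constructed request lines
    "CONNECT github.com:443 HTTP/1.1",
    "CONNECT news.example.org:563 HTTP/1.1",
    "CONNECT mail.example.org:25 HTTP/1.1",
    "CONNECT [2001:db8::10]:1500 HTTP/1.1",
    "CONNECT 192.0.2.7:22 HTTP/1.1",
    "CONNECT example.org HTTP/1.1",          # malformed: no port
]

if __name__ == "__main__":
    for allow in (DEFAULT_ALLOW, "1000-2000 3000-4000", "all"):
        opened, admitted = review(allow, SAMPLE_REQUESTS)
        print(f"proxy_connect_allow {allow};")
        print("  watched ports opened:", opened or "none")
        for line in admitted:
            print("  admitted:", line)
```

Note how the range example from the directive text no longer admits port 443, because listing ports overrides the default, while it does cover two of the watched ports.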

proxy_connect_connect_timeout

Syntax: proxy_connect_connect_timeout time
Default: none
Context: server

Defines a timeout for establishing a connection with a proxied server.

proxy_connect_read_timeout

Syntax: proxy_connect_read_timeout time
Default: 60s
Context: server

Defines a timeout for reading a response from the proxied server.
The timeout is set only between two successive read operations, not for the transmission of the whole response.
If the proxied server does not transmit anything within this time, the connection is closed.

proxy_connect_send_timeout

Syntax: proxy_connect_send_timeout time
Default: 60s
Context: server

Sets a timeout for transmitting a request to the proxied server.
The timeout is set only between two successive write operations, not for the transmission of the whole request.
If the proxied server does not receive anything within this time, the connection is closed.

proxy_connect_address

Syntax: proxy_connect_address address | off
Default: none
Context: server

Specify an IP address of the proxied server. The address can contain variables.
The special value off is equal to none, which uses the IP address resolved from host name of CONNECT request line.

NOTE: If using set $<nginx variable> and proxy_connect_address $<nginx variable> together, you should use proxy_connect_rewrite.patch instead, see Install for more details.

proxy_connect_bind

Syntax: proxy_connect_bind address [transparent] | off
Default: none
Context: server

Makes outgoing connections to a proxied server originate from the specified local IP address with an optional port.
Parameter value can contain variables. The special value off is equal to none, which allows the system to auto-assign the local IP address and port.

The transparent parameter allows outgoing connections to a proxied server to originate from a non-local IP address, for example, from a real IP address of a client:

proxy_connect_bind $remote_addr transparent;

In order for this parameter to work, it is usually necessary to run nginx worker processes with the superuser privileges. On Linux it is not required (1.13.8) as if the transparent parameter is specified, worker processes inherit the CAP_NET_RAW capability from the master process. It is also necessary to configure kernel routing table to intercept network traffic from the proxied server.

NOTE: If using set $<nginx variable> and proxy_connect_bind $<nginx variable> together, you should use proxy_connect_rewrite.patch instead, see Install for more details.

proxy_connect_response

Syntax: proxy_connect_response CONNECT response
Default: HTTP/1.1 200 Connection Established\r\nProxy-agent: nginx\r\n\r\n
Context: server

Set the response of CONNECT request.

Note that it is only used for CONNECT request, it cannot modify the data flow over CONNECT tunnel.

For example:

proxy_connect_response "HTTP/1.1 200 Connection Established\r\nProxy-agent: nginx\r\nX-Proxy-Connected-Addr: $connect_addr\r\n\r\n";

A curl test case with the above config looks like this:

$ curl https://github.com -sv -x localhost:3128
* Connected to localhost (127.0.0.1) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to github.com:443
> CONNECT github.com:443 HTTP/1.1
> Host: github.com:443
> User-Agent: curl/7.64.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established            --.
< Proxy-agent: nginx                               | custom CONNECT response
< X-Proxy-Connected-Addr: 13.229.188.59:443      --'
...

Variables

$connect_host

host name from CONNECT request line.

$connect_port

port from CONNECT request line.

$connect_addr

IP address and port of the remote host, e.g. "192.168.1.5:12345". IP address is resolved from host name of CONNECT request line.

$proxy_connect_connect_timeout

Get or set timeout of proxy_connect_connect_timeout directive.

For example:

# Set default value

proxy_connect_connect_timeout   10s;
proxy_connect_read_timeout      10s;
proxy_connect_send_timeout      10s;

# Override default value

if ($host = "test.com") {
    set $proxy_connect_connect_timeout  "10ms";
    set $proxy_connect_read_timeout     "10ms";
    set $proxy_connect_send_timeout     "10ms";
}

$proxy_connect_read_timeout

Get or set a timeout of proxy_connect_read_timeout directive.

$proxy_connect_send_timeout

Get or set a timeout of proxy_connect_send_timeout directive.

$proxy_connect_resolve_time

Keeps time spent on name resolving; the time is kept in seconds with millisecond resolution.

  • Value of "" means this module does not work on this request.
  • Value of "-" means name resolving failed.

$proxy_connect_connect_time

Keeps time spent on establishing a connection with the upstream server; the time is kept in seconds with millisecond resolution.

  • Value of "" means this module does not work on this request.
  • Value of "-" means name resolving or connecting failed.
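
An access-log audit built on the variables above, as an added example that is not part of the module: it classifies each request from the documented "" and "-" values of the two timing variables and marks tunnels whose $connect_addr is not a public address. The log_format, the sample lines and the function names are assumptions constructed for the example; only the variable names and their meanings come from this page.

```python
import ipaddress
import re

# Assumed log_format (hypothetical; only the variable names come from this page):
#   log_format connect '$remote_addr "$request" host="$connect_host" '
#                      'addr="$connect_addr" resolve="$proxy_connect_resolve_time" '
#                      'connect="$proxy_connect_connect_time"';
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines in the assumed format.
SAMPLE_LOG = '''\
192.168.0.138 "CONNECT github.com:443 HTTP/1.1" host="github.com" addr="13.229.188.59:443" resolve="0.004" connect="0.031"
192.168.0.138 "CONNECT www.google.com:443 HTTP/1.1" host="www.google.com" addr="216.58.200.4:443" resolve="0.002" connect="-"
192.168.0.138 "CONNECT intranet.example.test:443 HTTP/1.1" host="intranet.example.test" addr="10.10.10.10:443" resolve="0.001" connect="0.002"
192.168.0.138 "CONNECT nosuch.example.test:443 HTTP/1.1" host="nosuch.example.test" addr="" resolve="-" connect="-"
192.168.0.138 "GET http://example.org/ HTTP/1.1" host="" addr="" resolve="" connect=""
'''


def parse_access_line(line):
    """Split one log line into the client address and the key="value" fields."""
    client, _, rest = line.partition(" ")
    fields = dict(FIELD.findall(rest))
    entry = {k: fields.get(k, "") for k in ("host", "addr", "resolve", "connect")}
    entry["client"] = client
    return entry


def outcome(resolve, connect):
    """Map the two timing variables to an outcome, using the documented values."""
    if resolve == "":
        return "not-handled"       # "" : the module did not work on this request
    if resolve == "-":
        return "resolve-failed"    # "-": name resolving failed
    if connect == "-":
        return "connect-failed"    # resolved, but connecting failed
    return "tunnelled"


def target_ip(addr):
    """Return the IP part of an "ip:port" value, or None if it does not parse."""
    host, sep, _port = addr.rpartition(":")
    if not sep:
        return None
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def audit(lines):
    """Classify every non-empty line and mark non-public tunnel endpoints."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_access_line(line)
        entry["outcome"] = outcome(entry["resolve"], entry["connect"])
        ip = target_ip(entry["addr"])
        # Loopback, private, link-local and similar ranges are not "global".
        entry["non_public"] = ip is not None and not ip.is_global
        results.append(entry)
    return results


def non_public_targets(results):
    """(client, host, addr) for every request that reached a non-public address."""
    return [(e["client"], e["host"], e["addr"]) for e in results if e["non_public"]]


if __name__ == "__main__":
    results = audit(SAMPLE_LOG.splitlines())
    for e in results:
        print(f'{e["outcome"]:15} {e["host"] or "-":25} {e["addr"] or "-"}')
    print("non-public endpoints:", non_public_targets(results))
```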

$proxy_connect_response

Get or set the response of CONNECT request.
The default response of CONNECT request is "HTTP/1.1 200 Connection Established\r\nProxy-agent: nginx\r\n\r\n".

Note that it is only used for CONNECT request, it cannot modify the data flow over CONNECT tunnel.

For example:

# modify default Proxy-agent header
set $proxy_connect_response "HTTP/1.1 200\r\nProxy-agent: nginx/1.19\r\n\r\n";

The variable value does not support nginx variables. You can use lua-nginx-module to construct a string that contains nginx variables. For example:

# The CONNECT response may be "HTTP/1.1 200\r\nProxy-agent: nginx/1.19.6\r\n\r\n"

rewrite_by_lua '
    ngx.var.proxy_connect_response =
      string.format("HTTP/1.1 200\\r\\nProxy-agent: nginx/%s\\r\\n\\r\\n", ngx.var.nginx_version)
';

Also note that the set and rewrite_by_lua* directives run during the REWRITE phase, which comes before the DNS resolving phase. Some variables do not have their final value at that point; for example, the value of $connect_addr is nil. In such cases, use the proxy_connect_response directive instead.

Compatibility

Nginx Compatibility

The latest module is compatible with the following versions of nginx:

  • 1.19.6 (mainline version of 1.19.x ~ 1.20.x)
  • 1.18.0 (stable version of 1.18.x)
  • 1.16.1 (stable version of 1.16.x)
  • 1.14.2 (stable version of 1.14.x)
  • 1.12.1 (stable version of 1.12.x)
  • 1.10.3 (stable version of 1.10.x)
  • 1.8.1 (stable version of 1.8.x)
  • 1.6.3 (stable version of 1.6.x)
  • 1.4.7 (stable version of 1.4.x)

OpenResty Compatibility

The latest module is compatible with the following versions of OpenResty:

  • 1.13.6 (version: 1.13.6.2)
  • 1.15.8 (version: 1.15.8.1)
  • 1.17.8 (version: 1.17.8.2)
  • 1.19.3 (version: 1.19.3.1)

Tengine Compatibility

This module has been integrated into Tengine 2.3.0.

FAQ

See FAQ page.

Known Issues

  • The CONNECT method is not supported in HTTP/2. The module only supports CONNECT method requests in HTTP/1.x and HTTPS.

See Also

Author

LICENSE

See LICENSE for details.

Issues
  • LUA with CONNECT requests

    Your example shows location / for non-connect requests, but how would I define a location for a connect request? I wanted to parse out the POST parameters of the connect request with Lua and don't know how to define a location to accomplish this.

    enhancement 
    opened by bytesploit 25
  • Caching proxied requests? // make nginx proxy_cache works as backend server

    Would it be possible to cache proxy_connect responses in Nginx, using proxy_cache for example? Based on my limited understanding, it seems like this module tunnels directly to the destination and the proxied request is not handled by a normal Nginx location block, so the proxy_cache setting does not apply.

    enhancement 
    opened by concreted 20
  • Is it possible to use FQDN or variable as target for `proxy_connect_address`

    First - Thank you for this fork, it's been a life saver for my use-case.

    I have a need to define my next proxy hop in proxy_connect_address by docker service name / FQDN. Is this supported? The service name does resolve within ngx, but I cannot get proxy_connect_address to make use of it.

    In this topology App, ngx_connect, ngx_reverse are all within swarm. App <CONNECT> ngx_connect <HTTPS> ngx_reverse(ssl/cache)<HTTPS Internet> Target

    Using IP address for proxy_connect_address works end-to-end. As both proxies are within swarm, the IP address for ngx_reverse may change on start, and certainly as others deploy across their environments.

    proxy_connect_address 10.10.10.10:8080;   # Working
    #proxy_connect_address nginx_reverse:8080; # Fails
    #proxy_connect_address caching_reverse_nginx; # Fails
    
    worker_processes  1;
    events {
        worker_connections  1024;
    }
    
    http {
        error_log /etc/nginx/error_log.log warn;
        client_max_body_size 20m;
    
        resolver 127.0.0.11 ipv6=off;
    
        upstream caching_reverse_nginx {
            server nginx_reverse:8080;      # The next hop - a Reverse proxy
        }
    
        server {
            listen                         3128;
    
            # dns resolver used by forward proxying
            resolver                       127.0.0.11 ipv6=off;
    
            # forward proxy for CONNECT request
            proxy_connect;
            proxy_connect_allow            443 3443;
            proxy_connect_connect_timeout  10s;
            proxy_connect_read_timeout     10s;
            proxy_connect_send_timeout     10s;
            proxy_connect_address 10.10.10.10:8080; # Works
            #proxy_connect_address nginx_reverse:8080; # Fails
            #proxy_connect_address caching_reverse_nginx; # Fails
    
            # forward proxy for non-CONNECT request
            location / {
                proxy_pass  https://caching_reverse_nginx ;
                proxy_set_header Host $http_host;
             }
        }
    }
    
    question 
    opened by creslinux 17
  • proxy_connect: connection error while connecting to upstream

    nginx-1.17.7 proxy_connect_rewrite_101504.patch

    error_log:

    2020/01/12 17:47:32 [crit] 47561#47561: *157 connect() to [240e:83:205:59:0:ff:b09b:159e]:443 failed (99: Cannot assign requested address) while connecting to upstream, client: 172.16.18.181, server: , request: "CONNECT www.baidu.com:443 HTTP/1.1", host: "www.baidu.com:443"
    2020/01/12 17:47:32 [error] 47561#47561: *157 proxy_connect: connection error while connecting to upstream, client: 172.16.18.181, server: , request: "CONNECT www.baidu.com:443 HTTP/1.1", host: "www.baidu.com:443"

    proxy.conf

    server {
        listen 8090;
        resolver 180.76.76.76;
        resolver_timeout 5s;
        proxy_connect;
        proxy_connect_allow 443;
        proxy_connect_connect_timeout 10s;
        proxy_connect_read_timeout 10s;
        proxy_connect_send_timeout 10s;
        location / {
            proxy_pass $scheme://$host$request_uri;
            proxy_set_header Host $host;
            proxy_buffers 256 4k;
            proxy_max_temp_file_size 0;
            proxy_connect_timeout 30;
        }
        access_log /var/log/nginx/proxy_access.log main;
        error_log /var/log/nginx/proxy_error.log;
    }

    Access on another machine

    [[email protected] ~]# curl https://www.baidu.com
    curl: (56) Received HTTP code 502 from proxy after CONNECT

    Sometimes normal, sometimes 502

    opened by babyshen 16
  • Connection timed out errors

    I'm getting:

    2019/01/17 21:38:32 [error] 4213#4213: *12683 upstream timed out (110: Connection timed out) while connecting to upstream(proxy_connect), client: 192.168.0.138, server: , request: "CONNECT registry.npmjs.org:443 HTTP/1.1", host: "registry.npmjs.org"
    

    When trying to do an npm install through the proxy. What happens is, I will get maybe a hundred or so successful upstream connections, and then this error will start to appear and npm will never recover.

    Both my systems are on AWS EC2. My nginx.conf file looks like this:

    worker_processes 1;
    
    error_log /var/log/nginx/error.log info;
    
    pid /run/nginx.pid;
    
    events {
      worker_connections 1024;
    }
    
    http {
      include mime.types;
      default_type application/octet-stream;
      sendfile on;
      keepalive_timeout 65;
    
      server {
        listen 3128;
        resolver 127.0.0.53 ipv6=off;
        resolver_timeout 30s;
    
        # Forward proxy for CONNECT requests
        proxy_connect;
        proxy_connect_allow 443;
        proxy_connect_connect_timeout 30s;
        proxy_connect_read_timeout 30s;
        proxy_connect_send_timeout 30s;
    
        # Forward proxy for non-CONNECT request
        location / {
          proxy_pass http://$host;
          proxy_set_header Host $host;
        }
      }
    }
    

    I found I had to add the ipv6=off or I'd get this error almost constantly. Apparently there is a race condition with the DNS server sometimes returning an IPv6 record before the IPv4 one.

    TODO 
    opened by jlyonsmith 16
  • Is it possible to support verification of client certificates?

    If a new param were added to control whether to check $ssl_client_verify, it would be helpful for authentication, such as proxy_connect_ssl_client_verify on/off; [default off]

    If proxy_connect_ssl_client_verify is on, then check ssl_client_verify for each request; if it fails, return 400; if it succeeds, authenticated!

    I think this function would be very helpful, thanks for considering.

    question 
    opened by bigboyq 15
  • SSH Proxy

    I want to proxy SSH connections on my server, port 443 to port 22. The reason is that sometimes the port 22 is not available.

    The nginx conf is like this:

    server{
        listen 443;
        server_name  ssh.mydomain;
    
        proxy_connect;
        proxy_connect_allow  all;
        proxy_connect_connect_timeout  15s;
        proxy_connect_read_timeout     30s;
        proxy_connect_send_timeout     30s;
        proxy_connect_address 127.0.0.1:22;
    
        # location / {
        #     proxy_pass http://127.0.0.1:22;
        # }
    
    }
    

    But I always get "The proxy server rejected connection request: Connection aborted." in Xshell. Any idea?

    opened by yunge 12
  • nginx: [emerg] unknown directive

    nginx: [emerg] unknown directive "proxy_connect" in

    0. Before Your ASK

    1. Try to find an answer by reading a FAQ.

    Ⅰ. Issue Description

    Ⅱ. Describe what happened

    Ⅲ. Describe what you expected to happen

    Ⅳ. How to reproduce it (as minimally and precisely as possible)

    Ⅴ. Anything else we need to know?

    1. If applicable, add nginx debug log.

    Ⅵ. Environment:

    1. Tengine/Nginx/OpenResty version (use sbin/nginx -v):
    2. Which patch do you use?
    opened by dlbin 10
  • unexpected requests in log

    Hi! This is part of access.log:

    85.97.129.80 - - [21/Sep/2018:19:03:35 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    116.212.150.49 - - [21/Sep/2018:20:41:54 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
    60.191.38.78 - - [21/Sep/2018:20:45:01 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
    79.120.133.202 - - [21/Sep/2018:20:53:26 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
    46.153.21.60 - - [21/Sep/2018:21:27:10 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"

    I have never sent a request from these IPs. And I set auth_basic_user_file, but these requests still exist.

    opened by PaulOnion 8
  • ERROR: kevent() reported that connect() failed

    • original problem: https://github.com/chobits/ngx_http_proxy_connect_module/issues/55#issuecomment-410586972, https://github.com/chobits/ngx_http_proxy_connect_module/issues/55#issuecomment-412013564, https://github.com/chobits/ngx_http_proxy_connect_module/issues/55#issuecomment-412016211

    • from @wxy8435 comment

    Re-tested on the internal network:

    userdeMacBook-Air:~ user$ curl https://www.baidu.com/ -v -x localhost:8888 -o index.html --progress-bar -k
    *   Trying ::1...
    * TCP_NODELAY set
    * Connection failed
    * connect to ::1 port 8888 failed: Connection refused
    *   Trying fe80::1...
    * TCP_NODELAY set
    * Connection failed
    * connect to fe80::1 port 8888 failed: Connection refused
    *   Trying 127.0.0.1...
    * TCP_NODELAY set
    * Connected to localhost (127.0.0.1) port 8888 (#0)
    * allocate connect buffer!
    * Establish HTTP proxy tunnel to www.baidu.com:443
    > CONNECT www.baidu.com:443 HTTP/1.1
    > Host: www.baidu.com:443
    > User-Agent: curl/7.61.0
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 200 Connection Established
    < Proxy-agent: nginx
    <
    * Proxy replied 200 to CONNECT request
    * CONNECT phase completed!
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /usr/local/etc/openssl/cert.pem
      CApath: /usr/local/etc/openssl/certs
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    } [5 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * CONNECT phase completed!
    * CONNECT phase completed!
    * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    * Closing connection 0
    
    curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    

    There are no obvious errors in the nginx log.

    2018/08/10 16:29:24 [debug] 20388#0: accept on 0.0.0.0:8888, ready: 1
    2018/08/10 16:29:24 [debug] 20389#0: kevent events: 1
    2018/08/10 16:29:24 [debug] 20389#0: kevent: 10: ft:-1 fl:0005 ff:00000000 d:1 ud:00007FAD24816C00
    2018/08/10 16:29:24 [debug] 20389#0: accept on 0.0.0.0:8888, ready: 1
    2018/08/10 16:29:24 [debug] 20388#0: posix_memalign: 00007FAD23F00160:512 @16
    2018/08/10 16:29:24 [debug] 20389#0: accept() not ready (35: Resource temporarily unavailable)
    2018/08/10 16:29:24 [debug] 20388#0: *58 accept: 127.0.0.1:59395 fd:4
    2018/08/10 16:29:24 [debug] 20388#0: *58 event timer add: 4: 60000:22039878
    2018/08/10 16:29:24 [debug] 20388#0: *58 reusable connection: 1
    2018/08/10 16:29:24 [debug] 20388#0: *58 kevent set event: 4: ft:-1 fl:0025
    2018/08/10 16:29:24 [debug] 20388#0: timer delta: 3266
    2018/08/10 16:29:24 [debug] 20388#0: worker cycle
    2018/08/10 16:29:24 [debug] 20388#0: kevent timer: 60000, changes: 1
    2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
    2018/08/10 16:29:24 [debug] 20388#0: kevent: 4: ft:-1 fl:0025 ff:00000000 d:118 ud:00007FAD25012AD0
    2018/08/10 16:29:24 [debug] 20388#0: *58 http wait request handler
    2018/08/10 16:29:24 [debug] 20388#0: *58 malloc: 00007FAD25004000:1024
    2018/08/10 16:29:24 [debug] 20388#0: *58 recv: eof:0, avail:118, err:0
    2018/08/10 16:29:24 [debug] 20388#0: *58 recv: fd:4 118 of 1024
    2018/08/10 16:29:24 [debug] 20388#0: *58 reusable connection: 0
    2018/08/10 16:29:24 [debug] 20388#0: *58 posix_memalign: 00007FAD25004400:4096 @16
    2018/08/10 16:29:24 [debug] 20388#0: *58 http process request line
    2018/08/10 16:29:24 [debug] 20388#0: *58 http request line: "CONNECT www.baidu.com:443 HTTP/1.1"
    2018/08/10 16:29:24 [debug] 20388#0: *58 http uri: ""
    2018/08/10 16:29:24 [debug] 20388#0: *58 http args: ""
    2018/08/10 16:29:24 [debug] 20388#0: *58 http exten: ""
    2018/08/10 16:29:24 [debug] 20388#0: *58 posix_memalign: 00007FAD25005400:4096 @16
    2018/08/10 16:29:24 [debug] 20388#0: *58 http process request header line
    2018/08/10 16:29:24 [debug] 20388#0: *58 http header: "Host: www.baidu.com:443"
    2018/08/10 16:29:24 [debug] 20388#0: *58 http header: "User-Agent: curl/7.61.0"
    2018/08/10 16:29:24 [debug] 20388#0: *58 http header: "Proxy-Connection: Keep-Alive"
    2018/08/10 16:29:24 [debug] 20388#0: *58 http header done
    2018/08/10 16:29:24 [debug] 20388#0: *58 event timer del: 4: 22039878
    2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 0
    2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 1
    2018/08/10 16:29:24 [debug] 20388#0: *58 rewrite phase: 2
    2018/08/10 16:29:24 [debug] 20388#0: *58 rewrite phase: 4
    2018/08/10 16:29:24 [debug] 20388#0: *58 post rewrite phase: 5
    2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 6
    2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 7
    2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 8
    2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 9
    2018/08/10 16:29:24 [debug] 20388#0: *58 access phase: 10
    2018/08/10 16:29:24 [debug] 20388#0: *58 access phase: 11
    2018/08/10 16:29:24 [debug] 20388#0: *58 access phase: 12
    2018/08/10 16:29:24 [debug] 20388#0: *58 post access phase: 13
    2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 14
    2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 15
    2018/08/10 16:29:24 [debug] 20388#0: *58 connect network address given by proxy_connect_address
    2018/08/10 16:29:24 [debug] 20388#0: *58 stream socket 8
    2018/08/10 16:29:24 [debug] 20388#0: *58 connect to 10.243.184.40:8081, fd:8 #59
    2018/08/10 16:29:24 [debug] 20387#0: kevent events: 1
    2018/08/10 16:29:24 [debug] 20387#0: kevent: 10: ft:-1 fl:0005 ff:00000000 d:1 ud:00007FAD25012A00
    2018/08/10 16:29:24 [debug] 20387#0: accept on 0.0.0.0:8888, ready: 1
    2018/08/10 16:29:24 [debug] 20387#0: accept() not ready (35: Resource temporarily unavailable)
    2018/08/10 16:29:24 [debug] 20387#0: timer delta: 3266
    2018/08/10 16:29:24 [debug] 20387#0: worker cycle
    2018/08/10 16:29:24 [debug] 20387#0: kevent timer: -1, changes: 0
    2018/08/10 16:29:24 [debug] 20390#0: kevent events: 1
    2018/08/10 16:29:24 [debug] 20388#0: *58 kevent set event: 8: ft:-1 fl:0025
    2018/08/10 16:29:24 [debug] 20390#0: kevent: 10: ft:-1 fl:0005 ff:00000000 d:1 ud:00007FAD25012A00
    2018/08/10 16:29:24 [debug] 20389#0: timer delta: 3266
    2018/08/10 16:29:24 [debug] 20390#0: accept on 0.0.0.0:8888, ready: 1
    2018/08/10 16:29:24 [debug] 20391#0: accept on 0.0.0.0:8888, ready: 1
    2018/08/10 16:29:24 [debug] 20390#0: accept() not ready (35: Resource temporarily unavailable)
    2018/08/10 16:29:24 [debug] 20390#0: timer delta: 3266
    2018/08/10 16:29:24 [debug] 20388#0: *58 kevent set event: 8: ft:-2 fl:0025
    2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect upstream connect: -2
    2018/08/10 16:29:24 [debug] 20388#0: *58 posix_memalign: 00007FAD23D0B860:128 @16
    2018/08/10 16:29:24 [debug] 20388#0: *58 event timer add: 8: 60000:22039879
    2018/08/10 16:29:24 [debug] 20388#0: *58 http finalize request: -4, "?" a:1, c:2
    2018/08/10 16:29:24 [debug] 20388#0: *58 http request count:2 blk:0
    2018/08/10 16:29:24 [debug] 20388#0: timer delta: 1
    2018/08/10 16:29:24 [debug] 20388#0: worker cycle
    2018/08/10 16:29:24 [debug] 20388#0: kevent timer: 60000, changes: 2
    2018/08/10 16:29:24 [debug] 20391#0: accept() not ready (35: Resource temporarily unavailable)
    2018/08/10 16:29:24 [debug] 20391#0: timer delta: 3266
    2018/08/10 16:29:24 [debug] 20391#0: worker cycle
    2018/08/10 16:29:24 [debug] 20391#0: kevent timer: -1, changes: 0
    2018/08/10 16:29:24 [debug] 20390#0: worker cycle
    2018/08/10 16:29:24 [debug] 20390#0: kevent timer: -1, changes: 0
    2018/08/10 16:29:24 [debug] 20389#0: worker cycle
    2018/08/10 16:29:24 [debug] 20389#0: kevent timer: -1, changes: 0
    2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
    2018/08/10 16:29:24 [debug] 20388#0: kevent: 8: ft:-2 fl:0025 ff:00000000 d:131328 ud:00007FAD25040B38
    2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect upstream handler: "www.baidu.com:443"
    2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect upstream write handler
    2018/08/10 16:29:24 [debug] 20388#0: *58 event timer del: 8: 22039879
    2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect send 200 connection estatbilshed
    2018/08/10 16:29:24 [debug] 20388#0: *58 send: fd:4 59 of 59
    2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect sent 200 connection estatbilshed
    2018/08/10 16:29:24 [debug] 20388#0: timer delta: 6
    2018/08/10 16:29:24 [debug] 20388#0: worker cycle
    2018/08/10 16:29:24 [debug] 20388#0: kevent timer: -1, changes: 0
    2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
    2018/08/10 16:29:24 [debug] 20388#0: kevent: 4: ft:-1 fl:0025 ff:00000000 d:517 ud:00007FAD25012AD0
    2018/08/10 16:29:24 [debug] 20388#0: *58 http run request: "?"
    2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect, fu:0 write:0
    2018/08/10 16:29:24 [debug] 20388#0: *58 malloc: 00007FAD25801800:16384
    2018/08/10 16:29:24 [debug] 20388#0: *58 recv: eof:0, avail:517, err:0
    2018/08/10 16:29:24 [debug] 20388#0: *58 recv: fd:4 517 of 16384
    2018/08/10 16:29:24 [debug] 20388#0: *58 send: fd:8 517 of 517
    2018/08/10 16:29:24 [debug] 20388#0: *58 event timer add: 4: 60000:22039887
    2018/08/10 16:29:24 [debug] 20388#0: timer delta: 2
    2018/08/10 16:29:24 [debug] 20388#0: worker cycle
    2018/08/10 16:29:24 [debug] 20388#0: kevent timer: 60000, changes: 0
    2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
    2018/08/10 16:29:24 [debug] 20388#0: kevent: 8: ft:-2 fl:0025 ff:00000000 d:131328 ud:00007FAD25040B38
    2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect upstream handler: "www.baidu.com:443"
    2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect upstream write handler
    2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect, fu:0 write:1
    2018/08/10 16:29:24 [debug] 20388#0: *58 event timer: 4, old: 22039887, new: 22039892
    2018/08/10 16:29:24 [debug] 20388#0: timer delta: 5
    2018/08/10 16:29:24 [debug] 20388#0: worker cycle
    2018/08/10 16:29:24 [debug] 20388#0: kevent timer: 59995, changes: 0
    2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
    2018/08/10 16:29:24 [debug] 20388#0: kevent: 8: ft:-1 fl:0025 ff:00000000 d:903 ud:00007FAD25012B38
    2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect upstream handler: "www.baidu.com:443"
    2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect upstream read handler
    2018/08/10 16:29:24 [debug] 20388#0: *58 malloc: 00007FAD25006400:16384
    2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect, fu:1 write:0
    2018/08/10 16:29:24 [debug] 20388#0: *58 recv: eof:0, avail:903, err:0
    2018/08/10 16:29:24 [debug] 20388#0: *58 recv: fd:8 903 of 16384
    2018/08/10 16:29:24 [debug] 20388#0: *58 send: fd:4 903 of 903
    2018/08/10 16:29:24 [debug] 20388#0: *58 event timer add: 8: 60000:22039892
    2018/08/10 16:29:24 [debug] 20388#0: timer delta: 0
    2018/08/10 16:29:24 [debug] 20388#0: worker cycle
    2018/08/10 16:29:24 [debug] 20388#0: kevent timer: 59995, changes: 0
    2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
    2018/08/10 16:29:24 [debug] 20388#0: kevent: 8: ft:-1 fl:8025 ff:00000000 d:0 ud:00007FAD25012B38
    2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect upstream handler: "www.baidu.com:443"
    2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect upstream read handler
    2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect, fu:1 write:0
    2018/08/10 16:29:24 [debug] 20388#0: *58 recv: eof:1, avail:0, err:0
    2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect done
    2018/08/10 16:29:24 [debug] 20388#0: *58 finalize proxy_conncet upstream request: 0
    2018/08/10 16:29:24 [debug] 20388#0: *58 close proxy_connect upstream connection: 8
    2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD23D0B860, unused: 48
    2018/08/10 16:29:24 [debug] 20388#0: *58 event timer del: 8: 22039892
    2018/08/10 16:29:24 [debug] 20388#0: *58 reusable connection: 0
    2018/08/10 16:29:24 [debug] 20388#0: *58 http finalize request: 0, "?" a:1, c:1
    2018/08/10 16:29:24 [debug] 20388#0: *58 event timer del: 4: 22039887
    2018/08/10 16:29:24 [debug] 20388#0: *58 http request count:1 blk:0
    2018/08/10 16:29:24 [debug] 20388#0: *58 http close request
    2018/08/10 16:29:24 [debug] 20388#0: *58 http log handler
    2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD25006400
    2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD25801800
    2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD25004400, unused: 8
    2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD25005400, unused: 2843
    2018/08/10 16:29:24 [debug] 20388#0: *58 close http connection: 4
    2018/08/10 16:29:24 [debug] 20388#0: *58 reusable connection: 0
    2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD25004000
    2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD23F00160, unused: 136
    2018/08/10 16:29:24 [debug] 20388#0: timer delta: 1
    2018/08/10 16:29:24 [debug] 20388#0: worker cycle
    2018/08/10 16:29:24 [debug] 20388#0: kevent timer: -1, changes: 0
    
    ==> access.log <==
    127.0.0.1 -  [10/Aug/2018:16:29:24 +0800] "CONNECT www.baidu.com:443 HTTP/1.1" 000 962 "" "curl/7.61.0" ""
    
    opened by chobits 8
  • Ability to add custom CONNECT response headers

    Why you need it?

    My use case/feature request is determining the connected IP address, by way of an additional special header sent in the initial response to the CONNECT verb.

    This would make debugging and introspection of outbound requests easier, as currently it is only possible to determine the connected IP addresses via logs or tcpdump, etc.

    How it could be?

    Currently, the initial response to the CONNECT header is this hard-coded string: https://github.com/chobits/ngx_http_proxy_connect_module/blob/master/ngx_http_proxy_connect_module.c#L12

    It would be great if that could optionally be extended, maybe using openresty, to support adding arbitrary headers there, including one for the connected IP address.

    TODO 
    opened by jrgp 7
  • report bug:src/http/ngx_http_request.h:47: error:

    report bug: src/http/ngx_http_request.h:47: error: "NGX_HTTP_CONNECT" redefined [-Werror], when executing "make". In nginx 1.23.1

    src/http/ngx_http_request.h:47: error: "NGX_HTTP_CONNECT" redefined [-Werror], when executing "make". In nginx 1.23.1.

    logs:

    In file included from src/http/ngx_http.h:32,
                     from src/http/ngx_http.c:10:
    src/http/ngx_http_request.h:47: error: "NGX_HTTP_CONNECT" redefined [-Werror]
     #define NGX_HTTP_CONNECT 0x10000

    src/http/ngx_http_request.h:44: note: this is the location of the previous definition
     #define NGX_HTTP_CONNECT 0x00010000

    cc1: all warnings being treated as errors
    make[1]: *** [objs/Makefile:922: objs/src/http/ngx_http.o] Error 1
    make[1]: Leaving directory '/opt/nginx'
    make: *** [Makefile:10: build] Error 2

    opened by L2421800049 1
  • Unable to restrict the domain name of forward proxy

    0. Before Your ASK

    1. Try to find an answer by reading a FAQ.

    Ⅰ. Issue Description

    server {
    
       listen 3002;
       server_name sms.tencentcloudapi.com;
    
       # dns resolver used by forward proxying
       resolver 8.8.8.8;
    
       # forward proxy for CONNECT request
       proxy_connect;
       proxy_connect_allow 443 80;
       proxy_connect_connect_timeout 10s;
       proxy_connect_read_timeout 10s;
       proxy_connect_send_timeout 10s;
    
       # forward proxy for non-CONNECT request
       location / {
           proxy_pass $scheme://sms.tencentcloudapi.com$request_uri;
           # proxy_set_header Host sms.tencentcloudapi.com;
       }
    }
    

    Ⅱ. Describe what happened

    Ⅲ. Describe what you expected to happen

    Proxies can be restricted normally

    Ⅳ. How to reproduce it (as minimally and precisely as possible)

    V. Anything else we need to know?

    None

    VI. Environment:

    Nginx 1.19.2

    opened by xxscloud5722 2
  • windows1.18.0  HTTPS  Received HTTP code 0 from proxy after CONNECT

    It took me several days to compile windows nginx 1.18.0, but the operation reported an error. Please help me. If there is the same issue, please tell me, I can't find it. Thank you

    patch -bp1 < proxy_connect_rewrite_1018.patch

    auto/configure --with-cc=cl \
        --builddir=build \
        --prefix= \
        --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid \
        --http-log-path=logs/access.log --error-log-path=logs/error.log \
        --sbin-path=nginx.exe \
        --http-client-body-temp-path=temp/client_body_temp \
        --http-proxy-temp-path=temp/proxy_temp \
        --http-fastcgi-temp-path=temp/fastcgi_temp \
        --with-cc-opt=-DFD_SETSIZE=1024 \
        --with-pcre=src/build/lib/pcre \
        --with-zlib=src/build/lib/zlib \
        --with-openssl=src/build/lib/openssl \
        --with-select_module \
        --with-http_ssl_module \
        --with-http_sub_module \
        --add-module=src/build/lib/ngx_http_proxy_connect_module

    nginx.conf

    # main context
    worker_processes auto;

    events {
        worker_connections 1024;
    }

    http {
        #include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;

        server {
            listen 3128;

            # dns resolver used by forward proxying
            resolver                       8.8.8.8;

            # forward proxy for CONNECT request
            proxy_connect;
            proxy_connect_allow            443 563;
            proxy_connect_connect_timeout  10s;
            proxy_connect_read_timeout     10s;
            proxy_connect_send_timeout     10s;

            # forward proxy for non-CONNECT request
            location / {
                proxy_pass http://$host;
                proxy_set_header Host $host;
            }
        }
    }

    Error

    [[email protected] ~]# curl https://www.baidu.com -svo /dev/null -x 192.168.9.177:3128
    * About to connect() to proxy 192.168.9.177 port 3128 (#0)
    * Trying 192.168.9.177...
    * Connected to 192.168.9.177 (192.168.9.177) port 3128 (#0)
    * Establish HTTP proxy tunnel to www.baidu.com:443
    > CONNECT www.baidu.com:443 HTTP/1.1
    > Host: www.baidu.com:443
    > User-Agent: curl/7.29.0
    > Proxy-Connection: Keep-Alive
    * Recv failure: Connection reset by peer
    * Received HTTP code 0 from proxy after CONNECT
    * Connection #0 to host 192.168.9.177 left intact

    Please help me. Thank you!

    opened by 2777484478 2
  •  Received HTTP code 400 from proxy after CONNECT

    After applying the patch, compiling the module and loading the module into Nginx I get this error.

    I compiled and added the module this way (I applied the patch correctly)

    ./configure --with-compat --add-dynamic-module=/root/ngx_http_proxy_connect_module
    make modules
    sudo mkdir /etc/nginx/modules
    sudo cp objs/*.so /etc/nginx/modules/
    sudo cp objs/ngx_http_proxy_connect_module.so /usr/share/nginx/modules/
    sudo chmod 644 /usr/share/nginx/modules/ngx_http_proxy_connect_module.so
    sudo chmod 644 /etc/nginx/modules/*.so

    Nginx loads the module well

    Describe what happened

    [email protected]:~# curl https://github.com/ -v -x 127.0.0.1:5000
    *   Trying 127.0.0.1:5000...
    * Connected to 127.0.0.1 (127.0.0.1) port 5000 (#0)
    * allocate connect buffer!
    * Establish HTTP proxy tunnel to github.com:443
    > CONNECT github.com:443 HTTP/1.1
    > Host: github.com:443
    > User-Agent: curl/7.74.0
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 400 Bad Request
    < Date: Thu, 16 Jun 2022 19:18:37 GMT
    < Content-Type: text/html
    < Content-Length: 150
    < Connection: close
    < Server: MyServer
    <
    * Received HTTP code 400 from proxy after CONNECT
    * CONNECT phase completed!
    * Closing connection 0
    curl: (56) Received HTTP code 400 from proxy after CONNECT
    
    

    Environment:

    nginx 1.18.0 proxy_connect_rewrite_1018.patch

    server {
         listen  5000;
         listen [::]:5000;
         # dns resolver used by forward proxying
         resolver  1.1.1.1;
    
         proxy_connect;
         proxy_connect_allow            443;
         proxy_connect_connect_timeout  10s;
         proxy_connect_read_timeout     10s;
         proxy_connect_send_timeout     10s;
    
         # forward proxy for non-CONNECT request
         location / {
            proxy_pass http://$http_host$uri$is_args$args;
           proxy_set_header Host $host;
    
         }
    }
    
    opened by Hightmar 1
  • patch: **** Only garbage was found in the patch input

    patch -p1 < proxy_connect_rewrite_1018.patch
    patch: **** Only garbage was found in the patch input.

    GNU patch 2.7.1


    CentOS Linux release 7.9.2009

    nginx-1.20.1

    ./configure --add-module=ngx_http_proxy_connect_module

    adding module in ngx_http_proxy_connect_module
    ./configure: error: no ngx_http_proxy_connect_module/config was found

    opened by wangquansh 2
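
The "Unable to restrict the domain name of forward proxy" issue above expects the proxy to tunnel to one host only; one way to check that from the access log is to audit every CONNECT entry against a host and port allowlist. This is an added example, not code from the module or from the issue authors: the allowlist reuses the host and ports from that issue's config as an assumed policy, and the sample lines are constructed in the layout of the access.log line shown earlier.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed policy for this example: the host is the server_name from the issue's
# config and the ports are its proxy_connect_allow values.
ALLOWED_HOSTS = {"sms.tencentcloudapi.com"}
ALLOWED_PORTS = {443, 80}

# Access-log layout as in the access.log line on this page:
# client - user [time] "METHOD target HTTP/x.y" status bytes ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) - \S* \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) '
)
# CONNECT uses authority-form targets: host:port or [ipv6]:port.
AUTHORITY_RE = re.compile(r'(\[[0-9A-Fa-f:.]+\]|[^:\[\]/@]+):(\d{1,5})')


class Finding(NamedTuple):
    client: str
    target: str
    status: str
    reason: str


def parse_authority(target: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) for a CONNECT target, or None if it is malformed."""
    m = AUTHORITY_RE.fullmatch(target)
    if m is None:
        return None
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    # Compare hosts case-insensitively and treat "host." as "host".
    host = m.group(1).strip("[]").lower().rstrip(".")
    return (host, port) if host else None


def audit(lines: List[str]) -> List[Finding]:
    """List CONNECT entries whose destination falls outside the policy."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or m.group("method") != "CONNECT":
            continue  # only tunnel requests are audited here
        parsed = parse_authority(m.group("target"))
        if parsed is None:
            reason = "malformed target"
        elif parsed[1] not in ALLOWED_PORTS:
            reason = "port not allowed"
        elif parsed[0] not in ALLOWED_HOSTS:
            reason = "host not allowed"
        else:
            continue
        findings.append(
            Finding(m.group("client"), m.group("target"), m.group("status"), reason))
    return findings


# Constructed sample lines (not taken from a real log).
SAMPLE_LOG = [
    '192.0.2.10 -  [10/Aug/2018:16:29:24 +0800] "CONNECT sms.tencentcloudapi.com:443 HTTP/1.1" 200 962 "" "curl/7.61.0" ""',
    '192.0.2.10 -  [10/Aug/2018:16:29:25 +0800] "CONNECT SMS.tencentcloudapi.com.:443 HTTP/1.1" 200 962 "" "curl/7.61.0" ""',
    '192.0.2.11 -  [10/Aug/2018:16:29:26 +0800] "CONNECT other.example:443 HTTP/1.1" 200 5120 "" "curl/7.61.0" ""',
    '192.0.2.12 -  [10/Aug/2018:16:29:27 +0800] "CONNECT sms.tencentcloudapi.com:25 HTTP/1.1" 403 0 "" "curl/7.61.0" ""',
    '192.0.2.13 -  [10/Aug/2018:16:29:28 +0800] "GET http://other.example/ HTTP/1.1" 200 310 "" "curl/7.61.0" ""',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.client} -> {f.target} (status {f.status}): {f.reason}")
```

The port check runs before the host check, so an entry that violates both is reported under its port.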
Releases(v0.0.3)
  • v0.0.3(Aug 7, 2022)

    ChangeLog

    • Support nginx stable version to 1.22.0 by @chobits in https://github.com/chobits/ngx_http_proxy_connect_module/pull/225
    • Support nginx-1.21.1+ by @levonet in https://github.com/chobits/ngx_http_proxy_connect_module/pull/196
    • Update readme by @bxlxx in https://github.com/chobits/ngx_http_proxy_connect_module/pull/204
    • Fixed readme by @PeterDaveHello in https://github.com/chobits/ngx_http_proxy_connect_module/pull/227
    • Feature: new variable $proxy_connect_first_byte_time: get the time to receive the first byte of data from proxy server by @chobits in https://github.com/chobits/ngx_http_proxy_connect_module/pull/228

    Full Changelog: For more details, see these pull requests.

    New Contributors

    • @bxlxx made their first contribution in https://github.com/chobits/ngx_http_proxy_connect_module/pull/204
    • @PeterDaveHello made their first contribution in https://github.com/chobits/ngx_http_proxy_connect_module/pull/227

    Compatibility

  • v0.0.2(Feb 3, 2021)

    Changelog

    • Bugfix: updated the error log and debug log to make them more readable
    • Feature: new variables for debugging: $proxy_connect_resolve_time and $proxy_connect_connect_time
    • Feature: modify CONNECT response via $proxy_connect_response variable or proxy_connect_response directive

    For more details, see these pull requests.

    Compatibility

  • v0.0.1(Jun 25, 2019)

Owner
Xiaochen Wang