chobits / ngx_http_proxy_connect_module

A forward proxy module for CONNECT request handling
BSD 2-Clause "Simplified" License

How to make whitelisting based on IP of connect_host #197

Open jschroer opened 3 years ago

jschroer commented 3 years ago

Hi, I am trying to move from squid to nginx as a forward proxy. Everything is working fine, this is a great module! In squid we have a whitelist model, so by default everything is denied and only whitelisted targets are allowed. This whitelisting is based on FQDN OR IP. The FQDN part is no problem, I have configured something like this:

```nginx
server {
    listen 3128;

    # dns resolver used by forward proxying
    resolver 8.8.8.8 ipv6=off;

    # forward proxy for CONNECT request
    proxy_connect;
    proxy_request_buffering off;
    proxy_connect_allow            all;

    proxy_connect_connect_timeout  12s;
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;

    # initialize to a non existing destination (default deny)
    set $upstreamserver 127.0.0.3:65535;

    # override only for whitelisted targets
    if ($connect_host ~* "www.TEST.com") {
        set $upstreamserver $connect_addr;
    }

    proxy_connect_address $upstreamserver;
}
```

The problem is the IP part. In squid we have configured many servers to allow only traffic to specific IPs (or networks) and I find no way to do something like this here. As written in the docs, $connect_addr is not set at this point. Has someone an idea how this can be done within nginx (or the module)? Configuration, rewriting, LUA, modifying the module (I don't find the correct point, thinking of making a pre-resolve) ..., any idea?

Regards Jochen
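The decision the config above encodes (default deny via a non-existent destination, override on an allow-list hit), written out as an added example that is not part of the issue or the module. It goes a step further than the posted config: it shows the IP/CIDR branch the question asks about on the resolved address, uses an anchored pattern for the FQDN branch, and contrasts it with the unanchored pattern from the config, which also matches longer names. The allow-list entries and test hosts are constructed for the example.

```python
import ipaddress
import re

# Sentinel from the posted config: a non-existent destination that makes the
# CONNECT fail whenever nothing on the allow-list matched.
DENY_TARGET = "127.0.0.3:65535"

# Constructed allow-list (assumption, not from the issue): hostnames are matched
# by anchored, case-insensitive regexes; addresses by CIDR networks.
ALLOWED_HOST_PATTERNS = [re.compile(r"^www\.test\.com$", re.IGNORECASE)]
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_host_allowed(connect_host: str) -> bool:
    """FQDN branch: the whole name must match an allow-list pattern."""
    return any(p.fullmatch(connect_host) for p in ALLOWED_HOST_PATTERNS)


def is_addr_allowed(connect_addr: str) -> bool:
    """IP branch: the resolved 'host:port' (the shape of $connect_addr)
    must lie inside an allowed network; anything unparsable is denied."""
    host, _, _port = connect_addr.rpartition(":")
    host = host.strip("[]")  # tolerate bracketed IPv6 literals
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def choose_upstream(connect_host: str, connect_addr: str) -> str:
    """Mirror of the config: start from DENY_TARGET, switch to the resolved
    address only when the FQDN or the IP branch allows it."""
    if is_host_allowed(connect_host) or is_addr_allowed(connect_addr):
        return connect_addr
    return DENY_TARGET


def posted_pattern_matches(connect_host: str) -> bool:
    """The config's own test, `~* "www.TEST.com"`: unanchored and with
    unescaped dots, so it is a substring search rather than an exact match."""
    return re.search(r"www.TEST.com", connect_host, re.IGNORECASE) is not None
```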

jschroer commented 3 years ago

Hi, before the discussion goes in the wrong direction: I know that whitelisting will be easier by using server_name for it; the construct above was more flexible for me because I have a bigger tool by regex, and that was not the point. I am searching for a solution for whitelisting depending on the IP of the target in the CONNECT line.