Closed friskfly closed 6 years ago
hi, this module is used to handle CONNECT-request tunnel, this request is plain request (not over ssl). Seems that there is no client (webbrowsers / curl ) sending CONNECT request over SSL layer.
So if u want to use this module, config it in non-ssl server.
For more details of CONNECT tunnel, see: https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling
Chrome and Firefox has https proxy support. other web client can use nghttpx to translate http to h2 , I'm now use nghttpx as frontend server, and nginx with this module in backend . this is a workaround way. If the moudle can directly support CONNECT request over ssl , i can just use nginx 😀. see this blog https://wzyboy.im/post/1052.html
Thanks for sharing this idea, let me look deep into it this weekend:)
hi @friskfly , I have made connect tunnel over ssl work. I'm currenty using chrome-https-proxy-setting with ngx_http_proxy_connect_module to write this comment :)
data stream diagram:
1. create tunnel:
[SSL] + [CONNECT request] --> nginx --TCP connection --> backend
2. proxy data stream via tunnel
[SSL] + [proxied data stream ( maybe http reqeust /https request)] --> nginx -- [proxied data stream ( maybe http reqeust /https request)] --> backend
config Nginx server to handle CONNECT tunnel over ssl in port 8443
server {
listen 8443 ssl;
server_name localhost;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /Users/xiaochen/work/nginx/cert.pem;
ssl_certificate_key /Users/xiaochen/work/nginx/cert.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
resolver 8.8.8.8;
### connect tunnel
proxy_connect;
proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
location / {
proxy_set_header Host $host;
proxy_pass http://$host;
}
}
Note that I use chrome extension SwitchyOmega to control proxy setting. Select HTTPS
in protocol
option.
The main problem, I try to resolve, is chrome reporting error: ERR_PROXY_CERTIFICATE_INVALID. If you have the same problem, I can show how to fix.
Note that I'm using macOS Sierra(version 10.12.6) and Goolge Chrome (Version 62.0.3202.94 (Official Build) (64-bit)).
$ cat genkey.sh
#!/bin/bash
openssl req \
-newkey rsa:2048 \
-x509 \
-nodes \
-keyout cert.key \
-new \
-out cert.pem \
-subj /CN=localhost \
-reqexts SAN \
-extensions SAN \
-config <(cat /System/Library/OpenSSL/openssl.cnf \
<(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
-sha256 \
-days 3650
$ ./genkey.sh
$ ls
cert.key cert.pem
cert.pem
as a trusted root certificate on macOS:1 Open Keychain Access
2 Choose "System" in the "Keychains" list
3 Choose "Certificates" in the "Category" list
4 Choose "File | Import Items..."
Browse to the file created above, "cert.pem", select it, and click "Open"
Select your newly imported certificate in the "Certificates" list.
5. Click the "i" button, or right click on your certificate, and choose "Get Info"
Expand the "Trust" option
Change "When using this certificate" to "Always Trust"
Close the dialog, and you'll be prompted for your password.
For more details, see https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate.
Here is my configure screenshot:
@chobits I tried again , with listen 443 ssl
is ok , but when I configure with listen 443 ssl http2;
,chrome shows tunnel failed . There maybe some problem work with http2 .
hi @friskfly
Yes, this is known issue in my TODO-list.
This is a long term plan, I dont have time to deal with this currently.
At least three points we should pay attention to:
I see. Thx for your reply.
I am closing this issue, the TODO issue for h2 is added, see https://github.com/chobits/ngx_http_proxy_connect_module/issues/25.
Hi, I am building a https proxy to block the ads working with PAC. The idea is all https://ads.domain/any/uri
will be forward proxy to nginx server and it always return empty_gif
or status 204. But after I configure my nginx default.conf as follow, https_proxy=my.server:8080 curl https://www.baidu.com
still return the original webpage.
server {
listen 8080 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /my/nginx/cert.pem;
ssl_certificate_key /myk/nginx/cert.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
resolver 8.8.8.8;
### connect tunnel
proxy_connect;
proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
location / {
empty_gif;
}
}
Please help me with this.
Hi, is it possible to transfer the real ip address of the user through the https proxy?
nginx info:
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module --add-dynamic-module=/home/tomoncle/ngx_http_proxy_connect_module
server {
listen 6443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
resolver 114.114.114.114;
### connect tunnel
proxy_connect;
proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
location / {
proxy_set_header Host $host;
proxy_pass http://$host;
}
}
[root@5c5b6 ~]# curl -x 127.0.0.1:6443 -v www.baidu.com
GET HTTP://www.baidu.com/ HTTP/1.1 User-Agent: curl/7.29.0 Host: www.baidu.com Accept: / Proxy-Connection: Keep-Alive
< HTTP/1.1 400 Bad Request < Server: nginx/1.16.1 < Date: Thu, 23 Dec 2021 01:46:48 GMT < Content-Type: text/html; charset=utf-8,gbk < Content-Length: 255 < Connection: close <
400 The plain HTTP request was sent to HTTPS port 400 Bad Request
The plain HTTP request was sent to HTTPS port nginx/1.16.1
CONNECT www.baidu.com:443 HTTP/1.1 Host: www.baidu.com:443 User-Agent: curl/7.29.0 Proxy-Connection: Keep-Alive
< HTTP/1.1 400 Bad Request < Server: nginx/1.16.1 < Date: Thu, 23 Dec 2021 01:46:54 GMT < Content-Type: text/html; charset=utf-8,gbk < Content-Length: 255 < Connection: close <
Connection #0 to host 127.0.0.1 left intact curl: (56) Received HTTP code 400 from proxy after CONNECT
## 问题
当我**关闭**ssl 时(配置文件第一行删除ssl参数)代理工作正常
当我**启用**ssl时(如上配置)出现以上的测试问题
我看您这边配置成功了,是可以支持 客户端 -> `HTTPS` -> 代理服务 -> `HTTP/HTTPS` -> 目标服务器 ,
但是我不知道问题出在哪里,能否给出一些意见。谢谢
I have the same problem
无法启用 ssl
- nginx : 1.16.1
- OS: centos7
- nginx info:
nginx version: nginx/1.16.1 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) built with OpenSSL 1.0.2k-fips 26 Jan 2017 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module --add-dynamic-module=/home/tomoncle/ngx_http_proxy_connect_module
正向代理配置
server { listen 6443 ssl; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; resolver 114.114.114.114; ### connect tunnel proxy_connect; proxy_connect_allow 443 563; proxy_connect_connect_timeout 10s; proxy_connect_read_timeout 10s; proxy_connect_send_timeout 10s; location / { proxy_set_header Host $host; proxy_pass http://$host; } }
测试
[root@5c5b6 ~]# curl -x 127.0.0.1:6443 -v www.baidu.com * About to connect() to proxy 127.0.0.1 port 6443 (#0) * Trying 127.0.0.1... * Connected to 127.0.0.1 (127.0.0.1) port 6443 (#0) > GET HTTP://www.baidu.com/ HTTP/1.1 > User-Agent: curl/7.29.0 > Host: www.baidu.com > Accept: */* > Proxy-Connection: Keep-Alive > < HTTP/1.1 400 Bad Request < Server: nginx/1.16.1 < Date: Thu, 23 Dec 2021 01:46:48 GMT < Content-Type: text/html; charset=utf-8,gbk < Content-Length: 255 < Connection: close < <html> <head><title>400 The plain HTTP request was sent to HTTPS port</title></head> <body> <center><h1>400 Bad Request</h1></center> <center>The plain HTTP request was sent to HTTPS port</center> <hr><center>nginx/1.16.1</center> </body> </html> * Closing connection 0 [root@5c5b6 ~]# curl -x 127.0.0.1:6443 -v https://www.baidu.com * About to connect() to proxy 127.0.0.1 port 6443 (#0) * Trying 127.0.0.1... * Connected to 127.0.0.1 (127.0.0.1) port 6443 (#0) * Establish HTTP proxy tunnel to www.baidu.com:443 > CONNECT www.baidu.com:443 HTTP/1.1 > Host: www.baidu.com:443 > User-Agent: curl/7.29.0 > Proxy-Connection: Keep-Alive > < HTTP/1.1 400 Bad Request < Server: nginx/1.16.1 < Date: Thu, 23 Dec 2021 01:46:54 GMT < Content-Type: text/html; charset=utf-8,gbk < Content-Length: 255 < Connection: close < * Received HTTP code 400 from proxy after CONNECT * Connection #0 to host 127.0.0.1 left intact curl: (56) Received HTTP code 400 from proxy after CONNECT
问题
当我关闭ssl 时(配置文件第一行删除ssl参数)代理工作正常 当我启用ssl时(如上配置)出现以上的测试问题
我看您这边配置成功了,是可以支持 客户端 ->
HTTPS
-> 代理服务 ->HTTP/HTTPS
-> 目标服务器 , 但是我不知道问题出在哪里,能否给出一些意见。谢谢
I have the same problem too. "client sent plain HTTP request to HTTPS port while reading client request headers,"
I have the same problem
无法启用 ssl
....
问题
当我关闭ssl 时(配置文件第一行删除ssl参数)代理工作正常 当我启用ssl时(如上配置)出现以上的测试问题 我看您这边配置成功了,是可以支持 客户端 ->
HTTPS
-> 代理服务 ->HTTP/HTTPS
-> 目标服务器 , 但是我不知道问题出在哪里,能否给出一些意见。谢谢I have the same problem too. "client sent plain HTTP request to HTTPS port while reading client request headers,"
hi, your configuration is right, but ur constructed curl command is not right, see my latest documentation here: https://github.com/chobits/ngx_http_proxy_connect_module#example-for-curl-connect-request-in-https
$ curl https://nginx.org/ -sv -o/dev/null -x https://<your-nginx-ip>:<your-nginx-port> --proxy-insecure
I tried in ssl server block , but not succeed