chobits / ngx_http_proxy_connect_module

A forward proxy module for CONNECT request handling
BSD 2-Clause "Simplified" License

transparent proxy does not work as expected #239

Closed UsamaMehboob closed 1 year ago

UsamaMehboob commented 2 years ago

Hi, so I have nginx running with this module on a node with the IP address 172.24.27.204, and I can send my traffic from the client by explicitly giving it the proxy info. But when I tried to enable the transparent config, I got an error.

For working explicit proxy config:

    server {
        listen  3128;
        resolver 8.8.8.8 ipv6=off;
        proxy_connect;
        proxy_connect_allow            443;
        proxy_connect_connect_timeout  10s;
        proxy_connect_read_timeout     10s;
        proxy_connect_send_timeout     10s;

        # forward proxy for non-CONNECT request
        location / {
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }
    }

From my client, I can send the request curl https://www.google.com -x 172.24.27.204:3128 and I get an HTTP 200 response.

However, I want to send my packets transparently, so I applied this config:

    server {
        listen  3128;
        resolver 8.8.8.8 ipv6=off;

        proxy_connect_bind $remote_addr transparent;
        proxy_connect;
        proxy_connect_allow            443;
        proxy_connect_connect_timeout  10s;
        proxy_connect_read_timeout     10s;
        proxy_connect_send_timeout     10s;

        # forward proxy for non-CONNECT request
        location / {
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }
    }

I have also enabled this iptables rule:

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3128

My packets are reaching the nginx node, but on the client side I see this error:

  curl https://www.google.com
  curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Any help would be appreciated. I've been struggling with this all day. Thanks in advance.

UsamaMehboob commented 2 years ago

cc @chobits, can you please let me know if there is something obviously wrong in my setup? Thanks.

chobits commented 2 years ago

Hi,

If you run the command curl https://www.google.com, the curl client will speak the normal HTTPS protocol, which means the client first sends an SSL handshake to establish an SSL connection and then sends normal encrypted HTTP requests over that SSL connection. In this case, this module (proxy_connect) will not handle the HTTPS request, because it only handles CONNECT requests and then proxies the data over the CONNECT tunnel. However, curl -x sends a CONNECT request to establish a CONNECT tunnel and then sends data over the tunnel.

The error you got means that your nginx server was not speaking the SSL protocol, so the curl client reported an "unknown protocol" error. BTW, even if your nginx had been configured as an SSL server, the client might still get an SSL handshake error, because the curl client would check the SSL cert of www.google.com. If you don't have the SSL private key of Google's SSL server configured in your nginx server, the SSL traffic from the client cannot be parsed or handled (the SSL connection cannot be established in the SSL handshake phase). The SSL protocol is designed to protect the encrypted data.

chobits commented 2 years ago

BTW, if you use a CONNECT tunnel, the proxy_connect module can proxy data between your client and the Google server. But it cannot parse the encrypted data over the tunnel, because of the SSL encryption protocol.

Only CONNECT tunnel data will be handled by the proxy_connect module; other normal SSL HTTP or HTTP requests will be handled by the nginx server itself.

Enabling your web browser's HTTPS proxy setting or using the curl -x command can establish a CONNECT tunnel.

chobits commented 1 year ago

Closing it; if you still have this issue, feel free to reopen.