Closed sfhyper closed 1 year ago
The log suggests that some client sent an SSL request to this server, but your server does not support the SSL protocol.
If you want your server to support connect tunneling over SSL, please refer to https://github.com/chobits/ngx_http_proxy_connect_module#configuration-example-for-connect-request-in-https.
Make sure you know how the data flow works over SSL, as it can be more complex than non-SSL connect tunneling.
Thank you very much for your answer. I am directed to nginx through dns and I want to transparently transfer a series of domains and subdomains that I defined and port 443 is https, but unfortunately it gives such an error if it works properly in stream mode. But for some reason, I need to use your project and be able to reject https traffic transparently. I would be grateful if you could help me. This stream mode works properly:

```nginx
stream {
    resolver 8.8.8.8 8.8.4.4;
    server {
        listen 443;
        ssl_preread on;
        proxy_timeout 30s;
        proxy_connect_timeout 1s;
        proxy_ssl_server_name on;
        proxy_pass $ssl_preread_server_name:$server_port;
    }
}
```
And this is the config that gives this error:

```nginx
load_module /usr/lib/nginx/modules/ngx_http_proxy_connect_module.so;
worker_processes auto;
events {}
http {
    server {
        listen 443;
        # dns resolver used by forward proxying
        resolver 8.8.8.8;
        # forward proxy for CONNECT requests
        proxy_connect;
        proxy_connect_connect_timeout 10s;
        proxy_connect_data_timeout 10s;
        # defined by yourself for non-CONNECT requests
        # Example: reverse proxy for non-CONNECT requests
        location / {
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }
    }
}
```
> I need to use your project and be able to reject https traffic transparently

I don't understand your meaning. This module cannot support transparent traffic proxying; it needs your client to request a server with the proxy_connect module enabled to create a CONNECT tunnel explicitly, while a transparent traffic proxy server is insensitive to the client. You need to configure your client to enable the CONNECT tunnel. Here is an example of how we set the Chrome web browser to enable the CONNECT tunnel: https://github.com/chobits/ngx_http_proxy_connect_module/issues/22#issuecomment-346941271
Thank you very much for your explanation. I thought that the module can support transparent proxy. Unfortunately, if I create an ssl certificate, my users get the message not secure, so I have to add the certificate one by one.
Hello, I am using version 1.16.1, my configuration is as follows, and I sent a series of specific domains to the load balancer through DNS, but all of them give this error. Thank you for your help.
[29/Jul/2023:01:41:48 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x13\xECy$\xD2\x13\xD3\xA1x8\xAC\xB0:;\xE7\xA9\x98;\x10\xAC>\x19\xC0>l\x9B\xA7\xB4\x05\xEAk\xD7 \xED[\xB8\xDF{\xF5X\xB2m\xF0\x18\x14\xAD\x8BR\xEFH\x80ST\xEFD\xD4\x00c)\xF4\x85W\xB0h\x00 \xAA\xAA\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x01\x00\x01\x93\xAA\xAA\x00\x00\x00\x0B\x00\x02\x01\x00\x003\x00+\x00)::\x00\x01\x00\x00\x1D\x00 \xE6r\x0E\xEBA-\xE6\xE2^sm\xF0:\x91\x87.}\x1E\xE7\xCC\x80%\xE24{e\xA3\x14\xFFh)\x00-\x00\x02\x01\x01\x00\x10\x00\x0E\x00\x0C\x02h2\x08http/1.1\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00\x17\x00\x00\x00" 400 157 "-" "-"
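
The request field in the log line above starts with `\x16\x03\x01`, a TLS handshake record sent to a listener that expects plaintext HTTP, which is why nginx answers 400. The Python script below is an added example, not code from this thread or from the module: it undoes nginx's `\xHH` log escaping and separates raw TLS ClientHellos from explicit `CONNECT` requests. The sample lines, client addresses and function names are constructed for illustration.

```python
import re

# Constructed sample access-log lines. The first request field is the first
# 11 bytes of the escaped request logged in this thread; the client
# addresses and the other two lines are made up.
SAMPLE_LOG = [
    r'192.0.2.10 - - [29/Jul/2023:01:41:48 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03" 400 157 "-" "-"',
    r'192.0.2.11 - - [29/Jul/2023:01:42:02 +0000] "CONNECT example.com:443 HTTP/1.1" 200 0 "-" "-"',
    r'192.0.2.12 - - [29/Jul/2023:01:42:05 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"',
]

REQUEST_RE = re.compile(r'\] "(.*?)" (\d{3}) ')   # request field and status
ESCAPE_RE = re.compile(rb'\\x([0-9A-Fa-f]{2})')   # nginx writes raw bytes as \xHH

def unescape(field: str) -> bytes:
    # Undo nginx's default log escaping: '"', '\' and bytes outside 32..126
    # are logged as \xHH, everything else is logged literally.
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]),
                         field.encode("latin-1"))

def classify(raw: bytes) -> dict:
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # minor version, 2-byte length; the next byte 0x01 means ClientHello.
    if len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03 and raw[5] == 0x01:
        info = {"kind": "tls_client_hello",
                "record_len": int.from_bytes(raw[3:5], "big")}
        if len(raw) >= 11:                      # ClientHello legacy_version
            info["hello_version"] = raw[9:11].hex()
        return info
    parts = raw.split()
    if len(parts) >= 2 and parts[0] == b"CONNECT":
        return {"kind": "http_connect", "target": parts[1].decode("latin-1")}
    return {"kind": "other_http"}

def scan(lines):
    # Return (status, classification) for every line with a request field.
    results = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            results.append((int(m.group(2)), classify(unescape(m.group(1)))))
    return results

if __name__ == "__main__":
    for status, info in scan(SAMPLE_LOG):
        print(status, info)
```

A `tls_client_hello` entry with status 400 on an `http` listener means the client was never configured to use the proxy and connected as if the server were the origin; a working client shows up as `http_connect`.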