Closed guanzongjiang closed 3 months ago
It appears that your TCP connection may have been blocked by the intermediate network operator.
- The client (curl) reported it received a RST tcp package.
- The server (proxy_connect module on nginx) reported it received a FIN tcp package.

You can extract the tcp packages in both client and server sides to examine the data flow using a tool like tcpdump.

> My proxy machine can access Google

It seems that the problem occurs between the client and your proxy, not between your proxy and the elgoog server.
The first request from CONNECT tunnel (the CONNECT request) is not encrypted, as following:
- CONNECT request from curl
```
* Connected to xxxxxx (xxxxxx) port 8880 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.79.1
> Proxy-Connection: Keep-Alive
```
my localhost ip: ip1, proxy ip: ip2

example1: `curl https://www.bing.com/ -v -x ip2:8880` is success

tcpdump log:
```
15:25:56.653720 IP ip1.54454 > ip2.cddbp-alt: Flags [S], seq 1360722180, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1786527561 ecr 0,sackOK,eol], length 0
15:25:56.770584 IP ip2.cddbp-alt > ip1.54454: Flags [S.], seq 3370598099, ack 1360722181, win 28960, options [mss 1460,sackOK,TS val 177209024 ecr 1786527561,nop,wscale 7], length 0
15:25:56.770653 IP ip1.54454 > ip2.cddbp-alt: Flags [.], ack 1, win 2058, options [nop,nop,TS val 1786527677 ecr 177209024], length 0
15:25:56.770882 IP ip1.54454 > ip2.cddbp-alt: Flags [P.], seq 1:117, ack 1, win 2058, options [nop,nop,TS val 1786527677 ecr 177209024], length 116
15:25:56.849881 IP ip2.cddbp-alt > ip1.54454: Flags [.], ack 117, win 227, options [nop,nop,TS val 177209137 ecr 1786527677], length 0
15:25:56.849888 IP ip2.cddbp-alt > ip1.54454: Flags [P.], seq 1:60, ack 117, win 227, options [nop,nop,TS val 177209146 ecr 1786527677], length 59
15:25:56.849931 IP ip1.54454 > ip2.cddbp-alt: Flags [.], ack 60, win 2057, options [nop,nop,TS val 1786527755 ecr 177209146], length 0
15:25:56.863681 IP ip1.54454 > ip2.cddbp-alt: Flags [P.], seq 117:348, ack 60, win 2057, options [nop,nop,TS val 1786527768 ecr 177209146], length 231
15:25:56.952799 IP ip2.cddbp-alt > ip1.54454: Flags [.], seq 1508:2956, ack 348, win 235, options [nop,nop,TS val 177209236 ecr 1786527768], length 1448
```

example2: `curl https://www.google.com/ -v -x ip2:8880` is fail

tcpdump log:
```
15:24:07.440647 IP ip1.54135 > ip2.cddbp-alt: Flags [S], seq 2360919781, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1786419044 ecr 0,sackOK,eol], length 0
15:24:07.553853 IP ip2.cddbp-alt > ip1.54135: Flags [S.], seq 2605493803, ack 2360919782, win 28960, options [mss 1460,sackOK,TS val 177099811 ecr 1786419044,nop,wscale 7], length 0
15:24:07.553931 IP ip1.54135 > ip2.cddbp-alt: Flags [.], ack 1, win 2058, options [nop,nop,TS val 1786419156 ecr 177099811], length 0
15:24:07.554118 IP ip1.54135 > ip2.cddbp-alt: Flags [P.], seq 1:121, ack 1, win 2058, options [nop,nop,TS val 1786419156 ecr 177099811], length 120
15:24:07.610284 IP ip2.cddbp-alt > ip1.54135: Flags [R.], seq 1, ack 121, win 3193, length 0
15:24:07.610290 IP ip2.cddbp-alt > ip1.54135: Flags [R.], seq 1, ack 121, win 3193, length 0
15:24:07.610291 IP ip2.cddbp-alt > ip1.54135: Flags [R.], seq 1, ack 121, win 3193, length 0
15:24:07.610292 IP ip2.cddbp-alt > ip1.54135: Flags [.], ack 121, win 227, options [nop,nop,TS val 177099922 ecr 1786419156], length 0
15:24:07.610350 IP ip1.54135 > ip2.cddbp-alt: Flags [R], seq 2360919902, win 0, length 0
```

I don't understand the difference between these two. If it's a problem with the client and proxy, why did the first example succeed? And example 2 was also successful on the proxy machine.
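The two traces above differ only in what comes back from the proxy side right after the client's first data segment (the 116/120-byte plaintext CONNECT request). The following script is an added example, not code from the thread or from ngx_http_proxy_connect_module: it parses tcpdump lines in the format shown, classifies each flow by the proxy-side reply to that first segment, and records two details a defender uses to tell an on-path reset from a reset sent by nginx itself: whether the RST segments lack the TCP timestamp option every genuine segment in the flow carries, and whether a live (non-RST) segment from the proxy arrives after the resets. It also decodes the CONNECT request line to show which fields an intermediate network device can read in cleartext. The sample traces are the ones posted above; the CONNECT request bytes are rebuilt from the curl `-v` output quoted earlier (its length, 120 bytes, matches the `seq 1:121` segment in the second trace).

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two tcpdump excerpts posted above, one packet per line.
# ip1 is the curl client, ip2 the nginx proxy; "cddbp-alt" is tcpdump's service name for port 8880.
TRACE_OK = """
15:25:56.653720 IP ip1.54454 > ip2.cddbp-alt: Flags [S], seq 1360722180, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1786527561 ecr 0,sackOK,eol], length 0
15:25:56.770584 IP ip2.cddbp-alt > ip1.54454: Flags [S.], seq 3370598099, ack 1360722181, win 28960, options [mss 1460,sackOK,TS val 177209024 ecr 1786527561,nop,wscale 7], length 0
15:25:56.770653 IP ip1.54454 > ip2.cddbp-alt: Flags [.], ack 1, win 2058, options [nop,nop,TS val 1786527677 ecr 177209024], length 0
15:25:56.770882 IP ip1.54454 > ip2.cddbp-alt: Flags [P.], seq 1:117, ack 1, win 2058, options [nop,nop,TS val 1786527677 ecr 177209024], length 116
15:25:56.849881 IP ip2.cddbp-alt > ip1.54454: Flags [.], ack 117, win 227, options [nop,nop,TS val 177209137 ecr 1786527677], length 0
15:25:56.849888 IP ip2.cddbp-alt > ip1.54454: Flags [P.], seq 1:60, ack 117, win 227, options [nop,nop,TS val 177209146 ecr 1786527677], length 59
15:25:56.849931 IP ip1.54454 > ip2.cddbp-alt: Flags [.], ack 60, win 2057, options [nop,nop,TS val 1786527755 ecr 177209146], length 0
15:25:56.863681 IP ip1.54454 > ip2.cddbp-alt: Flags [P.], seq 117:348, ack 60, win 2057, options [nop,nop,TS val 1786527768 ecr 177209146], length 231
15:25:56.952799 IP ip2.cddbp-alt > ip1.54454: Flags [.], seq 1508:2956, ack 348, win 235, options [nop,nop,TS val 177209236 ecr 1786527768], length 1448
"""

TRACE_RESET = """
15:24:07.440647 IP ip1.54135 > ip2.cddbp-alt: Flags [S], seq 2360919781, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1786419044 ecr 0,sackOK,eol], length 0
15:24:07.553853 IP ip2.cddbp-alt > ip1.54135: Flags [S.], seq 2605493803, ack 2360919782, win 28960, options [mss 1460,sackOK,TS val 177099811 ecr 1786419044,nop,wscale 7], length 0
15:24:07.553931 IP ip1.54135 > ip2.cddbp-alt: Flags [.], ack 1, win 2058, options [nop,nop,TS val 1786419156 ecr 177099811], length 0
15:24:07.554118 IP ip1.54135 > ip2.cddbp-alt: Flags [P.], seq 1:121, ack 1, win 2058, options [nop,nop,TS val 1786419156 ecr 177099811], length 120
15:24:07.610284 IP ip2.cddbp-alt > ip1.54135: Flags [R.], seq 1, ack 121, win 3193, length 0
15:24:07.610290 IP ip2.cddbp-alt > ip1.54135: Flags [R.], seq 1, ack 121, win 3193, length 0
15:24:07.610291 IP ip2.cddbp-alt > ip1.54135: Flags [R.], seq 1, ack 121, win 3193, length 0
15:24:07.610292 IP ip2.cddbp-alt > ip1.54135: Flags [.], ack 121, win 227, options [nop,nop,TS val 177099922 ecr 1786419156], length 0
15:24:07.610350 IP ip1.54135 > ip2.cddbp-alt: Flags [R], seq 2360919902, win 0, length 0
"""

# The plaintext CONNECT request curl sends first, rebuilt from the -v output quoted in the thread.
CONNECT_REQUEST = (
    b"CONNECT www.google.com:443 HTTP/1.1\r\n"
    b"Host: www.google.com:443\r\n"
    b"User-Agent: curl/7.79.1\r\n"
    b"Proxy-Connection: Keep-Alive\r\n"
    b"\r\n"
)

PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq>[\d:]+),)?(?: ack (?P<ack>\d+),)? win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<length>\d+)$"
)


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    flags: str
    length: int
    has_tsopt: bool  # TCP timestamp option present on the segment


def parse_trace(text):
    packets = []
    for line in text.strip().splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable tcpdump line: %r" % line)
        packets.append(Packet(m["ts"], m["src"], m["dst"], m["flags"],
                              int(m["length"]), "TS val" in (m["opts"] or "")))
    return packets


def connect_target(request):
    """Return (host, port) that an on-path observer can read from the unencrypted request line."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)


def analyse(packets):
    """Classify one client<->proxy flow by what the proxy side sends after the CONNECT request."""
    syn = next(p for p in packets if p.flags == "S")
    client, server = syn.src, syn.dst
    # First client payload segment: the plaintext CONNECT request (116/120 bytes in the thread).
    first_data = next(i for i, p in enumerate(packets) if p.src == client and p.length > 0)
    replies = [p for p in packets[first_data + 1:] if p.src == server]
    rsts = [p for p in replies if "R" in p.flags]
    if replies and "R" in replies[0].flags:
        verdict = "reset-after-connect"
    elif any(p.length > 0 for p in replies):
        verdict = "tunnel-data-flowing"
    else:
        verdict = "inconclusive"
    # A non-RST server segment arriving after the resets means the proxy's own TCP stack still
    # held the connection open when the resets were seen: consistent with resets injected on the
    # path rather than sent by nginx, which only resets on a crash (see the maintainer's note).
    first_rst = next((i for i, p in enumerate(replies) if "R" in p.flags), None)
    live_after_rst = first_rst is not None and any("R" not in p.flags for p in replies[first_rst + 1:])
    return {
        "client": client,
        "server": server,
        "connect_request_bytes": packets[first_data].length,
        "verdict": verdict,
        "server_rsts": len(rsts),
        "rsts_lack_tsopt": bool(rsts) and all(not p.has_tsopt for p in rsts),
        "live_server_segment_after_rst": live_after_rst,
    }


if __name__ == "__main__":
    print("CONNECT target visible in cleartext:", connect_target(CONNECT_REQUEST))
    for name, trace in (("bing", TRACE_OK), ("google", TRACE_RESET)):
        print(name, analyse(parse_trace(trace)))
```

Run against the two traces, the bing flow classifies as `tunnel-data-flowing`, while the google flow classifies as `reset-after-connect` with three resets that carry no timestamp option, followed by a genuine ACK from the proxy; the 120-byte first segment is exactly the rebuilt CONNECT request. The same parser can be pointed at a capture taken on the proxy side (`tcpdump -i any -nn port 8880`) to check whether nginx saw the client's FIN rather than sending any RST itself.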
I believe that addressing this issue lies beyond the technical scope of this project. It is likely that only the intermediate network operator or device can provide a solution.
~Additionally, if your proxy_connect server crashes, the Linux kernel will send a RST (reset) packet to your client.~
I also have this problem, and only with HTTPS Google, because I tried GitHub and others and all is right.
I tried `curl google.com -vx xxx:55580`, all is right.
Then I tried `curl https://google.com -vx xxx:55580`, and get an error:
```
* processing: https://google.com
* Trying xxx.xxx.xxx.xxx:55580...
* Connected to xxx.link (xxx.xxx.xxx.xxx) port 55580
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/8.2.1
> Proxy-Connection: Keep-Alive
>
* Recv failure: 连接被对方重设
* Closing connection
curl: (56) Recv failure: 连接被对方重设
```
This is my nginx config file:
```
...
server {
    listen 55580;
    resolver 8.8.8.8;
    proxy_connect;
    proxy_connect_allow 443 80;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
```
This is my nginx version:
```
nginx version: nginx/1.24.0
built by clang 14.0.5 (https://github.com/llvm/llvm-project.git llvmorg-14.0.5-0-gc12386ae247c)
built with OpenSSL 1.1.1t-freebsd 7 Feb 2023
TLS SNI support enabled
configure arguments: --prefix=/usr/home/nginx --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-threads --add-module=ngx_http_proxy_connect_module
```
only two cases may produce RST error
As many people report the similar problem, I think I need to look into it again. Please help me debug this problem, but I guess the main reason is that the package is blocked by the intermediate network operator, like a man-in-the-middle attack.

I need some more information from your case:
- nginx error log, e.g. `2023/07/31 22:13:02 [alert] 3810#0: worker process 3811 exited on signal 11` or other alert level logs
- `$ dmesg | grep segfault` for linux
- actually `$ sudo tcpdump -i any -nn port 55580` on the server side

If the main reason of this issue was caused by the intermediate network operator or other middle man, let me guess why it could be:

Although the proxied data flow over the CONNECT tunnel could be encrypted, usually https, the process of establishing the CONNECT tunnel is not encrypted (it can be encrypted if you need, see https CONNECT tunnel).

For `curl -x ip:port https://xxxx.com`, the process of establishing the CONNECT tunnel is just to send an unencrypted CONNECT request, in plain text, just like the debug info from the `-v` option of the curl command. The middle man can then obtain two pieces of information from your request, and can do some blocking based on some strategies:
- the target (https://xxxx.com) you want to proxy

For `curl -x ip:port http://xxx.com`, this command just sends an http GET request, not establishing the CONNECT tunnel.

The server which runs nginx is a public server, I can't use `sudo`, so I can't track the tcp packages flow on the server.
There is nothing in `nginx/logs/error.log`, it's blank. And `nginx/logs/access.log` is here:
```
15x.1xx.1xx.x31 - - [11/Aug/2023:08:11:00 +0200] "CONNECT google.com:443 HTTP/1.1" 499 0 "-" "curl/8.2.1"
15x.1xx.1xx.x31 - - [11/Aug/2023:08:11:42 +0200] "CONNECT twitter.com:443 HTTP/1.1" 200 3793 "-" "curl/8.2.1"
```
I don't change anything about `error_log` in nginx.conf. This is the case in nginx.conf:
```
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
```
From this log:
```
15x.1xx.1xx.x31 - - [11/Aug/2023:08:11:00 +0200] "CONNECT google.com:443 HTTP/1.1" 499 0 "-" "curl/8.2.1"
```
the nginx server received a FIN package from the client side before the nginx server would send the 200 status code. (The 499 nginx status code means the client actively closes the connection.)
So I'm more sure that the connection of the CONNECT request had been attacked by some middle man (maybe network operator, FW, server hosting provider, etc.), which sent a RST package to the client side and a FIN package to the server side.
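The access log is the one piece of evidence available on a host without root, so it is worth reading systematically. The script below is an added example, not code from the thread or from the module: it parses nginx's default combined log format, groups CONNECT requests by target, and lists the targets whose every attempt ended with status 499 and 0 bytes sent (the client went away before nginx answered the CONNECT). The first two lines are the ones posted above; the other two are constructed to make the grouping visible. A 499 alone cannot distinguish an on-path reset from a client that simply timed out, so the list is a starting point to correlate with a client-side capture, not a verdict.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the two access.log lines posted above, plus a second Google target
# and an ordinary GET (both constructed) so that per-target grouping has something to show.
SAMPLE_ACCESS_LOG = """
15x.1xx.1xx.x31 - - [11/Aug/2023:08:11:00 +0200] "CONNECT google.com:443 HTTP/1.1" 499 0 "-" "curl/8.2.1"
15x.1xx.1xx.x31 - - [11/Aug/2023:08:11:42 +0200] "CONNECT twitter.com:443 HTTP/1.1" 200 3793 "-" "curl/8.2.1"
15x.1xx.1xx.x31 - - [11/Aug/2023:08:12:05 +0200] "CONNECT www.google.com:443 HTTP/1.1" 499 0 "-" "curl/8.2.1"
15x.1xx.1xx.x31 - - [11/Aug/2023:08:12:30 +0200] "GET http://example.com/ HTTP/1.1" 200 1256 "-" "curl/8.2.1"
"""

# nginx "combined" log format: remote - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts with method and target split out of the request."""
    entries = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable access.log line: %r" % line)
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["bytes"] = int(e["bytes"])
        method, _, rest = e["request"].partition(" ")
        e["method"] = method
        e["target"] = rest.split(" ")[0]  # host:port for CONNECT, URL for other methods
        entries.append(e)
    return entries


def connect_outcomes(entries):
    """Per CONNECT target, a Counter of the status codes nginx logged."""
    outcomes = defaultdict(Counter)
    for e in entries:
        if e["method"] == "CONNECT":
            outcomes[e["target"]][e["status"]] += 1
    return dict(outcomes)


def client_aborted_targets(entries):
    """CONNECT targets whose every attempt ended 499 with 0 bytes sent.

    This is how an upstream-independent failure looks from nginx's seat: the client closed
    (FIN) before the 200 to the CONNECT went out, and nothing was ever relayed.
    """
    by_target = defaultdict(list)
    for e in entries:
        if e["method"] == "CONNECT":
            by_target[e["target"]].append(e)
    return sorted(
        target for target, attempts in by_target.items()
        if all(a["status"] == 499 and a["bytes"] == 0 for a in attempts)
    )


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    for target, counts in sorted(connect_outcomes(entries).items()):
        print(target, dict(counts))
    print("only ever 499/0:", client_aborted_targets(entries))
```

On the sample data the twitter.com tunnel shows a 200 with 3793 bytes relayed, while both Google targets show only 499/0, which is the host-specific pattern the discussion above attributes to an intermediate device rather than to the proxy; on a real log, a mix of 499 and 200 for the same target would instead point at transient client-side problems.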
I am having a strange issue; maybe @chobits can help me out.
This is my config:
```
server {
    listen 3128;
    # dns resolver used by forward proxying
    resolver 8.8.8.8 ipv6=off;
    # forward proxy for CONNECT requests
    proxy_connect;
    proxy_connect_allow 443 563;
    proxy_connect_connect_timeout 10s;
    # defined by yourself for non-CONNECT requests
    # Example: reverse proxy for non-CONNECT requests
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
```
And I get the following response:
```
curl -x http://localhost:3128 -k https://google.com
<!DOCTYPE html>
<html lang=en>
<meta charset=utf-8>
<meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 403 (Forbidden)!!1</title>
<style>
*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
</style>
<a href=//www.google.com/><span id=logo aria-label=Google></span></a>
<p><b>403.</b> <ins>That’s an error.</ins>
<p>Your client does not have permission to get URL <code>/</code> from this server. <ins>That’s all we know.</ins>
```
hi @iamkhalidbashir
It seems that it worked, from the curl result: that means the CONNECT tunnel was established and got a 403 response from the proxied server. If you ask me why it is 403 while not 200 status code, I could not help you, it depends on your network environment. You can directly check google.com via `curl https://google.com`, the result should be 403, the same as the `curl->proxy_connect->backend` situation if your proxy_connect is on your local machine.
Actually the issue is still with the module, because a simple curl request on the same system returns 200 but proxied through the module returns 403.
This just happens for Google; don't know what Google is doing to detect if the request is proxied.
It's a Hetzner cloud server which has IPv4 and IPv6. Could that be a problem?
If you use the command curl, it will use the IP address from /etc/resolv.conf as DNS server, while the proxy_connect module uses your configured directive `resolver 8.8.8.8` as DNS server.
You can configure the proxy_connect module directive `resolver <IP>` to the IP address from /etc/resolv.conf.
I just tried 127.0.0.11 from /etc/resolv.conf, using it instead of `8.8.8.8 ipv6=off;`. Still gives the same error.
proxied (upstream ip) is now the same as the curl (direct) google server ip.
Still getting 403 for google through the proxy but not with curl on the same system.
Been struggling to solve this for 2 days now ;(
add the -sv option to your curl command, and show the two results from `curl -sv https://google.com` and `curl -sv -x http://localhost:3128 -k https://google.com`
I have the same problem, got error log:
```
proxy_connect: client prematurely closed connection (104: Connection reset by peer), client: xxx.xxx.xxx.xx, server: , request: "CONNECT www.google.com:443 HTTP/1.1", host: "www.google.com:443"
"CONNECT www.google.com:443 HTTP/1.1" 499 0 "-" "curl/8.2.1"
```
but when I run curl on another server (IP in USA and IP in Japan), I successfully get the html.
If there is something like a middle man attack, this module might not address the problem. 😢
For the other users, I have been investigating the problem following this thread, but I haven't been able to find a solution yet if the reason is a middle man attack.
If you are in China, proxying to Google is disabled; this is Aliyun's reply.
If someone believes the issue is not related to a network problem and has discovered some meaningful issues (such as potential software anomalies), please feel free to file a new issue and include your thoughts, particularly the steps to reproduce. I have closed and locked this one because it's too heated.
hi, I have discovered a problem.
nginx err:
```
"CONNECT www.google.com:443 HTTP/1.1" 499 0 "-" "curl/7.79.1"
```
`curl https://www.bing.com/ -v -x xxxxxx:8880` is success
My proxy machine can access Google
nginx conf: