search

chobits / ngx_http_proxy_connect_module

A forward proxy module for CONNECT request handling
BSD 2-Clause "Simplified" License
1.85k stars 498 forks source link

Proxy HTTPS CONNECT #287

Closed UzverNumber47 closed 18 hours ago

UzverNumber47 commented 1 year ago

If I understand correctly, right now if you configure server like this:

    listen       8443 ssl;
    server_name  localhost;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_certificate     certificate.crt;
    ssl_certificate_key private.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    resolver 8.8.8.8;

    ### connect tunnel
    proxy_connect;
    proxy_connect_allow            443 563;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;

    location / {
        proxy_set_header Host $host;
        proxy_pass https://$host;
    }

Nginx will still make an httpP CONNECT request to the target server. But if the target server like firestore.googleapis.com:443 expects an httpS CONNECT request it will result in client sent plain HTTP request to HTTPS port while reading client request headers.

The documentation says that everything should be fine if I use --proxy-insecure for curl. And it really helps and the connection establishes.

But I don't have this --proxy-insecure option in my Android app. All I can configure there ishttps.proxyHost and https.proxyPort.

I am not good at this stuff. So please correct me if I am mistaken

ljluestc commented 1 year ago

server { listen 8443 ssl; server_name localhost;

ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate     certificate.crt;
ssl_certificate_key private.key;
ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 10m;

resolver 8.8.8.8;

location / {
    proxy_set_header Host $host;
    proxy_pass https://$host;
    proxy_ssl_server_name on;  # This line is crucial for HTTPS CONNECT
    proxy_ssl_verify off;      # Disable SSL verification for upstream server
    proxy_ssl_name $host;      # Set the Server Name Indication (SNI) to the host
}

location /proxy-tunnel {  # Add a location for handling CONNECT requests
    proxy_pass https://$http_host$request_uri;
    proxy_set_header Host $host;
    proxy_ssl_server_name on;  # This line is crucial for HTTPS CONNECT
    proxy_ssl_verify off;      # Disable SSL verification for upstream server
}

}

chobits commented 11 months ago

But I don't have this --proxy-insecure option in my Android app. All I can configure there ishttps.proxyHost and https.proxyPort.

I knew your problem, but I'm also not familar with android ecosystem, thus I could only recommend you recompile curl program in your android env.