chobits / ngx_http_proxy_connect_module

A forward proxy module for CONNECT request handling
BSD 2-Clause "Simplified" License

How to forward proxy twice #322

Open ldy opened 1 month ago

ldy commented 1 month ago

The network topology is like this: Client Machine C --> Nginx Machine B (proxy_connect module installed) --> Nginx Machine A (proxy_connect module installed) --> target website

Machine A can access the external network, Machine B can access Machine A, and Machine C can access Machine B. How should I configure this so that Machine C can access HTTPS websites? With the configuration below, Machine C can access HTTP websites but cannot access HTTPS websites.

# Machine A configuration. With this in place, Machine B can access http/https websites.
server {
    listen  8080;

    # dns resolver used by forward proxying
    resolver  114.114.114.114;

    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow            443 80;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;

    # forward proxy for non-CONNECT request
    location / {
        proxy_pass $scheme://$host;
        proxy_set_header Host $host;
    }
}
# Machine B configuration. With this in place, Machine C can access http websites only.
server {
    listen                           8081;
    #server_name                     localhost;
    #resolver                        Machine A ipv6=off;
    #proxy_connect;
    #proxy_connect_allow            443 80;
    #proxy_connect_connect_timeout  10s;
    #proxy_connect_read_timeout     10s;
    #proxy_connect_send_timeout     10s;
    location / {
        proxy_pass $scheme://Machine A:8081;
        proxy_set_header Host $host;
        proxy_set_header Referer $http_referer;    
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

I have tried several configurations on Machine B and still cannot get Machine C to access HTTPS websites. Can you tell me where I went wrong?

chobits commented 3 days ago

It might not be possible to cascade two proxy_connect agents.

The first proxy_connect agent extracts the raw data from the CONNECT tunnel, then forwards that flow to the 2nd proxy_connect agent. The 2nd proxy_connect agent also tries to extract raw data from a tunnel, but there is no tunnel (no CONNECT request), only raw data, so it fails.

So a possible way is to change one of the proxy_connect agents into a pure TCP proxy agent.
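The layout chobits describes (one CONNECT-aware hop, the other a pure TCP relay), written out as an added example; this is not configuration from the issue author, the maintainer, or the project's own documentation. It makes Machine B the TCP relay using nginx's stream module (assumed to be compiled in on B), so that Machine C's CONNECT request reaches Machine A intact and A is the only hop that builds the tunnel. The addresses 10.0.0.1 (Machine A) and 10.0.0.2 (Machine B) are placeholders, and the allow/deny lines on A assume the standard access-phase ACL runs before the CONNECT handler in this build.

```nginx
# ---- Machine B: pure TCP relay, no proxy_connect here ----
# The stream {} block lives at the top level of nginx.conf, outside http {}.
# Bytes from Machine C (including the CONNECT request line) are copied to
# Machine A unchanged, so A sees a real CONNECT request, not leftover raw data.
stream {
    server {
        listen 8081;

        proxy_connect_timeout 10s;   # time to reach Machine A
        proxy_timeout         10m;   # idle limit for an established tunnel

        # Assumed address of Machine A (placeholder).
        proxy_pass 10.0.0.1:8080;
    }
}

# ---- Machine A: the only CONNECT-aware hop ----
http {
    server {
        listen 8080;

        # dns resolver used by forward proxying
        resolver 114.114.114.114;

        # A now only ever sees Machine B as its client, so restrict to it
        # (assumed address, placeholder). Without this, anyone who can reach
        # port 8080 on A gets an open forward proxy.
        allow 10.0.0.2;
        deny  all;

        # forward proxy for CONNECT requests (HTTPS from Machine C)
        proxy_connect;
        proxy_connect_allow            443 80;
        proxy_connect_connect_timeout  10s;
        proxy_connect_read_timeout     10s;
        proxy_connect_send_timeout     10s;

        # forward proxy for plain HTTP requests, which B also relays as raw TCP
        location / {
            proxy_pass $scheme://$host;
            proxy_set_header Host $host;
        }
    }
}
```

Machine C then points its proxy setting at B:8081 for both http and https. Because B no longer speaks HTTP, the X-Real-IP / X-Forwarded-For headers from the original Machine B config disappear: A only learns B's address, so any per-client logging or access control has to live on B (at the stream level) or be carried some other way.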