proxychains only works with HTTPS protocol and displays "denied" with HTTP protocol when combined with squid proxy

[baptx]

Tested with proxychains-ng 4.13 and squid 4.1 packages from Ubuntu 18.10. Also reproduced with the latest proxychains-ng 4.13 release and Git version of this GitHub repository.

Proxychains fails when doing an HTTP request to a domain like example.com:

bapt@dell:~$ proxychains curl http://example.com
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] Strict chain  ...  127.0.0.1:3128  ...  93.184.216.34:80 <--denied
[proxychains] Strict chain  ...  127.0.0.1:3128  ...  2606:2800:220:1:248:1893:25c8:1946:80 <--denied
curl: (7) Couldn't connect to server
bapt@dell:~$ 

However it works when doing an HTTPS request to the same domain:

bapt@dell:~$ proxychains curl https://example.com
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] Strict chain  ...  127.0.0.1:3128  ...  93.184.216.34:443  ...  OK
<!doctype html>
<html>
...
</html>
bapt@dell:~$ 

I can confirm that the problem comes from proxychains because the squid proxy works correctly without proxychains if I set the http_proxy and https_proxy shell variables:

bapt@dell:~$ export http_proxy=http://localhost:3128
bapt@dell:~$ export https_proxy=http://localhost:3128
bapt@dell:~$ curl http://example.com
<!doctype html>
<html>
...
</html>
bapt@dell:~$ curl https://example.com
<!doctype html>
<html>
...
</html>
bapt@dell:~$ 

I reproduced the problem when using Firefox with proxychains also. It worked correctly on Firefox when I did not use proxychains and directly configured Firefox preferences to use the proxy. When using proxychains with another HTTP proxy like Privoxy instead of squid, everything worked correctly for HTTP and HTTPS requests. So it looks like proxychains has an issue when using squid proxy.

By the way, I recently reported another issue on the original proxychains repository but I did not get a reply yet: https://github.com/haad/proxychains/issues/80

[rofl0r]

please provide a pcap for the case that fails (using wireshark or tcpdump).

... original proxychains repository ...

that repo is not original at all, it's an unmaintained copy of this repo from about 4 years ago

[baptx]

@rofl0r I prefer to avoid sharing my IP address publicly but I checked Wireshark when doing the curl request and there are only DNS requests made, nothing else so it looks like no data is sent compared to the HTTPS request where I can see several TCP requests. Can't you reproduce the problem by using squid proxy? (it fails with default configuration)

[rofl0r]

according to your previous log, your proxy runs on localhost.

[proxychains] Strict chain  ...  127.0.0.1:3128

so you already shared your IP address publicly, and it's the same everybody else uses. for the record, i'd assume you'd sniff on the lo interface. so you say, that there's zero tcp traffic between proxychains and the proxy? that sounds real odd.

[baptx]

@rofl0r I was sniffing on eth1 and now when I try on lo interface, I can see TCP requests and an HTTP 403 forbidden response from my local squid proxy server. I reproduced the problem without needing an Internet connection on my local Apache web server, you will find the zipped pcapng file from Wireshark attached.

Here is the command I used for the test:

bapt@dell:~$ proxychains curl http://localhost
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] Strict chain  ...  127.0.0.1:3128  ...  127.0.0.1:80 <--denied
curl: (7) Couldn't connect to server
bapt@dell:~$ 

curl_proxychains_squid_denied_unencrypted_http.zip

I did these tests also with my local web server:

• without proxychains, the HTTP request works
• with proxychains doing an HTTPS, it works (by allowing self-signed certificates with curl -k)
• by exporting the shell variables http_proxy and https_proxy to use the squid proxy without proxychains, it works for HTTP and HTTPS requests

[rofl0r]

thanks. looks like your squid is configured to not allow CONNECT requests to standard HTTP ports...

[baptx]

@rofl0r Thanks for your help, I used the default configuration of squid. In fact I have to use the squid proxy server of a company where I don't have control over the configuration and I reproduced the problem on my local squid proxy. So CONNECT requests are only used by proxychains and not when using http_proxy / https_proxy shell variables or configuring Firefox preferences to use a proxy server? Is there a way to make proxychains work when we don't have control over the squid configuration?

[rofl0r]

theoretically one could add an option that makes it so that when the connect target is port 80, and the last proxy in the chain is a http proxy, the final connection is established via http-proxy-fu, instead of CONNECT. so you see, a lot of special cases.

i personally would try to lobby the guys from squid to remove this artificial restriction of a generic mechanism (CONNECT) just like i did with tinyproxy: https://github.com/tinyproxy/tinyproxy/pull/117

[baptx]

I managed to fix the problem on my local squid proxy by commenting http_access deny CONNECT !SSL_ports in /etc/squid/squid.conf like explained by other people who had the problem: https://stackoverflow.com/questions/10895711/squid-proxy-howto-allow-tcp-connect-getting-tcp-denial-400-with-err-invalid We could indeed tell the squid developers to disable this default configuration, do you want to tell them? Otherwise I could do it later but you may have better arguments if they ask questions. By the way, I am not sure if I understood your first sentence correctly, does it mean that we could make a change in proxychains so it will work with the default squid configuration? This would be useful if squid developers don't want to make a change and even if they agree for a fix, it would take a while until all proxy servers in the world use the updated version.

[rofl0r]

Otherwise I could do it later

please go ahead

does it mean that we could make a change in proxychains so it will work with the default squid configuration

what i meant to say is that it's possible to implement it, so if someone would provide a cleanly done PR for a new config item http_endpoint_ports or something alone that line, i would consider merging it.

[baptx]

Should I also copy the other issue I reported on the old repository https://github.com/haad/proxychains/issues/80 to this one?

[rofl0r]

can't hurt

[baptx]

I noticed there is already an issue for this: https://github.com/rofl0r/proxychains-ng/issues/25 Maybe you can reopen the issue so it will be more visible as a feature request if someone wants to contribute?

[rofl0r]

that's a non-issue and i'm not interested in "fixing" it, because the fix is already here: https://github.com/rofl0r/proxychains-ng/issues/246#issuecomment-401019706

i guess this can be closed now, right ?

[baptx]

You can leave my issue open so people interested can see it with the open filter and make a pull request.

[gellanyhassan0]

i have same issue

proxychains curl https://example.com ProxyChains-3.1 (http://proxychains.sf.net) |DNS-request| example.com |D-chain|-<>-185.2.100.85:42292-<--timeout |D-chain|-<>-174.64.199.82:4145-<><>-4.2.2.2:53-<--timeout |D-chain|-<>-174.64.199.82:4145-<><>-4.2.2.2:53-<--timeout |D-chain|-<>-174.64.199.82:4145-<><>-4.2.2.2:53-<--timeout |DNS-response|: example.com does not exist curl: (6) Could not resolve host: example.com

[rofl0r]

ProxyChains-3.1 (http://proxychains.sf.net/)

proxychains 3.1 isn't supported. use proxychains-ng instead.