ngx_http_proxy_connect_module
nginx returns 400 bad request when receiving CONNECT request
Hi,
After installing dynamic modules, nginx can start without error. However it does process any proxy connect request. (HTTP works fine, HTTPS CONNECT does not work and 400 BAD REQUEST is returned.)
I am running nginx plus on 1.17.6 (I made the module .so with the OSS version and put it into the plus module folder). Is it not compatible with the latest nginx version? Is there a way I can troubleshoot? Thank you.
[root@localhost conf.d]# nginx -v
nginx version: nginx/1.17.6 (nginx-plus-r20)
[root@localhost conf.d]# cat ep.conf
server {
    listen 8080;
    # dns resolver used by forward proxying
    resolver 8.8.8.8;
    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow 443 563;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;
    # forward proxy for non-CONNECT request
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
[root@localhost conf.d]# tail /var/log/nginx/access.log
10.1.10.153 - - [31/Dec/2019:15:24:16 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:41 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:42 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:42 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:42 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:43 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:43 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:43 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:44 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:44 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
[root@localhost ~]# curl https://github -v --proxy 10.1.10.152:8080
* About to connect() to proxy 10.1.10.152 port 8080 (#0)
*   Trying 10.1.10.152...
* Connected to 10.1.10.152 (10.1.10.152) port 8080 (#0)
* Establish HTTP proxy tunnel to github:443
> CONNECT github:443 HTTP/1.1
> Host: github:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.17.6
< Date: Tue, 31 Dec 2019 07:24:16 GMT
< Content-Type: text/html
< Content-Length: 157
< Connection: close
<
* Received HTTP code 400 from proxy after CONNECT
* Connection #0 to host 10.1.10.152 left intact
curl: (56) Received HTTP code 400 from proxy after CONNECT
Try https://github.com; do not use https://github.
Thanks for the response! I tried https://github.com and got the same error. I will see the same error if this module is not installed at all.
I think this needs the patch to the http core module, as instructed by the installation steps.
Same error here
1.18.0 also same error
I am having the same issue, but not with a dynamic module. I've built it with the patch and the installation steps with nginx 1.14 and I still receive the same error. HTTP works, getting a 400 error for HTTPS.
Debian 11 https proxy failed too:
nginx -V
nginx version: nginx/1.18.0
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/root/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_geoip_module=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-headers-more-filter --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-auth-pam --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-cache-purge --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-dav-ext --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-ndk --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-echo --add-dynamic-module=/root/ngx_http_proxy_connect_module --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-fancyindex --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-geoip2 --add-dynamic-module=/root/nginx-1.18.0/debian/modules/nchan --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-lua --add-dynamic-module=/root/nginx-1.18.0/debian/modules/rtmp --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-uploadprogress --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-upstream-fair --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-subs-filter
* Establish HTTP proxy tunnel to google.com:80
> CONNECT google.com:80 HTTP/1.1
> Host: google.com:80
> User-Agent: curl/7.72.0
> Proxy-Connection: Keep-Alive
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< Server: nginx/1.18.0
Server: nginx/1.18.0
< Date: Sat, 05 Sep 2020 06:21:48 GMT
Date: Sat, 05 Sep 2020 06:21:48 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 157
Content-Length: 157
< Connection: close
Connection: close
<
* Received HTTP code 400 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 400 from proxy after CONNECT
curl --version
curl 7.72.0 (x86_64-pc-linux-gnu) libcurl/7.72.0 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.8.0 nghttp2/1.41.0 librtmp/2.3
Release-Date: 2020-08-19
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
Using nginx 1.16.1 works normally. I just did some tests; I think 1.16.1 is enough for me.
I just restarted my PC, and it worked
same error 400 in version 1.19.9 and works in version 1.16.1
version
nginx -V
nginx version: nginx/1.19.9
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-debug --with-http_stub_status_module --with-http_ssl_module --add-module=ngx_http_proxy_connect_module
debug log
116.236.192.106 - - [01/Apr/2021:13:03:59 +0800] "CONNECT www.baidu.com:443 HTTP/1.1" 400 157 "-" "-"
2021/04/01 13:03:59 [debug] 5971#0: accept on 0.0.0.0:7777, ready: 0
2021/04/01 13:03:59 [debug] 5971#0: posix_memalign: 00687630:256 @16
2021/04/01 13:03:59 [debug] 5971#0: *8 accept: 116.236.192.106:61686 fd:3
2021/04/01 13:03:59 [debug] 5971#0: *8 event timer add: 3: 60000:993243
2021/04/01 13:03:59 [debug] 5971#0: *8 reusable connection: 1
2021/04/01 13:03:59 [debug] 5971#0: *8 epoll add event: fd:3 op:1 ev:80002001
2021/04/01 13:03:59 [debug] 5971#0: *8 http wait request handler
2021/04/01 13:03:59 [debug] 5971#0: *8 malloc: 00687BF0:1024
2021/04/01 13:03:59 [debug] 5971#0: *8 recv: eof:0, avail:-1
2021/04/01 13:03:59 [debug] 5971#0: *8 recv: fd:3 118 of 1024
2021/04/01 13:03:59 [debug] 5971#0: *8 reusable connection: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 posix_memalign: 006A5F20:4096 @16
2021/04/01 13:03:59 [debug] 5971#0: *8 http process request line
2021/04/01 13:03:59 [info] 5971#0: *8 client sent invalid request while reading client request line, client: 116.236.192.106, server: , request: "CONNECT www.baidu.com:443 HTTP/1.1"
2021/04/01 13:03:59 [debug] 5971#0: *8 http finalize request: 400, "?" a:1, c:1
2021/04/01 13:03:59 [debug] 5971#0: *8 event timer del: 3: 993243
2021/04/01 13:03:59 [debug] 5971#0: *8 http special response: 400, "?"
2021/04/01 13:03:59 [debug] 5971#0: *8 http set discard body
2021/04/01 13:03:59 [debug] 5971#0: *8 HTTP/1.1 400 Bad Request
Server: nginx/1.19.9
Date: Thu, 01 Apr 2021 05:03:59 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
2021/04/01 13:03:59 [debug] 5971#0: *8 write new buf t:1 f:0 006A6630, pos 006A6630, size: 152 file: 0, size: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 http write filter: l:0 f:0 s:152
2021/04/01 13:03:59 [debug] 5971#0: *8 http output filter "?"
2021/04/01 13:03:59 [debug] 5971#0: *8 http copy filter: "?"
2021/04/01 13:03:59 [debug] 5971#0: *8 http postpone filter "?" 006A67B0
2021/04/01 13:03:59 [debug] 5971#0: *8 write old buf t:1 f:0 006A6630, pos 006A6630, size: 152 file: 0, size: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 write new buf t:0 f:0 00000000, pos 004F7EE4, size: 104 file: 0, size: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 write new buf t:0 f:0 00000000, pos 004F6E90, size: 53 file: 0, size: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 http write filter: l:1 f:0 s:309
2021/04/01 13:03:59 [debug] 5971#0: *8 http write filter limit 0
2021/04/01 13:03:59 [debug] 5971#0: *8 writev: 309 of 309
2021/04/01 13:03:59 [debug] 5971#0: *8 http write filter 00000000
2021/04/01 13:03:59 [debug] 5971#0: *8 http copy filter: 0 "?"
2021/04/01 13:03:59 [debug] 5971#0: *8 http finalize request: 0, "?" a:1, c:1
2021/04/01 13:03:59 [debug] 5971#0: *8 reusable connection: 1
2021/04/01 13:03:59 [debug] 5971#0: *8 event timer add: 3: 5000:938243
2021/04/01 13:03:59 [debug] 5971#0: *8 http lingering close handler
2021/04/01 13:03:59 [debug] 5971#0: *8 recv: eof:1, avail:-1
2021/04/01 13:03:59 [debug] 5971#0: *8 recv: fd:3 -1 of 4096
2021/04/01 13:03:59 [info] 5971#0: *8 recv() failed (104: Connection reset by peer) while reading client request line, client: 116.236.192.106, server: , request: "CONNECT www.baidu.com:443 HTTP/1.1"
2021/04/01 13:03:59 [debug] 5971#0: *8 lingering read: -1
2021/04/01 13:03:59 [debug] 5971#0: *8 http request count:1 blk:0
2021/04/01 13:03:59 [debug] 5971#0: *8 http close request
2021/04/01 13:03:59 [debug] 5971#0: *8 http log handler
2021/04/01 13:03:59 [debug] 5971#0: *8 free: 006A5F20, unused: 1721
2021/04/01 13:03:59 [debug] 5971#0: *8 close http connection: 3
2021/04/01 13:03:59 [debug] 5971#0: *8 event timer del: 3: 938243
2021/04/01 13:03:59 [debug] 5971#0: *8 reusable connection: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 free: 00687BF0
2021/04/01 13:03:59 [debug] 5971#0: *8 free: 00687630, unused: 8
test @hala21 nginx/1.16.1
nginx -V
nginx version: nginx/1.16.1
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
configure arguments: --add-module=../ngx_http_proxy_connect_module
it works
I had the same problems, I was using a multi-build docker container.
In the end this worked:
FROM nginx:1.16.1-alpine
ENV NGINX_VERSION 1.16.1
# Download sources
# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile
RUN apk update && apk upgrade && \
    apk add --no-cache --virtual .build-deps \
        gcc \
        libc-dev \
        make \
        openssl-dev \
        pcre-dev \
        zlib-dev \
        linux-headers \
        curl \
        gnupg \
        libxslt-dev \
        gd-dev \
        geoip-dev \
        patch \
        bash \
        git \
        openssh
RUN wget "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -O nginx.tar.gz
RUN git clone "https://github.com/chobits/ngx_http_proxy_connect_module"
RUN tar -zxC / -f nginx.tar.gz && \
    cd /nginx-$NGINX_VERSION && \
    patch -p1 < /ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_101504.patch && \
    ./configure \
        --prefix=/etc/nginx \
        --sbin-path=/usr/sbin/nginx \
        --modules-path=/usr/lib/nginx/modules \
        --conf-path=/etc/nginx/nginx.conf \
        --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/nginx/access.log \
        --pid-path=/var/run/nginx.pid \
        --lock-path=/var/run/nginx.lock \
        --http-client-body-temp-path=/var/cache/nginx/client_temp \
        --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
        --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
        --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
        --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
        --with-perl_modules_path=/usr/lib/perl5/vendor_perl \
        --user=nginx \
        --group=nginx \
        --with-compat \
        --with-file-aio \
        --with-threads \
        --with-http_addition_module \
        --with-http_auth_request_module \
        --with-http_dav_module \
        --with-http_flv_module \
        --with-http_gunzip_module \
        --with-http_gzip_static_module \
        --with-http_mp4_module \
        --with-http_random_index_module \
        --with-http_realip_module \
        --with-http_secure_link_module \
        --with-http_slice_module \
        --with-http_ssl_module \
        --with-http_stub_status_module \
        --with-http_sub_module \
        --with-http_v2_module \
        --with-mail \
        --with-mail_ssl_module \
        --with-stream \
        --with-stream_realip_module \
        --with-stream_ssl_module \
        --with-stream_ssl_preread_module \
        --add-dynamic-module=/ngx_http_proxy_connect_module && \
    make && make install
# make install places the dynamic module at /usr/lib/nginx/modules/ngx_http_proxy_connect_module.so
COPY nginx.conf /etc/nginx/nginx.conf
COPY default.conf /etc/nginx/conf.d/default.conf
COPY index.html /usr/share/nginx/html/index.html
In the multi-build docker container, the --add-dynamic-module switch was not on the final nginx install config parameters (you can see from running docker exec nginx nginx -V), and even though I was calling load_module in the nginx.conf, it still wasn't invoking it.
When I switched to a single build like the one above it worked.
UPDATE: This way also works with nginx v1.19.3, just change the patch to be proxy_connect_rewrite_1018.patch
Could anyone share an example of docker-composer.yml for using nginx with this module? And could you add these instructions to the documentation (installation part)?
Same error with NginxPlus, have you fixed it?
Hi all, the 400 bad request reply from your nginx means that this module is not installed in your nginx binary.
If you compile a standalone nginx with the right patch (to the nginx source core) and the module source, and then use this standalone nginx binary to start, it will work as expected.
If you already have an nginx binary on your server without this module installed, then even if you compiled this module as a dynamic module (.so), it will not work with the original nginx binary, because the original nginx binary without the patch cannot handle CONNECT requests (it will then reply 400 bad request). The right way is as follows:
1. patch the nginx source core with the right patch (in this module's patch/ directory)
2. recompile the nginx source core with this module (static compile --add-module or dynamic compile --add-dynamic-module is ok)
3. stop your old nginx (make sure master and workers are stopped)
4. replace the old nginx binary with the new nginx binary (if you compile this module dynamically, also copy the module .so file to the right .so directory)
5. edit the nginx configuration file with the proxy_module directive
6. start nginx with the new nginx binary.
I wanted to answer this question at first, but when I answered other similar questions, I thought I had answered this question then closed this page :(
Issue locked and closed. If you still have the similar problem, please file a new issue.
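An added example, not part of the original thread or the module's code: a triage helper for the two symptoms reported above, a running binary whose `nginx -V` flags lack the module, and the error-log line showing CONNECT refused while nginx reads the request line. The function names, result labels and sample inputs are assumptions constructed for illustration.

```python
import re
import shlex

MODULE = "ngx_http_proxy_connect_module"

# Constructed sample inputs, modelled on the output formats quoted in this thread.
NGINX_V_WITHOUT = """nginx version: nginx/1.18.0
configure arguments: --with-cc-opt='-g -O2' --with-compat --with-http_ssl_module"""
NGINX_V_WITH = """nginx version: nginx/1.19.9
configure arguments: --with-debug --add-module=ngx_http_proxy_connect_module"""
ERROR_LOG = (
    '2021/04/01 13:03:59 [info] 5971#0: *8 client sent invalid request while '
    'reading client request line, client: 192.0.2.10, server: , '
    'request: "CONNECT example.com:443 HTTP/1.1"\n'
    '2021/04/01 13:04:02 [info] 5971#0: *9 client sent invalid request while '
    'reading client request line, client: 192.0.2.10, server: , '
    'request: "GET http:// HTTP/1.1"\n'
)

REJECTED = re.compile(
    r'client sent invalid request while reading client request line,'
    r'.*request: "CONNECT (?P<target>\S+) HTTP/')

def build_modules(nginx_v_output):
    """Return [(kind, path)] for third-party modules named in `nginx -V` output."""
    m = re.search(r"^configure arguments:(.*)$", nginx_v_output, re.M)
    found = []
    for arg in shlex.split(m.group(1)) if m else []:
        flag, _, value = arg.partition("=")
        if flag == "--add-module":
            found.append(("static", value))
        elif flag == "--add-dynamic-module":
            found.append(("dynamic", value))
    return found

def rejected_connects(error_log_text):
    """Targets of CONNECT requests that nginx refused while parsing the request line."""
    hits = (REJECTED.search(line) for line in error_log_text.splitlines())
    return [h.group("target") for h in hits if h]

def diagnose(nginx_v_output, error_log_text):
    built = [k for k, p in build_modules(nginx_v_output) if p.rstrip("/").endswith(MODULE)]
    if not built:
        return "module-not-in-binary"   # a .so loaded into this binary will not help
    if rejected_connects(error_log_text):
        return "core-rejects-connect"   # core patch missing, or the old binary is still running
    return "no-request-line-rejection"
```

`nginx -V` writes to stderr, so capture it with `nginx -V 2>&1` from the binary that is actually running (inside the final container image, in the Docker case) before passing it to `diagnose`.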