Proxy HTTPS CONNECT
If I understand correctly, right now if you configure the server like this:

    server {
        listen 8443 ssl;
        server_name localhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate certificate.crt;
        ssl_certificate_key private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        resolver 8.8.8.8;

        ### connect tunnel
        proxy_connect;
        proxy_connect_allow 443 563;
        proxy_connect_connect_timeout 10s;
        proxy_connect_read_timeout 10s;
        proxy_connect_send_timeout 10s;

        location / {
            proxy_set_header Host $host;
            proxy_pass https://$host;
        }
    }

Nginx will still make an HTTP CONNECT request to the target server. But if the target server, like firestore.googleapis.com:443, expects an HTTPS CONNECT request, it will result in "client sent plain HTTP request to HTTPS port while reading client request headers".

The documentation says that everything should be fine if I use --proxy-insecure for curl. And it really helps and the connection is established.

But I don't have this --proxy-insecure option in my Android app. All I can configure there is https.proxyHost and https.proxyPort.

I am not good at this stuff, so please correct me if I am mistaken.

    server {
        listen 8443 ssl;
        server_name localhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate certificate.crt;
        ssl_certificate_key private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        resolver 8.8.8.8;

        location / {
            proxy_set_header Host $host;
            proxy_pass https://$host;
            proxy_ssl_server_name on; # This line is crucial for HTTPS CONNECT
            proxy_ssl_verify off; # Disable SSL verification for upstream server
            proxy_ssl_name $host; # Set the Server Name Indication (SNI) to the host
        }

        location /proxy-tunnel { # Add a location for handling CONNECT requests
            proxy_pass https://$http_host$request_uri;
            proxy_set_header Host $host;
            proxy_ssl_server_name on; # This line is crucial for HTTPS CONNECT
            proxy_ssl_verify off; # Disable SSL verification for upstream server
        }
    }

But I don't have this --proxy-insecure option in my Android app. All I can configure there is https.proxyHost and https.proxyPort.

I know your problem, but I'm also not familiar with the Android ecosystem, thus I could only recommend you recompile the curl program in your Android env.
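
What a proxy port sees in its first bytes in the two cases discussed in this thread, as an added example that is not code from the thread or from the proxy_connect module: a client that opens TLS to the proxy before sending CONNECT, and a client that sends CONNECT in cleartext, which a `listen ... ssl` port answers with the "plain HTTP request to HTTPS port" error quoted above. The function names, outcome labels and sample bytes are constructed for illustration, and the listener model is a simplification of nginx's behaviour; the allowed ports mirror `proxy_connect_allow 443 563`.

```python
import re

ALLOWED_PORTS = {443, 563}  # same ports as proxy_connect_allow in the thread's config

# Request line of a cleartext CONNECT: "CONNECT host:port HTTP/1.x"
CONNECT_LINE = re.compile(rb"^CONNECT ([A-Za-z0-9.-]+):(\d{1,5}) HTTP/1\.[01]\r\n")


def classify_first_bytes(data: bytes) -> str:
    """Label what a client sent first: 'tls', 'plain-connect', 'plain-http' or 'unknown'."""
    # TLS record header: type 0x16 (handshake), major version 0x03;
    # byte 5 is the handshake message type, 0x01 for ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if CONNECT_LINE.match(data):
        return "plain-connect"
    if re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n", data):
        return "plain-http"
    return "unknown"


def connect_target(data: bytes):
    """Return (host, port) from a cleartext CONNECT, or None if absent or port not allowed."""
    m = CONNECT_LINE.match(data)
    if not m:
        return None
    host, port = m.group(1).decode("ascii"), int(m.group(2))
    return (host, port) if port in ALLOWED_PORTS else None


def listener_outcome(data: bytes, listener_is_ssl: bool) -> str:
    """Model how a listener with or without 'ssl' treats the client's first bytes."""
    kind = classify_first_bytes(data)
    if listener_is_ssl:
        if kind == "tls":
            return "tls-handshake"
        return "rejected-plain-http-on-https-port" if kind.startswith("plain") else "rejected"
    if kind == "plain-connect":
        return "tunnel" if connect_target(data) else "rejected-port-not-allowed"
    return "plain-http-request" if kind == "plain-http" else "rejected"


# Constructed samples (not captured traffic).
PLAIN_CONNECT = b"CONNECT firestore.googleapis.com:443 HTTP/1.1\r\nHost: firestore.googleapis.com:443\r\n\r\n"
TLS_CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")  # record header + start of ClientHello
BAD_PORT = b"CONNECT example.com:25 HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("plain CONNECT", PLAIN_CONNECT), ("TLS hello", TLS_CLIENT_HELLO), ("port 25", BAD_PORT)]:
        print(name, "| ssl listener:", listener_outcome(sample, True), "| plain listener:", listener_outcome(sample, False))
```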