ngx_http_proxy_connect_module
Unable to restrict the domain name of forward proxy
0. Before you ask
- Try to find an answer by reading a FAQ.
Ⅰ. Issue Description
server {
    listen 3002;
    server_name sms.tencentcloudapi.com;

    # dns resolver used by forward proxying
    resolver 8.8.8.8;

    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow 443 80;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;

    # forward proxy for non-CONNECT request
    location / {
        proxy_pass $scheme://sms.tencentcloudapi.com$request_uri;
        # proxy_set_header Host sms.tencentcloudapi.com;
    }
}
Ⅱ. Describe what happened
Ⅲ. Describe what you expected to happen
Proxies can be restricted normally
Ⅳ. How to reproduce it (as minimally and precisely as possible)
V. Anything else we need to know?
None
VI. Environment:
Nginx 1.19.2
It is as expected that proxied data cannot be restricted via domain name. Note that we have no method to parse the proxied data in the CONNECT tunnel.
Many people have asked why or how to parse, hijack, and intercept proxy data. This is practically impossible to achieve, because the proxied data can theoretically be in any form; in fact, the vast majority of it is SSL encrypted.
The only data you can parse is the CONNECT request before the CONNECT tunnel is established.
You can check this request as follows (note that I didn't test the script; it is just for reference).
# Only the CONNECT request itself can be inspected; $connect_host is the
# target host from the CONNECT request line.
set $found "";
if ($request_method = "CONNECT") {
    set $found "1";
}
if ($connect_host = "xx.com") {
    # append rather than overwrite, so both conditions together yield "12"
    set $found "${found}2";
}
if ($found = "12") {
    return 403;
}
restrict domain example
use SNI
# CONNECT HOST
map $host $tls_proxy_allow_url_flag {
    default 0;
    # '|' inside a character class is a literal; [\w-] is the intended set
    ~^([\w-]+?)\.googlesource\.com$ 1;
    ~^([\w-]+?)\.googleapis\.com$ 1;
    ~^chrome-infra-packages\.appspot\.com$ 1;
}

server {
    # 'ssl' is required on listen for the ssl_* directives below to take effect
    listen 443 ssl;
    server_name your-domain.com;
    ssl_certificate /tls/wildcard.your-domain.com.fullchain.pem;
    ssl_certificate_key /tls/wildcard.your-domain.com.key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # dns resolver used by forward proxying
    resolver 1.0.0.1 1.0.0.2 1.0.0.3 1.1.1.1 8.8.8.8 8.8.4.4;

    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow 443 80;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;

    # reject any request whose host is not on the allow list (server-level if,
    # so it is evaluated before the CONNECT tunnel is established)
    if ($tls_proxy_allow_url_flag != 1) {
        return 403 '{"status":"403","result":"no allow","message":"403"}';
    }

    # forward proxy for non-CONNECT request
    location / {
        charset utf-8;
        default_type text/plain;
        return 200 'yeah 😁😄😜😋🤗😅😇🥰🥳';
    }
}
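As an added illustration of the point made in this thread (not code from the module or from either commenter): a Python check that applies the same policy the nginx snippets express, a port allow list like `proxy_connect_allow` and a host allow list like the `map` above, to the CONNECT request line, which is the only part of a tunnel request a proxy can inspect. The allow-list patterns, status codes and sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed allow list mirroring the map in the thread (regexes on the
# CONNECT host); nginx lowercases $host, so hosts are lowercased here too.
ALLOWED_HOSTS = [
    re.compile(r"^[\w-]+\.googlesource\.com$"),
    re.compile(r"^[\w-]+\.googleapis\.com$"),
    re.compile(r"^chrome-infra-packages\.appspot\.com$"),
]
ALLOWED_PORTS = {443, 80}  # mirrors `proxy_connect_allow 443 80;`

@dataclass
class Decision:
    allowed: bool
    status: int
    reason: str
    host: str = ""
    port: int = 0

def parse_connect_target(request_line):
    """Parse 'CONNECT host:port HTTP/1.1' into (host, port), or None if malformed."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    authority = parts[1]
    if authority.startswith("["):                 # IPv6 literal, e.g. [::1]:443
        host, sep, port = authority[1:].partition("]:")
    else:
        host, sep, port = authority.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host.lower(), int(port)

def check_connect(raw_request):
    """Decide on the CONNECT request only. Everything the client sends after the
    proxy answers 200 is an opaque tunnel (usually TLS) and is not inspected."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line = head.split("\r\n", 1)[0]
    if not request_line.startswith("CONNECT "):
        return Decision(False, 405, "only CONNECT requests are evaluated here")
    target = parse_connect_target(request_line)
    if target is None:
        return Decision(False, 400, "malformed CONNECT target")
    host, port = target
    if port not in ALLOWED_PORTS:
        return Decision(False, 403, "port not in proxy_connect_allow", host, port)
    if not any(p.match(host) for p in ALLOWED_HOSTS):
        return Decision(False, 403, "host not in allow list", host, port)
    return Decision(True, 200, "ok", host, port)
```

The IPv6 branch and the malformed-target case are the edge cases a request-line check has to get right; the nginx `map` relies on nginx's own parsing for that.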
I think it is resolved. Feel free to reopen it if you still have the same issue. Open a new issue if you have any other problem.