ngx_http_proxy_connect_module
Proxy chain
Hi! :) Is it possible to create an Nginx forward proxy server which will forward all the traffic from the client to another commercial proxy server, and all the traffic from the commercial proxy server back to the client?
Client PC <--> My Nginx Proxy <--> Commercial HTTP Proxy <--> Google Server
It works well for HTTP web pages with this config:

```nginx
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include mime.types;

    server {
        listen 8080;
        access_log /dev/stdout;
        error_log /dev/stderr;
        resolver 1.1.1.1 ipv6=off;

        # CONNECT handling (ngx_http_proxy_connect_module)
        proxy_connect;
        proxy_connect_allow 443 563;
        proxy_connect_connect_timeout 10s;
        proxy_connect_read_timeout 10s;
        proxy_connect_send_timeout 10s;

        # Non-CONNECT requests go to the upstream proxy
        location / {
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_pass http://195.191.99.119:45740;
        }
    }
}
```
where http://195.191.99.119:45740 is my commercial proxy.
But it is not working for HTTPS web pages (https://www.whatismyip.com/ shows my real IP). How can I fix it? Thank you for your great work and future useful answer!
> It works well for HTTP web pages with config:

Yeah, the HTTP (not HTTPS) proxying case works as expected. It only uses the original nginx HTTP proxy module; this module (proxy_connect) does not work for the HTTP proxy case.

> But it is not working for HTTPS web pages (https://www.whatismyip.com/ shows my real IP). How can I fix it?

Because I don't know how you configured the proxy method of your client PC, my answer may not meet your expectations.
If you configured your client PC with the normal HTTPS proxy method, for example, your browser (maybe Chrome) -> settings -> HTTPS proxy -> My Nginx Proxy IP & PORT, and then browsed https://www.whatismyip.com/, the data flow will be as follows.
```
1. established HTTP CONNECT tunnel
client PC (chrome) --> [CONNECT request] --> My Nginx Proxy (proxy_connect) -- [TCP connection] --> www.whatismyip.com
2. real data flow (HTTPS request) proxying
client PC (chrome) -- [HTTPS request for www.whatismyip.com] --> My nginx (proxy_connect) --> [HTTPS request for www.whatismyip.com] --> www.whatismyip.com
```
The data flow is similar to this example: https://github.com/chobits/ngx_http_proxy_connect_module#example-for-curl
In this case, the data flow will not be proxied to the Commercial HTTP Proxy, because proxy_connect (my nginx) has proxied the data to the dest IP/host provided by the client PC.
If you want My nginx to force the HTTP TUNNEL to your Commercial HTTP Proxy, you can specify the backend IP address via this directive: https://github.com/chobits/ngx_http_proxy_connect_module#proxy_connect_address

```
proxy_connect_address <Commercial HTTP Proxy IP>:<Commercial HTTP Proxy PORT>;
```

You should know that the HTTPS request may fail even though you force the data flow to be proxied to your commercial HTTP proxy, because a normal browser on the client PC will do some SSL handshake security checking with the commercial HTTP proxy.
Closing it; feel free to reopen if you still have this issue.
> If you want My nginx to force the HTTP TUNNEL to your Commercial HTTP Proxy, you can specify the backend IP address via this directive: https://github.com/chobits/ngx_http_proxy_connect_module#proxy_connect_address
>
> proxy_connect_address <Commercial HTTP Proxy IP>:<Commercial HTTP Proxy PORT>;
>
> You should know that the HTTPS request may fail even though you force the data flow to be proxied to your commercial HTTP proxy, because a normal browser on the client PC will do some SSL handshake security checking with the commercial HTTP proxy.

I don't think this is correct. When SSL is used, the nginx connect module should copy all headers, without the proxy authorization header, from the client connection, then try connecting to the upstream proxy and write the copied headers from the client connection there, then parse back the response and return it unmodified; this is how it is implemented in squid.
Hi @deba12

> > If you want My nginx to force the HTTP TUNNEL to your Commercial HTTP Proxy, you can specify the backend IP address via this directive: https://github.com/chobits/ngx_http_proxy_connect_module#proxy_connect_address
> >
> > proxy_connect_address <Commercial HTTP Proxy IP>:<Commercial HTTP Proxy PORT>;
> >
> > You should know that the HTTPS request may fail even though you force the data flow to be proxied to your commercial HTTP proxy, because a normal browser on the client PC will do some SSL handshake security checking with the commercial HTTP proxy.
>
> I don't think this is correct. When SSL is used, the nginx connect module should copy all headers, without the proxy authorization header, from the client connection, then try connecting to the upstream proxy and write the copied headers from the client connection there, then parse back the response and return it unmodified; this is how it is implemented in squid.
Yes, this is what the proxy_connect module does, but only in the second case below.
There are 2 kinds of data flow, handled by the original nginx proxy module and my proxy_connect module respectively:
- HTTP / HTTPS requests (not the CONNECT method): these data are handled by the nginx core modules (proxy module + upstream module), as you said for squid. These data are not handled by the proxy_connect module, which means you don't need to build this proxy_connect module into nginx. --- nginx proxy module
- All data in one TCP connection to the nginx (proxy_connect) module: the first request is a CONNECT method HTTP request, followed by subsequent data in any format (usually HTTPS requests). The proxy_connect module doesn't parse the subsequent data; it just copies the raw data flow to the backend and transfers data received from the backend to the client. --- proxy_connect module
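
Added example (not code from the module or from any participant in this thread): it contrasts the two behaviours discussed above when the next hop is itself an HTTP proxy, namely relaying the tunnel's raw bytes versus re-issuing the client's CONNECT without its Proxy-Authorization header. The stand-in upstream proxy, the sample request and all function names are constructed for illustration, and the stand-in assumes an HTTP proxy expects a CONNECT request as the first bytes on the connection.

```python
import socket
import threading

# Constructed sample input: a client's CONNECT and the start of a TLS record.
CLIENT_CONNECT = (b"CONNECT www.whatismyip.com:443 HTTP/1.1\r\n"
                  b"Host: www.whatismyip.com:443\r\n"
                  b"Proxy-Authorization: Basic ZXhhbXBsZTpleGFtcGxl\r\n\r\n")
TLS_RECORD_START = b"\x16\x03\x01\x02\x00\x01"

def build_upstream_connect(raw: bytes) -> bytes:
    """Re-issue a client's CONNECT for the next proxy, minus Proxy-Authorization."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    kept = [h for h in header_lines
            if not h.lower().startswith("proxy-authorization:")]
    return "\r\n".join([f"CONNECT {target} HTTP/1.1", *kept, "", ""]).encode("latin-1")

def read_status(sock: socket.socket) -> int:
    """Read one HTTP response head from the upstream proxy; return its status."""
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("upstream proxy closed before replying")
        reply += chunk
    return int(reply.split(b" ", 2)[1])

def fake_upstream_proxy(sock: socket.socket) -> None:
    """Constructed stand-in for an HTTP proxy: it expects CONNECT first."""
    ok = sock.recv(4096).startswith(b"CONNECT ")
    sock.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n" if ok
                 else b"HTTP/1.1 400 Bad Request\r\n\r\n")

def first_hop_status(first_bytes: bytes) -> int:
    """Send first_bytes to the stand-in proxy and return the status it answers."""
    ours, theirs = socket.socketpair()
    worker = threading.Thread(target=fake_upstream_proxy, args=(theirs,))
    worker.start()
    try:
        ours.sendall(first_bytes)
        return read_status(ours)
    finally:
        worker.join()
        ours.close()
        theirs.close()
```

`first_hop_status(TLS_RECORD_START)` models a blind relay of the client's TLS bytes to the upstream proxy, while `first_hop_status(build_upstream_connect(CLIENT_CONNECT))` models re-issuing the CONNECT first.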