ngx_http_proxy_connect_module's Introduction

name

This module provides support for the CONNECT method request. This method is mainly used to tunnel SSL requests through proxy servers.

Example

Configuration Example

server {
    listen                         3128;

    # dns resolver used by forward proxying
    resolver                       8.8.8.8;

    # forward proxy for CONNECT requests
    proxy_connect;
    proxy_connect_allow            443 563;
    proxy_connect_connect_timeout  10s;
    proxy_connect_data_timeout     10s;

    # defined by yourself for non-CONNECT requests
    # Example: reverse proxy for non-CONNECT requests
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
  • The resolver directive MUST be configured globally in server {} block (or http {} block).
  • Any location {} block, upstream {} block and any other standard backend/upstream directives, such as proxy_pass, do not impact the functionality of this module. (The proxy_connect module only executes the logic for requests that use the CONNECT method and that have a data flow under this tunnel.)
    • If you don't want to handle non-CONNECT requests, you can modify the location {} block as follows:
      location / {
          return 403 "Non-CONNECT requests are forbidden";
      }
      

Example for curl

With the above configuration (Configuration Example), you can fetch any https website through an HTTP CONNECT tunnel. A simple test with curl is as follows:

$ curl https://github.com/ -v -x 127.0.0.1:3128
*   Trying 127.0.0.1...                                           -.
* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)                | curl creates TCP connection with nginx (with proxy_connect module).
* Establish HTTP proxy tunnel to github.com:443                   -'
> CONNECT github.com:443 HTTP/1.1                                 -.
> Host: github.com:443                                         (1) | curl sends CONNECT request to create tunnel.
> User-Agent: curl/7.43.0                                          |
> Proxy-Connection: Keep-Alive                                    -'
>
< HTTP/1.0 200 Connection Established                             .- nginx replies 200 that tunnel is established.
< Proxy-agent: nginx                                           (2)|  (The client is now being proxied to the remote host. Any data sent
<                                                                 '-  to nginx is now forwarded, unmodified, to the remote host)

* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  -.
* Server certificate: github.com                                   |
* Server certificate: DigiCert SHA2 Extended Validation Server CA  | curl sends "https://github.com" request via tunnel,
* Server certificate: DigiCert High Assurance EV Root CA           | proxy_connect module will proxy data to remote host (github.com).
> GET / HTTP/1.1                                                   |
> Host: github.com                                             (3) |
> User-Agent: curl/7.43.0                                          |
> Accept: */*                                                     -'
>
< HTTP/1.1 200 OK                                                 .-
< Date: Fri, 11 Aug 2017 04:13:57 GMT                             |
< Content-Type: text/html; charset=utf-8                          |  Any data received from remote host will be sent to client
< Transfer-Encoding: chunked                                      |  by proxy_connect module.
< Server: GitHub.com                                           (4)|
< Status: 200 OK                                                  |
< Cache-Control: no-cache                                         |
< Vary: X-PJAX                                                    |
...                                                               |
... <other response headers & response body> ...                  |
...                                                               '-

The sequence diagram of the above example is as follows:

  curl                     nginx (proxy_connect)            github.com
    |                             |                          |
(1) |-- CONNECT github.com:443 -->|                          |
    |                             |                          |
    |                             |----[ TCP connection ]--->|
    |                             |                          |
(2) |<- HTTP/1.1 200           ---|                          |
    |   Connection Established    |                          |
    |                             |                          |
    |                                                        |
    ========= CONNECT tunnel has been established. ===========
    |                                                        |
    |                             |                          |
    |                             |                          |
    |   [ SSL stream       ]      |                          |
(3) |---[ GET / HTTP/1.1   ]----->|   [ SSL stream       ]   |
    |   [ Host: github.com ]      |---[ GET / HTTP/1.1   ]-->.
    |                             |   [ Host: github.com ]   |
    |                             |                          |
    |                             |                          |
    |                             |                          |
    |                             |   [ SSL stream       ]   |
    |   [ SSL stream       ]      |<--[ HTTP/1.1 200 OK  ]---'
(4) |<--[ HTTP/1.1 200 OK  ]------|   [ < html page >    ]   |
    |   [ < html page >    ]      |                          |
    |                             |                          |

configuration example for CONNECT request in HTTPS

server {
    listen                         3128 ssl;

    # self signed certificate generated via openssl command
    ssl_certificate_key            /path/to/server.key;
    ssl_certificate                /path/to/server.crt;
    ssl_session_cache              shared:SSL:1m;

    # dns resolver used by forward proxying
    resolver                       8.8.8.8;

    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow            443 563;
    proxy_connect_connect_timeout  10s;
    proxy_connect_data_timeout     10s;

    # defined by yourself for non-CONNECT request
    # Example: reverse proxy for non-CONNECT requests
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}

example for curl (CONNECT request in https)

With the above configuration (configuration example for CONNECT request in HTTPS), you can fetch any https website through an HTTPS CONNECT tunnel (the CONNECT request itself is sent over https). A simple test with curl is as follows:

Tips on using curl command:

  • -x https://... makes curl send the CONNECT request over https.
  • --proxy-insecure disables certificate verification for the TLS connection established with the nginx proxy_connect server (https://localhost:3128); it does not disable verification of the proxied backend server (https://nginx.org in the example below).
    • If you want to disable certificate verification of the proxied backend server, you can use the -k option.

Output of the curl command:

$ curl https://nginx.org/ -sv -o/dev/null -x https://localhost:3128 --proxy-insecure
*   Trying 127.0.0.1:3128...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3128 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [112 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [799 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Proxy certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  start date: Nov 25 08:36:38 2022 GMT
*  expire date: Nov 25 08:36:38 2023 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* allocate connect buffer!
* Establish HTTP proxy tunnel to nginx.org:443
} [5 bytes data]
> CONNECT nginx.org:443 HTTP/1.1
> Host: nginx.org:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
{ [5 bytes data]
< HTTP/1.1 200 Connection Established
< Proxy-agent: nginx
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* CONNECT phase completed!
* CONNECT phase completed!
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [80 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2749 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=nginx.org
*  start date: Dec  9 15:29:31 2022 GMT
*  expire date: Mar  9 15:29:30 2023 GMT
*  subjectAltName: host "nginx.org" matched cert's "nginx.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
} [5 bytes data]
> GET / HTTP/1.1
> Host: nginx.org
> User-Agent: curl/7.68.0
> Accept: */*
>
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.21.5
< Date: Mon, 06 Mar 2023 06:05:24 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 7488
< Last-Modified: Tue, 28 Feb 2023 21:07:43 GMT
< Connection: keep-alive
< Keep-Alive: timeout=15
< ETag: "63fe6d1f-1d40"
< Accept-Ranges: bytes
<
{ [7488 bytes data]
* Connection #0 to host localhost left intact

Example for browser

You can configure your browser to use this nginx as PROXY server.

  • Google Chrome HTTPS PROXY SETTING: guide & config for how to configure this module working under SSL layer.

Example for Basic Authentication

We can do access control on CONNECT request using nginx auth basic module.
See this guide for more details.

Example for proxying WebSocket

Install

Select patch

  • Select right patch for building:
  • All patch files are included in the patch/ directory of this module. You don't need to download the patch from the web page.

nginx version       enable REWRITE phase   patch
1.4.x ~ 1.12.x      NO                     proxy_connect.patch
1.4.x ~ 1.12.x      YES                    proxy_connect_rewrite.patch
1.13.x ~ 1.14.x     NO                     proxy_connect_1014.patch
1.13.x ~ 1.14.x     YES                    proxy_connect_rewrite_1014.patch
1.15.2              YES                    proxy_connect_rewrite_1015.patch
1.15.4 ~ 1.16.x     YES                    proxy_connect_rewrite_101504.patch
1.17.x ~ 1.18.x     YES                    proxy_connect_rewrite_1018.patch
1.19.x ~ 1.21.0     YES                    proxy_connect_rewrite_1018.patch
1.21.1 ~ 1.22.x     YES                    proxy_connect_rewrite_102101.patch
1.23.x ~ 1.24.0     YES                    proxy_connect_rewrite_102101.patch
1.25.0 ~ 1.26.x     YES                    proxy_connect_rewrite_102101.patch
1.27.1              YES                    proxy_connect_rewrite_102101.patch

OpenResty version   enable REWRITE phase   patch
1.13.6              NO                     proxy_connect_1014.patch
1.13.6              YES                    proxy_connect_rewrite_1014.patch
1.15.8              YES                    proxy_connect_rewrite_101504.patch
1.17.8              YES                    proxy_connect_rewrite_1018.patch
1.19.3              YES                    proxy_connect_rewrite_1018.patch
1.21.4              YES                    proxy_connect_rewrite_102101.patch
1.25.3              YES                    proxy_connect_rewrite_102101.patch

  • proxy_connect_<VERSION>.patch disables nginx REWRITE phase for CONNECT request by default, which means if, set, rewrite_by_lua and other REWRITE phase directives cannot be used.
  • proxy_connect_rewrite_<VERSION>.patch enables these REWRITE phase directives.

Build nginx

  • Build nginx with this module from source:
$ wget http://nginx.org/download/nginx-1.9.2.tar.gz
$ tar -xzvf nginx-1.9.2.tar.gz
$ cd nginx-1.9.2/
$ patch -p1 < /path/to/ngx_http_proxy_connect_module/patch/proxy_connect.patch
$ ./configure --add-module=/path/to/ngx_http_proxy_connect_module
$ make && make install

Build as a dynamic module

  • Starting from nginx 1.9.11, you can also compile this module as a dynamic module, by using the --add-dynamic-module=PATH option instead of --add-module=PATH on the ./configure command line.
$ wget http://nginx.org/download/nginx-1.9.12.tar.gz
$ tar -xzvf nginx-1.9.12.tar.gz
$ cd nginx-1.9.12/
$ patch -p1 < /path/to/ngx_http_proxy_connect_module/patch/proxy_connect.patch
$ ./configure --add-dynamic-module=/path/to/ngx_http_proxy_connect_module
$ make && make install
  • And then you can explicitly load the module in your nginx.conf via the load_module directive, for example,
load_module /path/to/modules/ngx_http_proxy_connect_module.so;
  • ❗ Note that the ngx_http_proxy_connect_module.so file MUST be loaded by nginx binary that is compiled with the .so file at the same time.

Build OpenResty

  • Build OpenResty with this module from source:
$ wget https://openresty.org/download/openresty-1.19.3.1.tar.gz
$ tar -zxvf openresty-1.19.3.1.tar.gz
$ cd openresty-1.19.3.1
$ ./configure --add-module=/path/to/ngx_http_proxy_connect_module
$ patch -d build/nginx-1.19.3/ -p 1 < /path/to/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_1018.patch
$ make && make install

Test Suite

  • To run the whole test suite:
$ hg clone http://hg.nginx.org/nginx-tests/

# If you use latest lua-nginx-module that needs lua-resty-core and
# lua-resty-lrucache, you should add "lua_package_path ...;" directive
# into nginx.conf of test cases. You can use the following command:
#
# $ export TEST_NGINX_GLOBALS_HTTP='lua_package_path "/path/to/nginx/lib/lua/?.lua;;";'

$ export TEST_NGINX_BINARY=/path/to/nginx/binary
$ prove -v -I /path/to/nginx-tests/lib /path/to/ngx_http_proxy_connect_module/t/
  • For the complete process of building and testing this module, see:
    • workflow files: here
    • runs from all workflows: here

Error Log

This module logs its own error messages with the prefix "proxy_connect:".
Some typical error log entries are shown below:

  • The proxy_connect module tries to establish a tunnel connection with the backend server, but the TCP connection times out.
2019/08/07 17:27:20 [error] 19257#0: *1 proxy_connect: upstream connect timed out (peer:216.58.200.4:443) while connecting to upstream, client: 127.0.0.1, server: , request: "CONNECT www.google.com:443 HTTP/1.1", host: "www.google.com:443"

Directive

proxy_connect

Syntax: proxy_connect
Default: none
Context: server

Enable "CONNECT" HTTP method support.

proxy_connect_allow

Syntax: proxy_connect_allow all | [port ...] | [port-range ...]
Default: 443 563
Context: server

This directive specifies a list of port numbers or port ranges to which the proxy CONNECT method may connect.
By default, only the default https port (443) and the default snews port (563) are enabled.
Using this directive overrides this default and allows connections to the listed ports only.

The value all allows the proxy to connect to any port.

The value port allows the proxy to connect to the specified port.

The value port-range allows the proxy to connect to the specified range of ports, for example:

proxy_connect_allow 1000-2000 3000-4000; # allow range of port from 1000 to 2000, from 3000 to 4000.
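
The allow-list semantics above, applied as an audit over access-log lines. This is an added example, not code from the module; it assumes nginx's predefined "combined" log format, and the function names and sample log lines are constructed for illustration.

```python
import re

# Module default when proxy_connect_allow is not set (from the directive reference).
DEFAULT_ALLOW = "443 563"


def parse_allow(args):
    """Parse the arguments of proxy_connect_allow.

    Returns None for "all", otherwise a list of inclusive (low, high)
    port ranges. A single port N becomes (N, N).
    """
    tokens = args.split()
    if not tokens:
        raise ValueError("proxy_connect_allow needs at least one argument")
    if tokens == ["all"]:
        return None
    ranges = []
    for tok in tokens:
        low, dash, high = tok.partition("-")
        # int() raises ValueError for anything that is not a number. That
        # also rejects "all" mixed with ports; how the module itself treats
        # such a mix is not stated on this page.
        lo, hi = int(low), int(high) if dash else int(low)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port or range: {tok!r}")
        ranges.append((lo, hi))
    return ranges


def port_allowed(ranges, port):
    """True if the port is covered by the parsed allow-list."""
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


# Client address and request field of a "combined" log line, CONNECT only.
# The bracketed alternative tolerates an IPv6 literal as the tunnel target.
CONNECT_RE = re.compile(
    r'^(?P<client>\S+) .*?"CONNECT '
    r'(?P<host>\[[^\]]+\]|[^:\s"]+):(?P<port>\d+) HTTP/1\.[01]"'
)


def audit(log_lines, allow_args=DEFAULT_ALLOW):
    """Return (client, host, port) for every CONNECT outside the allow-list."""
    ranges = parse_allow(allow_args)
    findings = []
    for line in log_lines:
        m = CONNECT_RE.match(line)
        if m is None:
            continue  # not a CONNECT request
        port = int(m["port"])
        if not port_allowed(ranges, port):
            findings.append((m["client"], m["host"], port))
    return findings


# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Feb/2018:22:24:32 +0000] '
    '"CONNECT example.org:443 HTTP/1.1" 200 1477 "-" "curl/7.68.0"',
    '192.0.2.11 - - [05/Feb/2018:22:25:01 +0000] '
    '"CONNECT mail.example.net:25 HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.12 - - [05/Feb/2018:22:25:07 +0000] '
    '"GET / HTTP/1.1" 403 35 "-" "curl/7.68.0"',
    '192.0.2.11 - - [05/Feb/2018:22:25:09 +0000] '
    '"CONNECT [2001:db8::1]:3306 HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for client, host, port in audit(SAMPLE_LOG):
        print(f"out-of-policy tunnel: {client} -> {host}:{port}")
```

Pass the argument string of the policy you intend to enforce as allow_args; a non-empty result on a server that is supposed to run with that policy means the deployed proxy_connect_allow is wider than intended.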

proxy_connect_connect_timeout

Syntax: proxy_connect_connect_timeout time
Default: none
Context: server

Defines a timeout for establishing a connection with a proxied server.

proxy_connect_data_timeout

Syntax: proxy_connect_data_timeout time
Default: 60s
Context: server

Sets the timeout between two successive read or write operations on client or proxied server connections. If no data is transmitted within this time, the connection is closed.

proxy_connect_read_timeout

Syntax: proxy_connect_read_timeout time
Default: 60s
Context: server

Deprecated.

It has the same function as the directive proxy_connect_data_timeout for compatibility. You can configure only one of the directives (proxy_connect_data_timeout or proxy_connect_read_timeout).

proxy_connect_send_timeout

Syntax: proxy_connect_send_timeout time
Default: 60s
Context: server

Deprecated.

It has no function.

proxy_connect_address

Syntax: proxy_connect_address address | off
Default: none
Context: server

Specifies an IP address of the proxied server. The address can contain variables.
The special value off is equal to none, which uses the IP address resolved from the host name of the CONNECT request line.

NOTE: If using set $<nginx variable> and proxy_connect_address $<nginx variable> together, you should use proxy_connect_rewrite.patch instead, see Install for more details.

proxy_connect_bind

Syntax: proxy_connect_bind address [transparent] | off
Default: none
Context: server

Makes outgoing connections to a proxied server originate from the specified local IP address with an optional port.
Parameter value can contain variables. The special value off is equal to none, which allows the system to auto-assign the local IP address and port.

The transparent parameter allows outgoing connections to a proxied server to originate from a non-local IP address, for example, from a real IP address of a client:

proxy_connect_bind $remote_addr transparent;

In order for this parameter to work, it is usually necessary to run nginx worker processes with the superuser privileges. On Linux it is not required (1.13.8) as if the transparent parameter is specified, worker processes inherit the CAP_NET_RAW capability from the master process. It is also necessary to configure kernel routing table to intercept network traffic from the proxied server.

NOTE: If using set $<nginx variable> and proxy_connect_bind $<nginx variable> together, you should use proxy_connect_rewrite.patch instead, see Install for more details.

proxy_connect_response

Syntax: proxy_connect_response CONNECT response
Default: HTTP/1.1 200 Connection Established\r\nProxy-agent: nginx\r\n\r\n
Context: server

Set the response of CONNECT request.

Note that it is only used for CONNECT request, it cannot modify the data flow over CONNECT tunnel.

For example:

proxy_connect_response "HTTP/1.1 200 Connection Established\r\nProxy-agent: nginx\r\nX-Proxy-Connected-Addr: $connect_addr\r\n\r\n";

A curl test with the above config looks as follows:

$ curl https://github.com -sv -x localhost:3128
* Connected to localhost (127.0.0.1) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to github.com:443
> CONNECT github.com:443 HTTP/1.1
> Host: github.com:443
> User-Agent: curl/7.64.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established            --.
< Proxy-agent: nginx                               | custom CONNECT response
< X-Proxy-Connected-Addr: 13.229.188.59:443      --'
...
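
A client-side check for the custom response above, as an added example (not code from the module): it parses the reply to CONNECT, reads the X-Proxy-Connected-Addr header defined by the example directive, and reports whether the proxy connected to a private, loopback or link-local address, which proxy_connect_allow (a port filter) does not restrict. The function names are hypothetical, and the second and third sample responses are constructed.

```python
import ipaddress


def parse_connect_response(raw):
    """Parse the head of a proxy's reply to CONNECT.

    Returns (status_code, reason, headers) with header names lower-cased.
    Bytes after the empty line already belong to the tunnel and are ignored.
    """
    head, sep, _tunnel_bytes = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response head is not terminated by an empty line")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    # The reason phrase is optional ("HTTP/1.1 200" is used on this page too).
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), reason, headers


def split_addr(addr):
    """'13.229.188.59:443' or '[2001:db8::1]:443' -> (ip_address, port)."""
    host, colon, port = addr.rpartition(":")
    if not colon:
        raise ValueError(f"no port in address: {addr!r}")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def check_tunnel(raw, header="X-Proxy-Connected-Addr"):
    """Summarise a CONNECT reply: tunnel established? connected where?"""
    status, _reason, headers = parse_connect_response(raw)
    result = {
        "established": 200 <= status < 300,  # any 2xx switches to tunnel mode
        "status": status,
        "addr": None,
        "internal": None,
    }
    value = headers.get(header.lower())
    if result["established"] and value:
        ip, port = split_addr(value)
        result["addr"] = (str(ip), port)
        result["internal"] = ip.is_private or ip.is_loopback or ip.is_link_local
    return result


# Response from the curl trace above.
PAGE_RESPONSE = (
    b"HTTP/1.1 200 Connection Established\r\n"
    b"Proxy-agent: nginx\r\n"
    b"X-Proxy-Connected-Addr: 13.229.188.59:443\r\n\r\n"
)
# Constructed: the target host name resolved to an RFC 1918 address.
INTERNAL_RESPONSE = (
    b"HTTP/1.1 200 Connection Established\r\n"
    b"Proxy-agent: nginx\r\n"
    b"X-Proxy-Connected-Addr: 10.0.0.5:443\r\n\r\n"
)
# Constructed: a refusal without the custom header.
REFUSED_RESPONSE = b"HTTP/1.1 403 Forbidden\r\n\r\n"

if __name__ == "__main__":
    for sample in (PAGE_RESPONSE, INTERNAL_RESPONSE, REFUSED_RESPONSE):
        print(check_tunnel(sample))
```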

Variables

$connect_host

host name from CONNECT request line.

$connect_port

port from CONNECT request line.

$connect_addr

IP address and port of the remote host, e.g. "192.168.1.5:12345". IP address is resolved from host name of CONNECT request line.

$proxy_connect_connect_timeout

Get or set timeout of proxy_connect_connect_timeout directive.

For example:

# Set default value

proxy_connect_connect_timeout   10s;
proxy_connect_data_timeout      10s;

# Override default value

if ($host = "test.com") {
    set $proxy_connect_connect_timeout  "10ms";
    set $proxy_connect_data_timeout     "10ms";
}

$proxy_connect_data_timeout

Get or set a timeout of proxy_connect_data_timeout directive.

$proxy_connect_read_timeout

Deprecated. It still can get or set a timeout of proxy_connect_data_timeout directive for compatibility.

$proxy_connect_send_timeout

Deprecated. It has no function.

$proxy_connect_resolve_time

Keeps time spent on name resolving; the time is kept in seconds with millisecond resolution.

  • Value of "" means this module does not work on this request.
  • Value of "-" means name resolving failed.

$proxy_connect_connect_time

Keeps time spent on establishing a connection with the upstream server; the time is kept in seconds with millisecond resolution.

  • Value of "" means this module does not work on this request.
  • Value of "-" means name resolving or connecting failed.

$proxy_connect_first_byte_time

Keeps time to receive the first byte of data from the upstream server; the time is kept in seconds with millisecond resolution.

  • Value of "" means this module does not work on this request.
  • Value of "-" means name resolving, connecting or receiving failed.

$proxy_connect_response

Get or set the response of CONNECT request.
The default response of CONNECT request is "HTTP/1.1 200 Connection Established\r\nProxy-agent: nginx\r\n\r\n".

Note that it is only used for CONNECT request, it cannot modify the data flow over CONNECT tunnel.

For example:

# modify default Proxy-agent header
set $proxy_connect_response "HTTP/1.1 200\r\nProxy-agent: nginx/1.19\r\n\r\n";

The variable value does not support nginx variables. You can use lua-nginx-module to construct string that contains nginx variable. For example:

# The CONNECT response may be "HTTP/1.1 200\r\nProxy-agent: nginx/1.19.6\r\n\r\n"

rewrite_by_lua '
    ngx.var.proxy_connect_response =
      string.format("HTTP/1.1 200\\r\\nProxy-agent: nginx/%s\\r\\n\\r\\n", ngx.var.nginx_version)
';

Also note that the set and rewrite_by_lua* directives run during the REWRITE phase, which precedes the DNS resolving phase. Some variables do not have their final value yet at that point; for example, $connect_addr is nil. In such cases, use the proxy_connect_response directive instead.

Compatibility

Nginx Compatibility

The latest module is compatible with the following versions of nginx:

  • 1.27.1 (mainline version of 1.27.x)
  • 1.26.2 (version of 1.26.x)
  • 1.24.0 (version of 1.24.x)
  • 1.22.1 (version of 1.22.x)
  • 1.20.2 (version of 1.20.x)
  • 1.18.0 (version of 1.18.x)
  • 1.16.1 (version of 1.16.x)
  • 1.14.2 (version of 1.14.x)
  • 1.12.1 (version of 1.12.x)
  • 1.10.3 (version of 1.10.x)
  • 1.8.1 (version of 1.8.x)
  • 1.6.3 (version of 1.6.x)
  • 1.4.7 (version of 1.4.x)

OpenResty Compatibility

The latest module is compatible with the following versions of OpenResty:

  • 1.25.3 (version: 1.25.3.1)
  • 1.21.4 (version: 1.21.4.3)
  • 1.19.3 (version: 1.19.3.1)
  • 1.17.8 (version: 1.17.8.2)
  • 1.15.8 (version: 1.15.8.1)
  • 1.13.6 (version: 1.13.6.2)

Tengine Compatibility

This module has been integrated into Tengine 2.3.0.

FAQ

See FAQ page.

Known Issues

  • In HTTP/2, the CONNECT method is not supported. It only supports the CONNECT method request in HTTP/1.x and HTTPS.

See Also

Author

LICENSE

See LICENSE for details.

ngx_http_proxy_connect_module's Issues

[TODO] patch updating: support nginx-1.13+

After nginx-1.13, the try_files phase has been replaced with PRECONTENT phase, which is implemented as try_files module.
Original proxy_connect.patch will skip try_files phase, this is unnecessary after nginx-1.13.


For details of removing try_files phases, see this nginx official hg commit log.


TODO: updated & added new patch for nginx-1.13+

Forward incoming https based only on domain name

Can this module be used to forward requests coming from the internet? If so can you point me to an example of this setup. I do not care about caching or routing traffic coming out of my vms.

My setup is one vm running nginx with a public IP and multiple others running various combinations or web servers on other vms on internal IPs.

The vms that need https are already handling their own https with letsencrypt or paid certs because they all had public IPs before. I only want the vm running nginx to forward the traffic based on the domain name to the proper vm. I do not want to intercept the traffic and break the encryption. This is working for http, but it seems nginx cannot forward the https the way I want.

Is this module the right tool to use? I am most familiar with nginx which is why I am hesitant to use Squid, Apache Traffic Server, or similar.

How to compile as a dynamic module

I am using NGINX with dynamic modules and wanted to see how I could compile this module as a dynamic module instead of a static one. I tried the recommended way of compiling a dynamic module, found in this doc from NGINX: https://www.nginx.com/resources/wiki/extending/converting/
but your configure script does not seem to support the --add-dynamic-module argument.

sudo ./configure --add-dynamic-module=/home/ec2-user/ngx_http_proxy_connect_module-master/
./configure: error: invalid option "--add-dynamic-module=/home/ec2-user/ngx_http_proxy_connect_module-master/"

Rebuild NGINX 1.13.9 add module ngx_http_proxy_connect_module

Hi,
This patch solved my problem, which was that nginx does not support forward proxying of https.
But a new problem occurred. After the rebuild I can't visit https from the internet through the reverse proxy.
Forward Proxy
Private network => intranet to Internet (http https)OK
Reverse Proxy => Internet to intranet (http OK) , but https is error

thanks a lot

#25769902144: *4 upstream timed out (116: Connection timed out)

--Reverse proxy

server {
    listen 443 ssl;
    server_name xxxx.com;
    ssl_certificate xxxxx.pem;
    ssl_certificate_key xxxxx.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    charset utf-8;
    #charset koi8-r;

    # access_log off;

    location / {
        index index.aspx index.html index.htm;
        proxy_buffer_size 64k;
        proxy_buffers 32 32k;
        proxy_busy_buffers_size 128k;
        proxy_connect_timeout 600;
        proxy_read_timeout 600;
        proxy_send_timeout 600;

        client_max_body_size 100m;
        # proxy_pass http://myServer;
        proxy_pass http://xxxxx;

        proxy_set_header Host "xxxxx";
    }
}

--Forward Proxy

server {
    listen 8889;
    # dns resolver used by forward proxying
    resolver 114.114.114.114 8.8.8.8;
    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow 443 563 8889 3128;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;

    large_client_header_buffers 4 16k;
    client_max_body_size 300m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 600;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    proxy_buffer_size 64k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;

    # forward proxy for non-CONNECT request
    location ^~/proxy_path/ {
        proxy_pass http://$host;
        proxy_set_header Host $host:$proxy_port;
        proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $remote_addr;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

[TODO] Variable timeout parameters

Currently proxy_connect_connect_timeout, proxy_connect_read_timeout and proxy_connect_send_timeout need to be hard coded in the nginx template, could you make them variable (usable with set)?

(oops, I realised that these are server block parameters which I think makes them ineligible to be variables? either way I'd still like for them to be variable on a per connection basis)

How to install (./configure failure)

$ wget http://nginx.org/download/nginx-1.9.2.tar.gz
$ tar -xzvf nginx-1.9.2.tar.gz
$ cd nginx-1.9.2/
$ patch -p1 < /path/to/ngx_http_proxy_connect_module/proxy_connect.patch
$ ./configure --add-module=/path/to/ngx_http_proxy_connect_module
Installation output:
', needed by objs/nginx'. Stop.et objs/addon/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.o
make[1]: Leaving directory `/root/nginx/nginx-1.12.2'
make: *** [build] Error 2

multi-proxy // How to use two cascaded nginx servers to proxy traffic?

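How do I use multi-level proxying? For example, two levels with two nginx servers: the first nginx only forwards, passing traffic to the second nginx, and the second nginx connects to the internet.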


EN:
How to use two cascaded nginx servers to proxy traffic?
The first nginx proxies client's traffic to the second.
And the second nginx proxies traffic to the internet.

Caching proxied requests? // make nginx proxy_cache works as backend server

Would it be possible to cache proxy_connect responses in Nginx, using proxy_cache for example? Based on my limited understanding, it seems like this module tunnels directly to the destination and the proxied request is not handled by a normal Nginx location block, so the proxy_cache setting does not apply.

Error log: upstream timed out (110: Connection timed out) while connecting to upstream(proxy_connect)

I've configured proxy_connect with this forward proxy configuration https://gist.github.com/concreted/769bdc0a451d82f020523dfeca5829dc and it is proxying traffic as expected. I configured Chrome to use the proxy server with this config. However I see many instances of this error in the Nginx error.log:

2018/02/05 22:18:57 [error] 10#0: *55 upstream timed out (110: Connection timed out) while connecting to upstream(proxy_connect), client: 192.168.99.1, server: , request: "CONNECT i.imgur.com:443 HTTP/1.1", host: "i.imgur.com:443"

In access.log, there is a corresponding CONNECT request attempt to the host, in this case i.imgur.com:

192.168.99.1 - - [05/Feb/2018:22:24:32 +0000] "CONNECT i.imgur.com:443 HTTP/1.1" 000 1477 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) electron-quick-start/1.0.0 Chrome/58.0.3029.110 Electron/1.7.11 Safari/537.36"

What could be causing this error, and could it cause problems later? It seems like the CONNECT calls are always timing out, but the proxy is still returning the correct results to Chrome, and Chrome doesn't show any network errors.

transparent proxying is not supported on this platform

Hi, first of all, thank you for this module.

I have an issue when attempting to forward the actual client IP address to my proxied application.
I use the following configuration to enable CONNECT proxying on my default server configuration:

proxy_connect;
proxy_connect_allow            25568 25570;
proxy_connect_connect_timeout  10s;
proxy_connect_read_timeout     10s;
proxy_connect_send_timeout     10s;
proxy_connect_bind $remote_addr transparent;

Whenever I add the proxy_connect_bind entry and reload the config using nginx -s reload, I get the following output:

nginx: [emerg] transparent proxying is not supported on this platform, ignored in /etc/nginx/sites-enabled/default:47

I am using: nginx version: nginx/1.6.2.

When I omit the "transparent" parameter from the proxy_connect_bind entry I get an internal Server error (500) response on the client side and the following output in my nginx error.log:

2018/09/04 15:53:57 [crit] 25341#0: *2287 bind([MY_IP]) failed (99: Cannot assign requested address) while connecting to upstream(proxy_connect), client: [MY_IP], server: [TARGET_URL], request: "CONNECT [TARGET_URL]:25568 HTTP/1.0"

Thanks in advance for any insights.

proxy_connect_allow all ports?

Hi, I'm using the module for FTP proxy, but it doesn't work because of the FTP passive mode. Would it be possible to enable the proxy_connect_allow option to accept all ports or range of ports (ex. 1000-2000)? Thank you.

I am using curl with the following options:

curl -p -k -v --globoff --ssl -u ${USERNAME}:${PASSWORD} \
     --disable-epsv \
     --proxy $PROXY \
     --connect-timeout 60 \
     --retry 60 \
     --retry-delay 5 \
     --retry-max-time 60 -T ${FILE} ftp://ftp.userscloud.com:21 

Below is a sample output:

* Hostname was NOT found in DNS cache
*   Trying 10.10.10.1...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 10.10.10.1 (10.10.10.1) port 8888 (#0)
* Establish HTTP proxy tunnel to ftp.userscloud.com:21
* Server auth using Basic with user 'user'
> CONNECT ftp.userscloud.com:21 HTTP/1.1
> Host: ftp.userscloud.com:21
> User-Agent: curl/7.38.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.0 200 Connection Established
< Proxy-agent: nginx
< 
* Proxy replied OK to CONNECT request
< 220 ProFTPD 1.3.4b Server (ftp.userscloud.com) [89.238.134.150]
> AUTH SSL
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< 234 AUTH SSL successful
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Request CERT (13):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
} [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
* Server certificate:
* 	 subject: OU=Domain Control Validated; OU=EssentialSSL Wildcard; CN=*.userscloud.com
* 	 start date: 2015-07-01 00:00:00 GMT
* 	 expire date: 2017-07-09 23:59:59 GMT
* 	 issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
* 	 SSL certificate verify result: certificate has expired (10), continuing anyway.
> USER user
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0< 331 Password required for user
> PASS password
< 230 User user logged in
> PBSZ 0
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0< 200 PBSZ 0 successful
> PROT P
< 200 Protection set to Private
> PWD
< 257 "/" is the current directory
* Entry path is '/'
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0> PASV
* Connect data stream passively
* ftp_perform ends with SECONDARY: 0
< 227 Entering Passive Mode (89,238,134,150,150,119).
* Hostname was found in DNS cache
*   Trying 10.10.10.1...
* Connecting to 89.238.134.150 (10.10.10.1) port 8888
* Connected to 10.10.10.1 (10.10.10.1) port 8888 (#0)
* Connection to proxy confirmed
* Establish HTTP proxy tunnel to 89.238.134.150:38519
* Server auth using Basic with user 'user'
> CONNECT 89.238.134.150:38519 HTTP/1.1
> Host: 89.238.134.150:38519
> User-Agent: curl/7.38.0
> Proxy-Connection: Keep-Alive
> 
> TYPE I
< 200 Type set to I
> STOR file
  0     0    0     0    0     0      0      0 --:--:--  0:00:13 --:--:--     0* response reading failed
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
} [data not shown]
curl: (56) response reading failed
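
The following is an added example, not part of the original post or the module's code. It decodes the 227 reply from the trace above into the data-channel endpoint that curl then requests with CONNECT, and checks that port against a proxy_connect_allow argument string. The `all` and `low-high` tokens are assumed syntax, the 443/563 fallback and the (low, high) comparison mirror the lines quoted in the build-error output further down this page, and the 38000-39000 range is a constructed value.

```python
import re

# Reply copied from the curl trace in the post above.
PASV_REPLY = "227 Entering Passive Mode (89,238,134,150,150,119)."

_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) encoded in an FTP 227 reply (h1,h2,h3,h4,p1,p2)."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # high byte first
    return host, port


def parse_allow(spec):
    """Parse allow-list arguments (assumed syntax: "all", "port", "low-high").

    Returns None for "all", otherwise a list of (low, high) pairs in which
    high == 0 marks a single port.
    """
    tokens = spec.split()
    if tokens == ["all"]:
        return None
    rules = []
    for tok in tokens:
        low, sep, high = tok.partition("-")
        lo = int(low)
        hi = int(high) if sep else 0
        if not 1 <= lo <= 65535 or (sep and not lo <= hi <= 65535):
            raise ValueError("bad port or range: %r" % tok)
        rules.append((lo, hi))
    return rules


def port_allowed(port, rules):
    """Apply the same comparison as the module lines quoted on this page."""
    if rules is None:
        return True                    # "all"
    if not rules:
        return port in (443, 563)      # no list configured: default ports
    return any((hi == 0 and port == lo) or (lo <= port <= hi)
               for lo, hi in rules)


def ftp_tunnel_check(control_port, pasv_reply, allow_spec):
    """Report whether both FTP channels would pass the allow list."""
    rules = parse_allow(allow_spec)
    host, data_port = parse_pasv(pasv_reply)
    return {
        "data_endpoint": "%s:%d" % (host, data_port),
        "control_allowed": port_allowed(control_port, rules),
        "data_allowed": port_allowed(data_port, rules),
    }


if __name__ == "__main__":
    # "21 38000-39000" is a constructed allow list for illustration.
    for spec in ("443 563", "21", "21 38000-39000"):
        print("%-16s -> %s" % (spec, ftp_tunnel_check(21, PASV_REPLY, spec)))
```

Every port added to the allow list is a port any proxy client can reach on any destination host, so a range sized to the FTP server's configured passive-port window exposes less than allowing all ports.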

Configure ERROR

root@ubuntu1404:/var/tmp/nginx-1.4.6# patch -p1 < ../proxy_connect_rewrite.patch
patching file src/http/ngx_http_core_module.c
Hunk #1 succeeded at 970 (offset 48 lines).
Hunk #2 succeeded at 1211 (offset 46 lines).
patching file src/http/ngx_http_parse.c
Hunk #2 succeeded at 251 (offset -3 lines).
Hunk #3 succeeded at 279 (offset -3 lines).
Hunk #4 succeeded at 295 (offset -3 lines).
patching file src/http/ngx_http_request.c
Hunk #1 succeeded at 886 (offset -82 lines).
Hunk #2 succeeded at 1491 (offset -82 lines).
patching file src/http/ngx_http_request.h
Hunk #1 succeeded at 41 (offset -1 lines).
Hunk #2 succeeded at 401 (offset -3 lines).
patching file src/http/ngx_http_variables.c
Hunk #1 succeeded at 146 (offset -6 lines).
root@ubuntu1404:/var/tmp/nginx-1.4.6# ./configure --add-module=/var/tmp/ngx_http_proxy_connect_module.c \
--with-cc-opt='-g -O2 -fstack-protector \
--param=ssp-buffer-size=4 -Wformat \
-Werror=format-security -D_FORTIFY_SOURCE=2' \
--with-ld-opt='-Wl,-Bsymbolic-functions \
-Wl,-z,relro' --prefix=/usr/share/nginx \
--conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-debug --with-pcre-jit --with-ipv6 \
--with-http_ssl_module --with-http_stub_status_module \
--with-http_realip_module --with-http_addition_module \
--with-http_dav_module --with-http_geoip_module \
--with-http_gzip_static_module --with-http_image_filter_module \
--with-http_spdy_module --with-http_sub_module \
--with-http_xslt_module --with-mail \
--with-mail_ssl_module && make && strip objs/nginx
checking for OS
 + Linux 3.13.0-32-generic x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4)
checking for gcc -pipe switch ... found
checking for --with-ld-opt="-Wl,-Bsymbolic-functions -Wl,-z,relro" ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
checking for sys/filio.h ... not found
checking for sys/param.h ... found
checking for sys/mount.h ... found
checking for sys/statvfs.h ... found
checking for crypt.h ... found
checking for Linux specific features
checking for epoll ... found
checking for sendfile() ... found
checking for sendfile64() ... found
checking for sys/prctl.h ... found
checking for prctl(PR_SET_DUMPABLE) ... found
checking for sched_setaffinity() ... found
checking for crypt_r() ... found
checking for sys/vfs.h ... found
checking for nobody group ... not found
checking for nogroup group ... found
checking for poll() ... found
checking for /dev/poll ... not found
checking for kqueue ... not found
checking for crypt() ... not found
checking for crypt() in libcrypt ... found
checking for F_READAHEAD ... not found
checking for posix_fadvise() ... found
checking for O_DIRECT ... found
checking for F_NOCACHE ... not found
checking for directio() ... not found
checking for statfs() ... found
checking for statvfs() ... found
checking for dlopen() ... not found
checking for dlopen() in libdl ... found
checking for sched_yield() ... found
checking for SO_SETFIB ... not found
checking for SO_ACCEPTFILTER ... not found
checking for TCP_DEFER_ACCEPT ... found
checking for TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT ... found
checking for TCP_INFO ... found
checking for accept4() ... found
checking for int size ... 4 bytes
checking for long size ... 8 bytes
checking for long long size ... 8 bytes
checking for void * size ... 8 bytes
checking for uint64_t ... found
checking for sig_atomic_t ... found
checking for sig_atomic_t size ... 4 bytes
checking for socklen_t ... found
checking for in_addr_t ... found
checking for in_port_t ... found
checking for rlim_t ... found
checking for uintptr_t ... uintptr_t found
checking for system byte ordering ... little endian
checking for size_t size ... 8 bytes
checking for off_t size ... 8 bytes
checking for time_t size ... 8 bytes
checking for AF_INET6 ... found
checking for setproctitle() ... not found
checking for pread() ... found
checking for pwrite() ... found
checking for sys_nerr ... found
checking for localtime_r() ... found
checking for posix_memalign() ... found
checking for memalign() ... found
checking for mmap(MAP_ANON|MAP_SHARED) ... found
checking for mmap("/dev/zero", MAP_SHARED) ... found
checking for System V shared memory ... found
checking for POSIX semaphores ... not found
checking for POSIX semaphores in libpthread ... found
checking for struct msghdr.msg_control ... found
checking for ioctl(FIONBIO) ... found
checking for struct tm.tm_gmtoff ... found
checking for struct dirent.d_namlen ... not found
checking for struct dirent.d_type ... found
checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
configuring additional modules
adding module in /var/tmp/ngx_http_proxy_connect_module.c
./configure: error: no /var/tmp/ngx_http_proxy_connect_module.c/config was found

OS: Ubuntu 14.04

ERROR: kevent() reported that connect() failed


Retested on the internal network:

userdeMacBook-Air:~ user$ curl https://www.baidu.com/ -v -x localhost:8888 -o index.html --progress-bar -k
*   Trying ::1...
* TCP_NODELAY set
* Connection failed
* connect to ::1 port 8888 failed: Connection refused
*   Trying fe80::1...
* TCP_NODELAY set
* Connection failed
* connect to fe80::1 port 8888 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8888 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.baidu.com:443
> CONNECT www.baidu.com:443 HTTP/1.1
> Host: www.baidu.com:443
> User-Agent: curl/7.61.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
< Proxy-agent: nginx
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl/cert.pem
  CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* CONNECT phase completed!
* CONNECT phase completed!
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0

curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

The nginx log shows no obvious errors.

2018/08/10 16:29:24 [debug] 20388#0: accept on 0.0.0.0:8888, ready: 1
2018/08/10 16:29:24 [debug] 20389#0: kevent events: 1
2018/08/10 16:29:24 [debug] 20389#0: kevent: 10: ft:-1 fl:0005 ff:00000000 d:1 ud:00007FAD24816C00
2018/08/10 16:29:24 [debug] 20389#0: accept on 0.0.0.0:8888, ready: 1
2018/08/10 16:29:24 [debug] 20388#0: posix_memalign: 00007FAD23F00160:512 @16
2018/08/10 16:29:24 [debug] 20389#0: accept() not ready (35: Resource temporarily unavailable)
2018/08/10 16:29:24 [debug] 20388#0: *58 accept: 127.0.0.1:59395 fd:4
2018/08/10 16:29:24 [debug] 20388#0: *58 event timer add: 4: 60000:22039878
2018/08/10 16:29:24 [debug] 20388#0: *58 reusable connection: 1
2018/08/10 16:29:24 [debug] 20388#0: *58 kevent set event: 4: ft:-1 fl:0025
2018/08/10 16:29:24 [debug] 20388#0: timer delta: 3266
2018/08/10 16:29:24 [debug] 20388#0: worker cycle
2018/08/10 16:29:24 [debug] 20388#0: kevent timer: 60000, changes: 1
2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
2018/08/10 16:29:24 [debug] 20388#0: kevent: 4: ft:-1 fl:0025 ff:00000000 d:118 ud:00007FAD25012AD0
2018/08/10 16:29:24 [debug] 20388#0: *58 http wait request handler
2018/08/10 16:29:24 [debug] 20388#0: *58 malloc: 00007FAD25004000:1024
2018/08/10 16:29:24 [debug] 20388#0: *58 recv: eof:0, avail:118, err:0
2018/08/10 16:29:24 [debug] 20388#0: *58 recv: fd:4 118 of 1024
2018/08/10 16:29:24 [debug] 20388#0: *58 reusable connection: 0
2018/08/10 16:29:24 [debug] 20388#0: *58 posix_memalign: 00007FAD25004400:4096 @16
2018/08/10 16:29:24 [debug] 20388#0: *58 http process request line
2018/08/10 16:29:24 [debug] 20388#0: *58 http request line: "CONNECT www.baidu.com:443 HTTP/1.1"
2018/08/10 16:29:24 [debug] 20388#0: *58 http uri: ""
2018/08/10 16:29:24 [debug] 20388#0: *58 http args: ""
2018/08/10 16:29:24 [debug] 20388#0: *58 http exten: ""
2018/08/10 16:29:24 [debug] 20388#0: *58 posix_memalign: 00007FAD25005400:4096 @16
2018/08/10 16:29:24 [debug] 20388#0: *58 http process request header line
2018/08/10 16:29:24 [debug] 20388#0: *58 http header: "Host: www.baidu.com:443"
2018/08/10 16:29:24 [debug] 20388#0: *58 http header: "User-Agent: curl/7.61.0"
2018/08/10 16:29:24 [debug] 20388#0: *58 http header: "Proxy-Connection: Keep-Alive"
2018/08/10 16:29:24 [debug] 20388#0: *58 http header done
2018/08/10 16:29:24 [debug] 20388#0: *58 event timer del: 4: 22039878
2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 0
2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 1
2018/08/10 16:29:24 [debug] 20388#0: *58 rewrite phase: 2
2018/08/10 16:29:24 [debug] 20388#0: *58 rewrite phase: 4
2018/08/10 16:29:24 [debug] 20388#0: *58 post rewrite phase: 5
2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 6
2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 7
2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 8
2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 9
2018/08/10 16:29:24 [debug] 20388#0: *58 access phase: 10
2018/08/10 16:29:24 [debug] 20388#0: *58 access phase: 11
2018/08/10 16:29:24 [debug] 20388#0: *58 access phase: 12
2018/08/10 16:29:24 [debug] 20388#0: *58 post access phase: 13
2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 14
2018/08/10 16:29:24 [debug] 20388#0: *58 generic phase: 15
2018/08/10 16:29:24 [debug] 20388#0: *58 connect network address given by proxy_connect_address
2018/08/10 16:29:24 [debug] 20388#0: *58 stream socket 8
2018/08/10 16:29:24 [debug] 20388#0: *58 connect to 10.243.184.40:8081, fd:8 #59
2018/08/10 16:29:24 [debug] 20387#0: kevent events: 1
2018/08/10 16:29:24 [debug] 20387#0: kevent: 10: ft:-1 fl:0005 ff:00000000 d:1 ud:00007FAD25012A00
2018/08/10 16:29:24 [debug] 20387#0: accept on 0.0.0.0:8888, ready: 1
2018/08/10 16:29:24 [debug] 20387#0: accept() not ready (35: Resource temporarily unavailable)
2018/08/10 16:29:24 [debug] 20387#0: timer delta: 3266
2018/08/10 16:29:24 [debug] 20387#0: worker cycle
2018/08/10 16:29:24 [debug] 20387#0: kevent timer: -1, changes: 0
2018/08/10 16:29:24 [debug] 20390#0: kevent events: 1
2018/08/10 16:29:24 [debug] 20388#0: *58 kevent set event: 8: ft:-1 fl:0025
2018/08/10 16:29:24 [debug] 20390#0: kevent: 10: ft:-1 fl:0005 ff:00000000 d:1 ud:00007FAD25012A00
2018/08/10 16:29:24 [debug] 20389#0: timer delta: 3266
2018/08/10 16:29:24 [debug] 20390#0: accept on 0.0.0.0:8888, ready: 1
2018/08/10 16:29:24 [debug] 20391#0: accept on 0.0.0.0:8888, ready: 1
2018/08/10 16:29:24 [debug] 20390#0: accept() not ready (35: Resource temporarily unavailable)
2018/08/10 16:29:24 [debug] 20390#0: timer delta: 3266
2018/08/10 16:29:24 [debug] 20388#0: *58 kevent set event: 8: ft:-2 fl:0025
2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect upstream connect: -2
2018/08/10 16:29:24 [debug] 20388#0: *58 posix_memalign: 00007FAD23D0B860:128 @16
2018/08/10 16:29:24 [debug] 20388#0: *58 event timer add: 8: 60000:22039879
2018/08/10 16:29:24 [debug] 20388#0: *58 http finalize request: -4, "?" a:1, c:2
2018/08/10 16:29:24 [debug] 20388#0: *58 http request count:2 blk:0
2018/08/10 16:29:24 [debug] 20388#0: timer delta: 1
2018/08/10 16:29:24 [debug] 20388#0: worker cycle
2018/08/10 16:29:24 [debug] 20388#0: kevent timer: 60000, changes: 2
2018/08/10 16:29:24 [debug] 20391#0: accept() not ready (35: Resource temporarily unavailable)
2018/08/10 16:29:24 [debug] 20391#0: timer delta: 3266
2018/08/10 16:29:24 [debug] 20391#0: worker cycle
2018/08/10 16:29:24 [debug] 20391#0: kevent timer: -1, changes: 0
2018/08/10 16:29:24 [debug] 20390#0: worker cycle
2018/08/10 16:29:24 [debug] 20390#0: kevent timer: -1, changes: 0
2018/08/10 16:29:24 [debug] 20389#0: worker cycle
2018/08/10 16:29:24 [debug] 20389#0: kevent timer: -1, changes: 0
2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
2018/08/10 16:29:24 [debug] 20388#0: kevent: 8: ft:-2 fl:0025 ff:00000000 d:131328 ud:00007FAD25040B38
2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect upstream handler: "www.baidu.com:443"
2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect upstream write handler
2018/08/10 16:29:24 [debug] 20388#0: *58 event timer del: 8: 22039879
2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect send 200 connection estatbilshed
2018/08/10 16:29:24 [debug] 20388#0: *58 send: fd:4 59 of 59
2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect sent 200 connection estatbilshed
2018/08/10 16:29:24 [debug] 20388#0: timer delta: 6
2018/08/10 16:29:24 [debug] 20388#0: worker cycle
2018/08/10 16:29:24 [debug] 20388#0: kevent timer: -1, changes: 0
2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
2018/08/10 16:29:24 [debug] 20388#0: kevent: 4: ft:-1 fl:0025 ff:00000000 d:517 ud:00007FAD25012AD0
2018/08/10 16:29:24 [debug] 20388#0: *58 http run request: "?"
2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect, fu:0 write:0
2018/08/10 16:29:24 [debug] 20388#0: *58 malloc: 00007FAD25801800:16384
2018/08/10 16:29:24 [debug] 20388#0: *58 recv: eof:0, avail:517, err:0
2018/08/10 16:29:24 [debug] 20388#0: *58 recv: fd:4 517 of 16384
2018/08/10 16:29:24 [debug] 20388#0: *58 send: fd:8 517 of 517
2018/08/10 16:29:24 [debug] 20388#0: *58 event timer add: 4: 60000:22039887
2018/08/10 16:29:24 [debug] 20388#0: timer delta: 2
2018/08/10 16:29:24 [debug] 20388#0: worker cycle
2018/08/10 16:29:24 [debug] 20388#0: kevent timer: 60000, changes: 0
2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
2018/08/10 16:29:24 [debug] 20388#0: kevent: 8: ft:-2 fl:0025 ff:00000000 d:131328 ud:00007FAD25040B38
2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect upstream handler: "www.baidu.com:443"
2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect upstream write handler
2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect, fu:0 write:1
2018/08/10 16:29:24 [debug] 20388#0: *58 event timer: 4, old: 22039887, new: 22039892
2018/08/10 16:29:24 [debug] 20388#0: timer delta: 5
2018/08/10 16:29:24 [debug] 20388#0: worker cycle
2018/08/10 16:29:24 [debug] 20388#0: kevent timer: 59995, changes: 0
2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
2018/08/10 16:29:24 [debug] 20388#0: kevent: 8: ft:-1 fl:0025 ff:00000000 d:903 ud:00007FAD25012B38
2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect upstream handler: "www.baidu.com:443"
2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect upstream read handler
2018/08/10 16:29:24 [debug] 20388#0: *58 malloc: 00007FAD25006400:16384
2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect, fu:1 write:0
2018/08/10 16:29:24 [debug] 20388#0: *58 recv: eof:0, avail:903, err:0
2018/08/10 16:29:24 [debug] 20388#0: *58 recv: fd:8 903 of 16384
2018/08/10 16:29:24 [debug] 20388#0: *58 send: fd:4 903 of 903
2018/08/10 16:29:24 [debug] 20388#0: *58 event timer add: 8: 60000:22039892
2018/08/10 16:29:24 [debug] 20388#0: timer delta: 0
2018/08/10 16:29:24 [debug] 20388#0: worker cycle
2018/08/10 16:29:24 [debug] 20388#0: kevent timer: 59995, changes: 0
2018/08/10 16:29:24 [debug] 20388#0: kevent events: 1
2018/08/10 16:29:24 [debug] 20388#0: kevent: 8: ft:-1 fl:8025 ff:00000000 d:0 ud:00007FAD25012B38
2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect upstream handler: "www.baidu.com:443"
2018/08/10 16:29:24 [debug] 20388#0: *58 proxy_connect upstream read handler
2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect, fu:1 write:0
2018/08/10 16:29:24 [debug] 20388#0: *58 recv: eof:1, avail:0, err:0
2018/08/10 16:29:24 [debug] 20388#0: *58 http proxy_connect done
2018/08/10 16:29:24 [debug] 20388#0: *58 finalize proxy_conncet upstream request: 0
2018/08/10 16:29:24 [debug] 20388#0: *58 close proxy_connect upstream connection: 8
2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD23D0B860, unused: 48
2018/08/10 16:29:24 [debug] 20388#0: *58 event timer del: 8: 22039892
2018/08/10 16:29:24 [debug] 20388#0: *58 reusable connection: 0
2018/08/10 16:29:24 [debug] 20388#0: *58 http finalize request: 0, "?" a:1, c:1
2018/08/10 16:29:24 [debug] 20388#0: *58 event timer del: 4: 22039887
2018/08/10 16:29:24 [debug] 20388#0: *58 http request count:1 blk:0
2018/08/10 16:29:24 [debug] 20388#0: *58 http close request
2018/08/10 16:29:24 [debug] 20388#0: *58 http log handler
2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD25006400
2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD25801800
2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD25004400, unused: 8
2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD25005400, unused: 2843
2018/08/10 16:29:24 [debug] 20388#0: *58 close http connection: 4
2018/08/10 16:29:24 [debug] 20388#0: *58 reusable connection: 0
2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD25004000
2018/08/10 16:29:24 [debug] 20388#0: *58 free: 00007FAD23F00160, unused: 136
2018/08/10 16:29:24 [debug] 20388#0: timer delta: 1
2018/08/10 16:29:24 [debug] 20388#0: worker cycle
2018/08/10 16:29:24 [debug] 20388#0: kevent timer: -1, changes: 0
==> access.log <==
127.0.0.1 -  [10/Aug/2018:16:29:24 +0800] "CONNECT www.baidu.com:443 HTTP/1.1" 000 962 "" "curl/7.61.0" ""
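
The following is an added example, not part of the original post or the module's code. It reads nginx debug-log lines in the format shown above, pairs each CONNECT request line with the upstream address nginx actually connected to, and counts the bytes relayed on the upstream socket. The sample lines are excerpted from connection *58 in the log above; the function and field names are this example's own.

```python
import re

# Lines excerpted from the debug log in the post above (connection *58),
# plus one worker-level line to show that such lines are skipped.
LOG_EXCERPT = """\
2018/08/10 16:29:24 [debug] 20388#0: *58 recv: fd:4 118 of 1024
2018/08/10 16:29:24 [debug] 20388#0: *58 http request line: "CONNECT www.baidu.com:443 HTTP/1.1"
2018/08/10 16:29:24 [debug] 20389#0: kevent events: 1
2018/08/10 16:29:24 [debug] 20388#0: *58 connect network address given by proxy_connect_address
2018/08/10 16:29:24 [debug] 20388#0: *58 connect to 10.243.184.40:8081, fd:8 #59
2018/08/10 16:29:24 [debug] 20388#0: *58 send: fd:4 59 of 59
2018/08/10 16:29:24 [debug] 20388#0: *58 recv: fd:4 517 of 16384
2018/08/10 16:29:24 [debug] 20388#0: *58 send: fd:8 517 of 517
2018/08/10 16:29:24 [debug] 20388#0: *58 recv: fd:8 903 of 16384
2018/08/10 16:29:24 [debug] 20388#0: *58 send: fd:4 903 of 903
2018/08/10 16:29:24 [debug] 20388#0: *58 recv: eof:1, avail:0, err:0
"""

_LINE_RE = re.compile(r"^\S+ \S+ \[debug\] \d+#\d+: \*(\d+) (.*)$")
_REQ_RE = re.compile(r'^http request line: "CONNECT (\S+):(\d+) HTTP/[\d.]+"$')
_UP_RE = re.compile(r"^connect to (\S+):(\d+), fd:(\d+)")
_IO_RE = re.compile(r"^(recv|send): fd:(\d+) (\d+) of \d+$")
_OVERRIDE = "connect network address given by proxy_connect_address"


def _new_record():
    return {
        "requested": None,         # (host, port) from the CONNECT line
        "upstream": None,          # (address, port) nginx connected to
        "upstream_fd": None,
        "address_override": False,
        "bytes_to_upstream": 0,
        "bytes_from_upstream": 0,
        "findings": [],
    }


def summarize_tunnels(log_text):
    """Return {connection id: record} for every CONNECT request in the log."""
    conns = {}
    for raw in log_text.splitlines():
        line = _LINE_RE.match(raw)
        if line is None:
            continue  # worker-level line without a "*N" connection id
        cid, msg = line.group(1), line.group(2)
        rec = conns.setdefault(cid, _new_record())

        req = _REQ_RE.match(msg)
        if req:
            rec["requested"] = (req.group(1), int(req.group(2)))
            continue
        if msg == _OVERRIDE:
            rec["address_override"] = True
            continue
        up = _UP_RE.match(msg)
        if up:
            rec["upstream"] = (up.group(1), int(up.group(2)))
            rec["upstream_fd"] = up.group(3)
            continue
        io = _IO_RE.match(msg)
        if io and io.group(2) == rec["upstream_fd"]:
            key = "bytes_to_upstream" if io.group(1) == "send" else "bytes_from_upstream"
            rec[key] += int(io.group(3))

    tunnels = {}
    for cid, rec in conns.items():
        if rec["requested"] is None:
            continue  # not a CONNECT request
        if rec["upstream"] is None:
            rec["findings"].append("no-upstream: no connect attempt logged")
        else:
            if rec["address_override"]:
                rec["findings"].append("address-override: proxy_connect_address in effect")
            if rec["upstream"][1] != rec["requested"][1]:
                rec["findings"].append(
                    "port-mismatch: requested %d, connected %d"
                    % (rec["requested"][1], rec["upstream"][1])
                )
        tunnels[cid] = rec
    return tunnels


if __name__ == "__main__":
    for cid, rec in summarize_tunnels(LOG_EXCERPT).items():
        print("*%s %s -> %s, to upstream %d B, from upstream %d B, %s" % (
            cid, rec["requested"], rec["upstream"],
            rec["bytes_to_upstream"], rec["bytes_from_upstream"], rec["findings"]))
```

For the excerpt it reports that the tunnel requested for www.baidu.com:443 was opened to 10.243.184.40:8081, with 517 bytes relayed to that address and 903 bytes returned before the upstream closed.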

LUA with CONNECT requests

Your example shows location / for non-CONNECT requests, but how would I define a location for a CONNECT request? I wanted to parse out the POST parameters of the CONNECT request with Lua and don't know how to define a location to accomplish this.

Error log send() failed (22: Invalid argument) while resolving

Env

nginx lua module 0.10.12rc2
nginx 1.12

After a period of time, I found some errors:

client : Received HTTP code 500 from proxy after CONNECT and Close, but the http proxy Operating normally
server log : send() failed (22: Invalid argument) while resolving

So did I miss anything? 🆘 😢
@chobits

Build errors on 1.12.2

Hello,

I'm running into the following errors when trying to build with Nginx 1.12.2. The same configure line works fine for 1.12.1.

Configure:
./configure --add-module=/usr/local/src/nginx/modules/lua-nginx-module --add-module=/usr/local/src/nginx/modules/ngx_http_proxy_connect_module --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

Errors:

In file included from src/core/ngx_core.h:58:0,
                 from /usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:7:
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c: In function ‘ngx_http_proxy_connect_upstream_handler’:
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:734:22: error: ‘ngx_http_request_t’ has no member named ‘connect_host’
                    &r->connect_host, &r->connect_port);
                      ^
src/core/ngx_log.h:93:48: note: in definition of macro ‘ngx_log_debug’
         ngx_log_error_core(NGX_LOG_DEBUG, log, __VA_ARGS__)
                                                ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:732:5: note: in expansion of macro ‘ngx_log_debug2’
     ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
     ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:734:40: error: ‘ngx_http_request_t’ has no member named ‘connect_port’
                    &r->connect_host, &r->connect_port);
                                        ^
src/core/ngx_log.h:93:48: note: in definition of macro ‘ngx_log_debug’
         ngx_log_error_core(NGX_LOG_DEBUG, log, __VA_ARGS__)
                                                ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:732:5: note: in expansion of macro ‘ngx_log_debug2’
     ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
     ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c: In function ‘ngx_http_proxy_connect_check_broken_connection’:
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1027:33: error: ‘ngx_http_request_t’ has no member named ‘connect_host’
                    ev->write, &r->connect_host, &r->connect_port);
                                 ^
src/core/ngx_log.h:93:48: note: in definition of macro ‘ngx_log_debug’
         ngx_log_error_core(NGX_LOG_DEBUG, log, __VA_ARGS__)
                                                ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1025:5: note: in expansion of macro ‘ngx_log_debug3’
     ngx_log_debug3(NGX_LOG_DEBUG_HTTP, ev->log, 0,
     ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1027:51: error: ‘ngx_http_request_t’ has no member named ‘connect_port’
                    ev->write, &r->connect_host, &r->connect_port);
                                                   ^
src/core/ngx_log.h:93:48: note: in definition of macro ‘ngx_log_debug’
         ngx_log_error_core(NGX_LOG_DEBUG, log, __VA_ARGS__)
                                                ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1025:5: note: in expansion of macro ‘ngx_log_debug3’
     ngx_log_debug3(NGX_LOG_DEBUG_HTTP, ev->log, 0,
     ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c: In function ‘ngx_http_proxy_connect_handler’:
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1190:39: error: ‘ngx_http_request_t’ has no member named ‘connect_port_n’
             if ((ports[i][1] == 0 && r->connect_port_n == ports[i][0])
                                       ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1191:37: error: ‘ngx_http_request_t’ has no member named ‘connect_port_n’
                 || (ports[i][0] <= r->connect_port_n && r->connect_port_n <= ports[i][1]))
                                     ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1191:58: error: ‘ngx_http_request_t’ has no member named ‘connect_port_n’
                 || (ports[i][0] <= r->connect_port_n && r->connect_port_n <= ports[i][1]))
                                                          ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1199:14: error: ‘ngx_http_request_t’ has no member named ‘connect_port_n’
         if (r->connect_port_n == 443 || r->connect_port_n == 563) {
              ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1199:42: error: ‘ngx_http_request_t’ has no member named ‘connect_port_n’
         if (r->connect_port_n == 443 || r->connect_port_n == 563) {
                                          ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1230:20: error: ‘ngx_http_request_t’ has no member named ‘connect_host’
     url.url.len = r->connect_host.len;
                    ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1231:21: error: ‘ngx_http_request_t’ has no member named ‘connect_host’
     url.url.data = r->connect_host.data;
                     ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1232:25: error: ‘ngx_http_request_t’ has no member named ‘connect_port_n’
     url.default_port = r->connect_port_n;
                         ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1263:30: error: ‘ngx_http_request_t’ has no member named ‘connect_host’
         u->resolved->host = r->connect_host;
                              ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1264:42: error: ‘ngx_http_request_t’ has no member named ‘connect_port_n’
         u->resolved->port = (in_port_t) r->connect_port_n;
                                          ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1275:18: error: ‘ngx_http_request_t’ has no member named ‘connect_host’
     temp.name = r->connect_host;
                  ^
In file included from src/core/ngx_core.h:58:0,
                 from /usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:7:
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1287:62: error: ‘ngx_http_request_t’ has no member named ‘connect_host’
                       "no resolver defined to resolve %V", &r->connect_host);
                                                              ^
src/core/ngx_log.h:86:67: note: in definition of macro ‘ngx_log_error’
     if ((log)->log_level >= level) ngx_log_error_core(level, log, __VA_ARGS__)
                                                                   ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1291:19: error: ‘ngx_http_request_t’ has no member named ‘connect_host’
     rctx->name = r->connect_host;
                   ^
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c: In function ‘ngx_http_proxy_connect’:
/usr/local/src/nginx/modules/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1395:9: error: ‘ngx_http_core_loc_conf_t’ has no member named ‘accept_connect’
     clcf->accept_connect = 1;
         ^
make[1]: *** [objs/addon/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory `/usr/local/src/nginx/nginx-1.12.2'
make: *** [build] Error 2

compilation error: 'ngx_http_request_t {aka struct ngx_http_request_s}' has no member named 'connect_port_n

Here is my Dockerfile. This does not seem to work on the nginx listed below or the one in the install docs

COPY ./ngx_http_proxy_connect_module /ngx_http_proxy_connect_module
RUN apk update --no-cache
RUN apk add --no-cache git openssh make gcc openssl-dev pcre-dev zlib-dev wget build-base
RUN wget http://nginx.org/download/nginx-1.15.2.tar.gz
RUN tar -xzvf nginx-1.15.2.tar.gz
RUN cd nginx-1.15.2/ && patch -p1 /ngx_http_proxy_connect_module/patch/proxy_connect.patch && ./configure --add-module=/ngx_http_proxy_connect_module && make && make install

ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c: In function 'ngx_http_proxy_connect_handler':
/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1350:39: error: 'ngx_http_request_t {aka struct ngx_http_request_s}' has no member named 'connect_port_n'; did you mean 'connection'?
if ((ports[i][1] == 0 && r->connect_port_n == ports[i][0])
^~

SSH Proxy

I want to proxy SSH connections on my server, port 443 to port 22. The reason is that sometimes the port 22 is not available.

The nginx conf is like this:

server{
    listen 443;
    server_name  ssh.mydomain;

    proxy_connect;
    proxy_connect_allow  all;
    proxy_connect_connect_timeout  15s;
    proxy_connect_read_timeout     30s;
    proxy_connect_send_timeout     30s;
    proxy_connect_address 127.0.0.1:22;

    # location / {
    #     proxy_pass http://127.0.0.1:22;
    # }

}

But I always get "The proxy server rejected connection request: Connection aborted." in Xshell. Any idea?

unknown directive "proxy_connect_write_timeout"

    server {
        listen       443 ssl;
        server_name  localhost;

        proxy_connect;
        proxy_connect_allow    all;
        proxy_connect_read_timeout 300s;
        #proxy_connect_write_timeout 300s;
        proxy_connect_send_timeout 300s;

        ssl_certificate      ssl/openresty.crt;
        ssl_certificate_key  ssl/openresty.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }

        location /test {
            default_type 'text/plain';

            content_by_lua_block {
                local table = require "mylib.table"
                table.print(ngx.req.get_headers())

                ngx.say()
                ngx.say("hey is me!")
            }
        }
    }

Installing module on newer version of nginx (1.13+)

Hi
I have installed a reverse proxy with nginx with https on a Raspberry Pi Z with Raspbian Stretch to connect my home central and it works well. Now I would like to install the above module, but I have version nginx/1.10.3 installed. Following the install code provided installs nginx 1.9.2.
How can I apply the patch to the newer version?
Thanks in advance
Ruedi

compiler error

../ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c: In function 'ngx_http_proxy_connect_read_upstream':
../ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:585:42: error: variable 'plcf' set but not used [-Werror=unused-but-set-variable]
cc1: all warnings being treated as errors
make[1]: *** [objs/addon/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.o] Error 1
make[1]: Leaving directory `/usr/local/src/nginx-1.9.2'
make: *** [build] Error 2

Problem using iptables + nginx as a transparent proxy

iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.2.0/24 --dport 80 -j DNAT --to 192.168.2.116:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.2.0/24 --dport 443 -j DNAT --to 192.168.2.116:3128

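Running curl -x 192.168.2.116:3128 https://www.baidu.com directly from a machine behind it works fine, but after setting up the transparent proxy, direct access has problems. Is something wrong in my settings?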

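Compilation error with nginx 1.9.2

Hello, following the installation document earlier, nginx 1.9.2 compiled without errors.
Now I have downloaded the latest ngx_http_proxy_connect_module code, and compiling it in a new environment fails.

The following error appears when running make: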

cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs -I src/http -I src/http/modules -I src/mail -I src/stream \
    -o objs/addon/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.o \
    /home/apps/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c
/home/apps/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c: In function 'ngx_http_proxy_connect_address':
/home/apps/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1533:14: error: implicit declaration of function 'ngx_parse_addr_port' [-Werror=implicit-function-declaration]
     rc = ngx_parse_addr_port(cf->pool, address->addr, value[1].data,
          ^
/home/apps/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c: In function 'ngx_http_proxy_connect_set_address':
/home/apps/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1720:20: error: 'ngx_http_upstream_resolved_t {aka struct <anonymous>}' has no member named 'name'
     u->resolved->name = address->addr->name;
                ^
/home/apps/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:1753:16: error: 'ngx_http_upstream_resolved_t {aka struct <anonymous>}' has no member named 'name'
     u->resolved->name = addr->name;
                ^
cc1: all warnings being treated as errors
objs/Makefile:1115: recipe for target 'objs/addon/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.o' failed
make[1]: *** [objs/addon/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.o] Error 1
make[1]: Leaving directory '/home/apps/nginx-1.9.2'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2

Later I used nginx 1.12.1 and there were no errors.
My environment is Ubuntu 16.04.

Is it possible to support verification of client certificates?

If a new parameter were added to control whether $ssl_client_verify is checked, it would be helpful for authentication,
such as
proxy_connect_ssl_client_verify on/off; [default off]

If proxy_connect_ssl_client_verify is on, then check ssl_client_verify for each request; if it fails, return 400; if it succeeds, the request is authenticated!

I think this function would be very helpful, thanks for considering.

Compilation error, nginx 1.15.2, alpine

Here's my Dockerfile - I originally had an older version of nginx referenced but based on another issue submitted here, I decided to try 1.15.2 - still the same error - please advise. This is with the latest from master here. (I have to use alpine, which is why I'm forking the Dockerfile from nginx repo)

FROM alpine:3.8

LABEL maintainer="NGINX Docker Maintainers <[email protected]>"

ENV NGINX_VERSION 1.15.2
RUN mkdir /tmp2
COPY ngx_http_proxy_connect_module /tmp2/ngx_http_proxy_connect_module
RUN /bin/chmod -R 777 /tmp2/ngx_http_proxy_connect_module

RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
	&& CONFIG="\
		--add-module=/usr/src/ngx_cache_purge-2.3 \
		--add-module=/tmp2/ngx_http_proxy_connect_module \
		--prefix=/etc/nginx \
		--sbin-path=/usr/sbin/nginx \
		--modules-path=/usr/lib/nginx/modules \
		--conf-path=/etc/nginx/nginx.conf \
		--error-log-path=/var/log/nginx/error.log \
		--http-log-path=/var/log/nginx/access.log \
		--pid-path=/var/run/nginx.pid \
		--lock-path=/var/run/nginx.lock \
		--http-client-body-temp-path=/var/cache/nginx/client_temp \
		--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
		--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
		--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
		--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
		--user=nginx \
		--group=nginx \
		--with-http_ssl_module \
		--with-http_realip_module \
		--with-http_addition_module \
		--with-http_sub_module \
		--with-http_dav_module \
		--with-http_flv_module \
		--with-http_mp4_module \
		--with-http_gunzip_module \
		--with-http_gzip_static_module \
		--with-http_random_index_module \
		--with-http_secure_link_module \
		--with-http_stub_status_module \
		--with-http_auth_request_module \
		--with-http_xslt_module=dynamic \
		--with-http_image_filter_module=dynamic \
		--with-http_geoip_module=dynamic \
		--with-http_perl_module=dynamic \
		--with-threads \
		--with-stream \
		--with-stream_ssl_module \
		--with-stream_ssl_preread_module \
		--with-stream_realip_module \
		--with-stream_geoip_module=dynamic \
		--with-http_slice_module \
		--with-mail \
		--with-mail_ssl_module \
		--with-compat \
		--with-file-aio \
		--with-http_v2_module \
	" \
	&& addgroup -S nginx \
	&& adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
	&& apk add --no-cache --virtual .build-deps \
		gcc \
		libc-dev \
		make \
		openssl-dev \
		pcre-dev \
		zlib-dev \
		linux-headers \
		curl \
		gnupg1 \
		libxslt-dev \
		gd-dev \
		geoip-dev \
		perl-dev \
		pcre-dev \
	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -o nginx.tar.gz \
	&& curl -fSL https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz.asc  -o nginx.tar.gz.asc \
	&& curl -fSL http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz -o ngx_cache_purge-2.3.tar.gz \
	&& ls -la /tmp2/ngx_http_proxy_connect_module \
	&& patch -p1 /tmp2/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_1015.patch \
	&& ls -la /tmp2/ngx_http_proxy_connect_module \
	&& export GNUPGHOME="$(mktemp -d)" \
	&& found=''; \
	for server in \
		ha.pool.sks-keyservers.net \
		hkp://keyserver.ubuntu.com:80 \
		hkp://p80.pool.sks-keyservers.net:80 \
		pgp.mit.edu \
	; do \
		echo "Fetching GPG key $GPG_KEYS from $server"; \
		gpg --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$GPG_KEYS" && found=yes && break; \
	done; \
	test -z "$found" && echo >&2 "error: failed to fetch GPG key $GPG_KEYS" && exit 1; \
	gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \
	&& rm -rf "$GNUPGHOME" nginx.tar.gz.asc \
	&& mkdir -p /usr/src \
	&& tar -zxC /usr/src -f nginx.tar.gz \
	&& tar -zxC /usr/src -f ngx_cache_purge-2.3.tar.gz \
	&& rm nginx.tar.gz \
	&& rm ngx_cache_purge-2.3.tar.gz \
	&& cd /usr/src/nginx-$NGINX_VERSION \
	&& ./configure $CONFIG --with-debug \
	&& make -j$(getconf _NPROCESSORS_ONLN) \
	&& mv objs/nginx objs/nginx-debug \
	&& mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \
	&& mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \
	&& mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \
	&& mv objs/ngx_http_perl_module.so objs/ngx_http_perl_module-debug.so \
	&& mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \
	&& ./configure $CONFIG \
	&& make -j$(getconf _NPROCESSORS_ONLN) \
	&& make install \
	&& rm -rf /etc/nginx/html/ \
	&& mkdir /etc/nginx/conf.d/ \
	&& mkdir -p /usr/share/nginx/html/ \
	&& install -m644 html/index.html /usr/share/nginx/html/ \
	&& install -m644 html/50x.html /usr/share/nginx/html/ \
	&& install -m755 objs/nginx-debug /usr/sbin/nginx-debug \
	&& install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \
	&& install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \
	&& install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \
	&& install -m755 objs/ngx_http_perl_module-debug.so /usr/lib/nginx/modules/ngx_http_perl_module-debug.so \
	&& install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \
	&& ln -s ../../usr/lib/nginx/modules /etc/nginx/modules \
	&& strip /usr/sbin/nginx* \
	&& strip /usr/lib/nginx/modules/*.so \
	&& rm -rf /usr/src/nginx-$NGINX_VERSION \
	\
	# Bring in gettext so we can get `envsubst`, then throw
	# the rest away. To do this, we need to install `gettext`
	# then move `envsubst` out of the way so `gettext` can
	# be deleted completely, then move `envsubst` back.
	&& apk add --no-cache --virtual .gettext gettext \
	&& mv /usr/bin/envsubst /tmp/ \
	\
	&& runDeps="$( \
		scanelf --needed --nobanner /usr/sbin/nginx /usr/lib/nginx/modules/*.so /tmp/envsubst \
			| awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
			| sort -u \
			| xargs -r apk info --installed \
			| sort -u \
	)" \
	&& apk add --no-cache --virtual .nginx-rundeps $runDeps \
	&& apk del .build-deps \
	&& apk del .gettext \
	&& mv /tmp/envsubst /usr/local/bin/ \
	\
	# Bring in tzdata so users could set the timezones through the environment
	# variables
	&& apk add --no-cache tzdata \
	\
	# forward request and error logs to docker log collector
	&& ln -sf /dev/stdout /var/log/nginx/access.log \
	&& ln -sf /dev/stderr /var/log/nginx/error.log

COPY nginx.conf /etc/nginx/nginx.conf
COPY nginx.vh.default.conf /etc/nginx/conf.d/default.conf

EXPOSE 80

STOPSIGNAL SIGTERM

CMD ["nginx", "-g", "daemon off;"]
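
The `no member named 'connect_port_n'` and `'connect_host'` errors in the build reports above appear when the module is compiled against an nginx tree that its patch never modified; with a single file argument, `patch -p1 FILE` treats FILE as the file to patch and reads the diff from standard input, so the patch has to be supplied with `<` or `-i` from inside the source root. The following pre-build check is an added example (not from the posts or the project): the function names are hypothetical, and it assumes the members named in those errors are declared in `src/http/ngx_http_request.h` once the patch is applied.

```shell
#!/bin/sh
# Added example: confirm the proxy_connect patch really changed the nginx tree
# before running ./configure && make. Function names are hypothetical.

# Exit status 0: members present. 1: patch not applied. 2: not an nginx tree.
proxy_connect_patch_applied() {
    header="$1/src/http/ngx_http_request.h"
    [ -f "$header" ] || { echo "no $header (wrong directory?)" >&2; return 2; }
    # Member names taken from the compiler errors quoted on this page.
    for member in connect_host connect_port_n; do
        if ! grep -qw "$member" "$header"; then
            echo "ngx_http_request_t has no '$member': patch not applied" >&2
            return 1
        fi
    done
    return 0
}

# Apply PATCH_FILE inside SRC_DIR (the unpacked nginx-x.y.z directory).
# usage: apply_proxy_connect_patch SRC_DIR PATCH_FILE
apply_proxy_connect_patch() {
    src_dir=$1
    patch_file=$2
    # The patch runs after a cd, so a relative patch path must be made absolute.
    case $patch_file in /*) ;; *) patch_file="$PWD/$patch_file" ;; esac
    [ -r "$patch_file" ] || { echo "cannot read $patch_file" >&2; return 2; }
    [ -d "$src_dir/src/http" ] || { echo "$src_dir is not an nginx tree" >&2; return 2; }

    if proxy_connect_patch_applied "$src_dir" 2>/dev/null; then
        echo "patch already applied to $src_dir"
        return 0
    fi

    # Dry run first: a patch written for another nginx version must not leave
    # the tree half modified.
    (cd "$src_dir" && patch -p1 --dry-run -i "$patch_file" >/dev/null) || {
        echo "patch does not apply cleanly to $src_dir" >&2
        return 1
    }
    # -i names the diff explicitly instead of relying on stdin redirection.
    (cd "$src_dir" && patch -p1 -i "$patch_file" >/dev/null) || return 1

    # Fail the build step here rather than deep inside make.
    proxy_connect_patch_applied "$src_dir"
}
```

In a Dockerfile the call belongs after the tarball is unpacked and before `./configure`, so a failed or skipped patch stops the build with a clear message.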

SNI Support for CONNECT

Hi,

I am trying to use your module to connect to a SNI enforcing upstream.

I have compiled NGINX with SNI support, so when hitting NGINX with HTTP, based on a location rule, I am able to re-direct to upstream forcing HTTPS, NGINX's module then takes the lead and connects to upstream using SNI.

However, when I hit NGINX using HTTPS, a CONNECT request comes out of my app. (This is where I believe your module kicks in by providing CONNECT support for NGINX), however when NGINX attempts to contact upstream, I am getting this back:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: tlsv1 unrecognized name

Which is the error indicating SNI is not being used to contact upstream. Therefore upstream errors out.

Are there any plans for your module to support SNI on CONNECT?

Thanks!

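nginx logging and HTTP proxy problem

1. Why is the status code in the nginx log 000? Is it because HTTP CONNECT works at layer 4 and the application-layer HTTP status code cannot be parsed?

2. When using this module to proxy HTTP, the following site times out, and the status codes recorded in the log are 404 and 499. However, it should normally return the Tomcat 405 error page. When I proxy the HTTP request with nginx's native module, the Tomcat 405 error page is returned normally. Why?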
http://onlineuat.cupdata.com:50001/dbesbsit/api/requestEncrypt

intercepting ssl

Given nginx's new ssl_preread functionality, could we see an example configuration wherein nginx spoofs the certificate from the remote server being proxied?

unexpected requests in log

Hi!
This is part of access.log
85.97.129.80 - - [21/Sep/2018:19:03:35 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
116.212.150.49 - - [21/Sep/2018:20:41:54 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
60.191.38.78 - - [21/Sep/2018:20:45:01 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
79.120.133.202 - - [21/Sep/2018:20:53:26 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
46.153.21.60 - - [21/Sep/2018:21:27:10 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"

I have never sent a request from these IPs. And I set auth_basic_user_file, but these requests still exist.
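
A forward-proxy port reachable from the Internet will log requests from clients you do not know, so it helps to separate trusted from untrusted sources and to spot CONNECT targets outside the ports you meant to allow (`443 563` in the README's configuration). The script below is an added example, not part of the original post or the project: the function names, the trusted network and the log lines are constructed for illustration, and it assumes nginx's default combined log format.

```shell
#!/bin/sh
# Added example: triage an access log from a forward-proxy listener.
# Prints "client method target reason" for every request that comes from
# outside the trusted networks or is a CONNECT to a port not on the allow list.

# usage: triage_proxy_log LOGFILE|- "CIDR[,CIDR...]" "PORT[,PORT...]"
triage_proxy_log() {
    awk -v nets="$2" -v ports="$3" '
    function ip2int(ip,   o) {
        # IPv6 or malformed addresses return -1 and are treated as untrusted
        if (split(ip, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_net(ip, cidr,   p, size, base, n) {
        if (split(cidr, p, "/") != 2) p[2] = 32   # bare address = single host
        size = 2 ^ (32 - p[2])                     # addresses in the block
        base = ip2int(p[1]); n = ip2int(ip)
        return n >= 0 && base >= 0 && int(n / size) == int(base / size)
    }
    function trusted(ip,   i) {
        for (i = 1; i <= nnets; i++) if (in_net(ip, netlist[i])) return 1
        return 0
    }
    BEGIN {
        nnets = split(nets, netlist, ",")
        np = split(ports, pl, ",")
        for (i = 1; i <= np; i++) okport[pl[i]] = 1
    }
    {
        # combined format: $1 is the client, the request line is the first
        # double-quoted field ("METHOD target HTTP/x.y")
        if (split($0, q, "\"") < 3) next
        split(q[2], req, " ")
        method = req[1]; target = req[2]
        reason = ""
        if (!trusted($1)) reason = "untrusted-client"
        if (method == "CONNECT") {
            port = target; sub(/^.*:/, "", port)   # text after the last colon
            if (!(port in okport))
                reason = (reason ? reason "," : "") "port-not-allowed"
        }
        if (reason != "") print $1, method, target, reason
    }' "$1"
}

# Constructed sample lines (documentation address ranges, made-up sizes).
sample_proxy_log() {
    cat <<'EOF'
192.168.0.138 - - [17/Jan/2019:21:38:30 +0000] "CONNECT registry.npmjs.org:443 HTTP/1.1" 200 5120 "-" "npm"
192.168.0.138 - - [17/Jan/2019:21:38:31 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 403 0 "-" "-"
203.0.113.9 - - [21/Sep/2018:19:03:35 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Sep/2018:20:41:54 +0800] "CONNECT example.org:443 HTTP/1.1" 200 0 "-" "-"
EOF
}

# Example: sample_proxy_log | triage_proxy_log - "192.168.0.0/16" "443,563"
```

Requests flagged `untrusted-client` are the ones to close off at the network layer or with source-address restrictions on the listener; `port-not-allowed` entries show what clients tried to reach beyond the intended ports.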

bug: last version + openresty 1.13.6.2 + fedora 28, core dumped.

the same steps with: https://github.com/chobits/ngx_http_proxy_connect_module#install

$ cat /etc/redhat-release
Fedora release 28 (Twenty Eight)

$ /usr/local/openresty/bin/openresty -V
nginx version: openresty/1.13.6.2
built by gcc 8.2.1 20181105 (Red Hat 8.2.1-5) (GCC)
built with OpenSSL 1.1.0i-fips  14 Aug 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.13 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.5 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --add-module=/home/resty/ins_pkg/ngx_http_proxy_connect_module --with-stream --with-stream_ssl_module --with-http_ssl_module
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/openresty/bin/openresty...done.

warning: core file may not match specified executable file.
[New LWP 93748]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `nginx: worker process                                                    '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000004813df in ngx_http_index_handler (r=0x170a7a0) at src/http/modules/ngx_http_index_module.c:112
112	    if (r->uri.data[r->uri.len - 1] != '/') {
Missing separate debuginfos, use: dnf debuginfo-install libgcc-8.2.1-5.fc28.x86_64
(gdb) bt
#0  0x00000000004813df in ngx_http_index_handler (r=0x170a7a0) at src/http/modules/ngx_http_index_module.c:112
#1  0x000000000045585e in ngx_http_core_content_phase (r=0x170a7a0, ph=0x171eea8) at src/http/ngx_http_core_module.c:1195
#2  0x0000000000450915 in ngx_http_core_run_phases (r=r@entry=0x170a7a0) at src/http/ngx_http_core_module.c:862
#3  0x00000000004509e6 in ngx_http_handler (r=r@entry=0x170a7a0) at src/http/ngx_http_core_module.c:845
#4  0x000000000045a7b6 in ngx_http_process_request (r=0x170a7a0) at src/http/ngx_http_request.c:2010
#5  0x000000000045ac82 in ngx_http_process_request_headers (rev=rev@entry=0x7f4bf428a0d0) at src/http/ngx_http_request.c:1424
#6  0x000000000045b0e1 in ngx_http_process_request_line (rev=0x7f4bf428a0d0) at src/http/ngx_http_request.c:1096
#7  0x000000000044635e in ngx_epoll_process_events (cycle=<optimized out>, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:902
#8  0x000000000043e0ab in ngx_process_events_and_timers (cycle=cycle@entry=0x16fbf50) at src/event/ngx_event.c:252
#9  0x00000000004445ba in ngx_worker_process_cycle (cycle=0x16fbf50, data=<optimized out>) at src/os/unix/ngx_process_cycle.c:820
#10 0x00000000004430f2 in ngx_spawn_process (cycle=cycle@entry=0x16fbf50, proc=proc@entry=0x444540 <ngx_worker_process_cycle>, data=data@entry=0x0,
    name=name@entry=0x52c915 "worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:198
#11 0x0000000000444a0c in ngx_start_worker_processes (cycle=cycle@entry=0x16fbf50, n=1, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:396
#12 0x00000000004452d3 in ngx_master_process_cycle (cycle=0x16fbf50) at src/os/unix/ngx_process_cycle.c:135
#13 0x000000000041eb81 in main (argc=3, argv=<optimized out>) at src/core/nginx.c:384
(gdb) bt full
#0  0x00000000004813df in ngx_http_index_handler (r=0x170a7a0) at src/http/modules/ngx_http_index_module.c:112
        p = <optimized out>
        name = <optimized out>
        len = <optimized out>
        root = 0
        reserve = <optimized out>
        allocated = <optimized out>
        rc = <optimized out>
        path = {len = 14583431671641719254, data = 0xca62c1d6ca62c1d6 <error: Cannot access memory at address 0xca62c1d6ca62c1d6>}
        uri = {len = 7, data = 0x0}
        i = <optimized out>
        dir_tested = <optimized out>
        index = <optimized out>
        of = {fd = 23991712, uniq = 4343909, mtime = 0, size = 206158430256, fs_size = 140734846990984, directio = 140734846990784, read_ahead = 2, err = 0,
          failed = 0x1000 <error: Cannot access memory at address 0x1000>, valid = 0, min_uses = 7, disable_symlinks_from = 0, disable_symlinks = 0, test_dir = 0,
          test_only = 0, log = 0, errors = 0, events = 0, is_dir = 0, is_file = 0, is_link = 0, is_exec = 0, is_directio = 0}
        code = <optimized out>
        e = {ip = 0x0, pos = 0x0, sp = 0x0, buf = {len = 0, data = 0x0}, line = {len = 0, data = 0x0}, args = 0x16e1590 "\002", flushed = 0, skip = 0, quote = 0, is_args = 0,
          log = 1, status = 15, request = 0x3}
        clcf = <optimized out>
        ilcf = <optimized out>
        lcode = <optimized out>
#1  0x000000000045585e in ngx_http_core_content_phase (r=0x170a7a0, ph=0x171eea8) at src/http/ngx_http_core_module.c:1195
        root = 12
        rc = <optimized out>
        path = {len = 0, data = 0x4548cf <ngx_http_core_generic_phase+15> "H\205\300t,H\211\306H\203\370\373t7H\203\340\375\061\355H\203\370\374t\bH\211\337\350\317P"}
#2  0x0000000000450915 in ngx_http_core_run_phases (r=r@entry=0x170a7a0) at src/http/ngx_http_core_module.c:862
        rc = <optimized out>
        ph = 0x171ed58
        cmcf = <optimized out>
#3  0x00000000004509e6 in ngx_http_handler (r=r@entry=0x170a7a0) at src/http/ngx_http_core_module.c:845
        cmcf = <optimized out>
#4  0x000000000045a7b6 in ngx_http_process_request (r=0x170a7a0) at src/http/ngx_http_request.c:2010
        c = 0x7f4bf05441e0
#5  0x000000000045ac82 in ngx_http_process_request_headers (rev=rev@entry=0x7f4bf428a0d0) at src/http/ngx_http_request.c:1424
        p = <optimized out>
        len = <optimized out>
        n = <optimized out>
        rc = <optimized out>
---Type <return> to continue, or q <return> to quit---
        rv = <optimized out>
        h = <optimized out>
        c = <optimized out>
        hh = <optimized out>
        r = <optimized out>
        cscf = <optimized out>
        cmcf = <optimized out>
#6  0x000000000045b0e1 in ngx_http_process_request_line (rev=0x7f4bf428a0d0) at src/http/ngx_http_request.c:1096
        n = <optimized out>
        rc = <optimized out>
        rv = <optimized out>
        host = {len = 9, data = 0x16e1f58 "baidu.com:443 HTTP/1.1\r\nHost"}
        c = 0x7f4bf05441e0
        r = 0x170a7a0
#7  0x000000000044635e in ngx_epoll_process_events (cycle=<optimized out>, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:902
        events = <optimized out>
        revents = 1
        instance = 0
        i = <optimized out>
        level = <optimized out>
        err = 0
        rev = <optimized out>
        wev = <optimized out>
        queue = <optimized out>
        c = 0x7f4bf05441e0
#8  0x000000000043e0ab in ngx_process_events_and_timers (cycle=cycle@entry=0x16fbf50) at src/event/ngx_event.c:252
        flags = <optimized out>
        timer = <optimized out>
        delta = 1545309747113
        q = <optimized out>
        ev = <optimized out>
#9  0x00000000004445ba in ngx_worker_process_cycle (cycle=0x16fbf50, data=<optimized out>) at src/os/unix/ngx_process_cycle.c:820
        worker = <optimized out>
#10 0x00000000004430f2 in ngx_spawn_process (cycle=cycle@entry=0x16fbf50, proc=proc@entry=0x444540 <ngx_worker_process_cycle>, data=data@entry=0x0,
    name=name@entry=0x52c915 "worker process", respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:198
        on = 1
        pid = 0
        s = 0
#11 0x0000000000444a0c in ngx_start_worker_processes (cycle=cycle@entry=0x16fbf50, n=1, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:396
---Type <return> to continue, or q <return> to quit---
        i = 0
        ch = {command = 1, pid = 0, slot = 0, fd = 0}
#12 0x00000000004452d3 in ngx_master_process_cycle (cycle=0x16fbf50) at src/os/unix/ngx_process_cycle.c:135
        title = 0x171f020 "master process /usr/local/openresty/bin/openresty -p /home/resty/git/membphis/edge-node/"
        p = <optimized out>
        size = <optimized out>
        i = <optimized out>
        n = <optimized out>
        sigio = <optimized out>
        set = {__val = {0 <repeats 16 times>}}
        itv = {it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 9, tv_usec = 49}}
        live = <optimized out>
        delay = <optimized out>
        ls = <optimized out>
        ccf = 0x16fdd10
#13 0x000000000041eb81 in main (argc=3, argv=<optimized out>) at src/core/nginx.c:384
        b = <optimized out>
        log = 0x78f160 <ngx_log>
        i = <optimized out>
        cycle = 0x16fbf50
        init_cycle = {conf_ctx = 0x0, pool = 0x16e1f50, log = 0x78f160 <ngx_log>, new_log = {log_level = 0, file = 0x0, connection = 0, disk_full_time = 0, handler = 0x0,
            data = 0x0, writer = 0x0, wdata = 0x0, action = 0x0, next = 0x0}, log_use_stderr = 0, files = 0x0, free_connections = 0x0, free_connection_n = 0, modules = 0x0,
          modules_n = 0, modules_used = 0, reusable_connections_queue = {prev = 0x0, next = 0x0}, reusable_connections_n = 0, listening = {elts = 0x0, nelts = 0, size = 0,
            nalloc = 0, pool = 0x0}, paths = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, config_dump = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0},
          config_dump_rbtree = {root = 0x0, sentinel = 0x0, insert = 0x0}, config_dump_sentinel = {key = 0, left = 0x0, right = 0x0, parent = 0x0, color = 0 '\000',
            data = 0 '\000'}, open_files = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, shared_memory = {last = 0x0, part = {
              elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, connection_n = 0, files_n = 0, connections = 0x0, read_events = 0x0, write_events = 0x0,
          old_cycle = 0x0, conf_file = {len = 50, data = 0x16e1fa0 "oxy-Connection"}, conf_param = {len = 0, data = 0x0}, conf_prefix = {len = 40,
            data = 0x16e1fa0 "oxy-Connection"}, prefix = {len = 35, data = 0x7fff62900721 ""}, lock_file = {len = 0, data = 0x0}, hostname = {len = 0, data = 0x0},
          intercept_error_log_handler = 0x0, intercept_error_log_data = 0x0, entered_logger = 0}
        cd = <optimized out>
        ccf = <optimized out>
(gdb)

[bugfix & analysis] coredump after ngx_http_proxy_connect_send_connection_established

reproduce

  • command:
$ cat connect_request.data
CONNECT test.com:443 HTTP/1.1
Host: test.com:443
Proxy-Connection: Keep-Alive

$ cat connect_request.data| nc 127.0.0.1 8080
HTTP/1.0 200 Connection Established
Proxy-agent: nginx

$ grep exited logs/error.log
2017/10/03 13:10:47 [alert] 64613#0: worker process 65055 exited on signal 11 (core dumped)
  • nginx.conf:
    server {
        listen       8080;
        server_name  localhost;
        resolver 8.8.8.8;
        proxy_connect;
        proxy_connect_allow all;
    }

[TODO] Support nginx 1.15.x

The patch can't be applied to nginx 1.15.1 now, so I can't use the module. Could you add support for nginx 1.15.1?

Tunneling SSH over HTTP - 502 Bad Gateway

For SSH tunneling I am using default config as you proposed, except I do:
proxy_connect_allow 22;

I configured my SSH config with the following:
ProxyCommand /usr/bin/proxytunnel -p public-address:80 -d remote-host:22 -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)"

When I used nginx streams it works, but with streams I am limited to just SSH and cannot use locations with http web sites. I want to mix this by using this plugin.

The web site with proxy_pass works fine, but I cannot connect to SSH:
HTTP return code: 502 Bad Gateway

It even reports for some few seconds on execution in terminal:
Via public-address:80 -> remote-address-behing-proxy:22

Any idea?

Connection timed out errors

I'm getting:

2019/01/17 21:38:32 [error] 4213#4213: *12683 upstream timed out (110: Connection timed out) while connecting to upstream(proxy_connect), client: 192.168.0.138, server: , request: "CONNECT registry.npmjs.org:443 HTTP/1.1", host: "registry.npmjs.org"

When trying to do an npm install through the proxy. What happens is, I will get maybe a hundred or so successful upstream connections, and then this error will start to appear and npm will never recover.

Both my systems are on AWS EC2. My nginx.conf file looks like this:

worker_processes 1;

error_log /var/log/nginx/error.log info;

pid /run/nginx.pid;

events {
  worker_connections 1024;
}

http {
  include mime.types;
  default_type application/octet-stream;
  sendfile on;
  keepalive_timeout 65;

  server {
    listen 3128;
    resolver 127.0.0.53 ipv6=off;
    resolver_timeout 30s;

    # Forward proxy for CONNECT requests
    proxy_connect;
    proxy_connect_allow 443;
    proxy_connect_connect_timeout 30s;
    proxy_connect_read_timeout 30s;
    proxy_connect_send_timeout 30s;

    # Forward proxy for non-CONNECT request
    location / {
      proxy_pass http://$host;
      proxy_set_header Host $host;
    }
  }
}

I found I had to add the ipv6=off or I'd get this error almost constantly. Apparently there is a race condition with the DNS server sometimes returning an IPv6 record before the IPv4 one.

[TODO] support HTTP2: make CONNECT tunnel work under H2 protocol

  1. for how to handle CONNECT tunnel in HTTP protocol, see http://httpwg.org/specs/rfc7540.html#CONNECT
  2. some implementation discussion in #22 (comment)

At least three points we should pay attention to:

  1. This module only patches HTTP status line parsing function for parsing CONNECT method.
    HTTP2 module has its own parsing function, which is not patched by this module.
  2. How to notify client that this module has established tunnel (maybe return 200 establish, not sure)?
  3. How to upgrade client HTTP2 connection to TCP stream tunnel (maybe upgrade one HTTP stream not the whole connection, not sure)?

compiling nginx fails

I receive this error when running the make command:


/home/ubuntu/nginx-1.12.1/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.c:171:7: error: ‘ngx_http_null_variable’ undeclared here (not in a function)
       ngx_http_null_variable
       ^
objs/Makefile:1765: recipe for target 'objs/addon/ngx_http_proxy_connect_module/ngx_http_proxy_connect_module.o' failed

I believe this is due to the most recent commit as I was able to compile it yesterday with no issues...
