本文为joshua317原创文章,转载请注明:转载自joshua317博客 nginx正向代理,支持https模块:ngx_http_proxy_connect_module - joshua317的博客
文档地址:https://github.com/chobits/ngx_http_proxy_connect_module#proxy_connect
文档内容
name
This module provides support for the ConNECT method request. This method is mainly used to tunnel SSL requests through proxy servers.
Table of Contents
nameExample
configuration exampleexample for curlexample for browserexample for basic authenticationInstall
select patchbuild nginx
build as a dynamic modulebuild OpenRestyTest SuiteError LogDirective
proxy_connectproxy_connect_allowproxy_connect_connect_timeoutproxy_connect_read_timeoutproxy_connect_send_timeoutproxy_connect_addressproxy_connect_bindproxy_connect_responseVariables
$connect_host$connect_port$connect_addr$proxy_connect_connect_timeout$proxy_connect_read_timeout$proxy_connect_send_timeout$proxy_connect_resolve_time$proxy_connect_connect_time$proxy_connect_responseCompatibility
Nginx CompatibilityOpenResty CompatibilityTengine CompatibilityFAQKnown IssuesSee AlsoAuthorLicense
Example
Configuration Example
server {
listen 3128;
# dns resolver used by forward proxying
resolver 8.8.8.8;
# forward proxy for ConNECT request
proxy_connect;
proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
# forward proxy for non-ConNECT request
location / {
proxy_pass http://$host;
proxy_set_header Host $host;
}
}
server {
listen 3128;
# dns resolver used by forward proxying
resolver 8.8.8.8;
# forward proxy for ConNECT request
proxy_connect;
proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
# forward proxy for non-ConNECT request
location / {
proxy_pass http://$host;
proxy_set_header Host $host;
}
}
nginx
Copy
Example for curl
With above configuration, you can get any https website via HTTP ConNECT tunnel. A simple test with command curl is as following:
$ curl https://github.com/ -v -x 127.0.0.1:3128 * Trying 127.0.0.1... -. * Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0) | curl creates TCP connection with nginx (with proxy_connect module). * Establish HTTP proxy tunnel to github.com:443 -' > ConNECT github.com:443 HTTP/1.1 -. > Host: github.com:443 (1) | curl sends ConNECT request to create tunnel. > User-Agent: curl/7.43.0 | > Proxy-Connection: Keep-Alive -' > < HTTP/1.0 200 Connection Established .- nginx replies 200 that tunnel is established. < Proxy-agent: nginx (2)| (The client is now being proxied to the remote host. Any data sent < '- to nginx is now forwarded, unmodified, to the remote host) * Proxy replied OK to ConNECT request * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -. * Server certificate: github.com | * Server certificate: DigiCert SHA2 Extended Validation Server CA | curl sends "https://github.com" request via tunnel, * Server certificate: DigiCert High Assurance EV Root CA | proxy_connect module will proxy data to remote host (github.com). > GET / HTTP/1.1 | > Host: github.com (3) | > User-Agent: curl/7.43.0 | > Accept: */* -' > < HTTP/1.1 200 OK .- < Date: Fri, 11 Aug 2017 04:13:57 GMT | < Content-Type: text/html; charset=utf-8 | Any data received from remote host will be sent to client < Transfer-Encoding: chunked | by proxy_connect module. < Server: GitHub.com (4)| < Status: 200 OK | < Cache-Control: no-cache | < Vary: X-PJAX | ... | ...... | ... '-
The sequence diagram of above example is as following:
curl nginx (proxy_connect) github.com
| | |
(1) |-- ConNECT github.com:443 -->| |
| | |
| |----[ TCP connection ]--->|
| | |
(2) |<- HTTP/1.1 200 ---| |
| Connection Established | |
| | |
| |
========= ConNECT tunnel has been established. ===========
| |
| | |
| | |
| [ SSL stream ] | |
(3) |---[ GET / HTTP/1.1 ]----->| [ SSL stream ] |
| [ Host: github.com ] |---[ GET / HTTP/1.1 ]-->.
| | [ Host: github.com ] |
| | |
| | |
| | |
| | [ SSL stream ] |
| [ SSL stream ] |<--[ HTTP/1.1 200 OK ]---'
(4) |<--[ HTTP/1.1 200 OK ]------| [ < html page > ] |
| [ < html page > ] | |
| | |
Example for browser
You can configure your browser to use this nginx as PROXY server.
Google Chrome HTTPS PROXY SETTING: guide & config for how to configure this module working under SSL layer.
Example for Basic Authentication
We can do access control on ConNECT request using nginx auth basic module.
See this guide for more details.
Install
Select patch
Select right patch for building:
| nginx version | enable REWRITE phase | patch |
|---|---|---|
| 1.4.x ~ 1.12.x | NO | proxy_connect.patch |
| 1.4.x ~ 1.12.x | YES | proxy_connect_rewrite.patch |
| 1.13.x ~ 1.14.x | NO | proxy_connect_1014.patch |
| 1.13.x ~ 1.14.x | YES | proxy_connect_rewrite_1014.patch |
| 1.15.2 | YES | proxy_connect_rewrite_1015.patch |
| 1.15.4 ~ 1.16.x | YES | proxy_connect_rewrite_101504.patch |
| 1.17.x ~ 1.18.0 | YES | proxy_connect_rewrite_1018.patch |
| 1.19.x ~ 1.21.0 | YES | proxy_connect_rewrite_1018.patch |
| 1.21.1 | YES | proxy_connect_rewrite_102101.patch |
| OpenResty version | enable REWRITE phase | patch |
|---|---|---|
| 1.13.6 | NO | proxy_connect_1014.patch |
| 1.13.6 | YES | proxy_connect_rewrite_1014.patch |
| 1.15.8 | YES | proxy_connect_rewrite_101504.patch |
| 1.17.8 | YES | proxy_connect_rewrite_1018.patch |
| 1.19.3 | YES | proxy_connect_rewrite_1018.patch |
| 1.21.1 | YES | proxy_connect_rewrite_102101.patch |
proxy_connect_ Build nginx with this module from source:
Bash Copy Starting from nginx 1.9.11, you can also compile this module as a dynamic module, by using the --add-dynamic-module=PATH option instead of --add-module=PATH on the ./configure command line.
Bash Copy And then you can explicitly load the module in your nginx.conf via the load_module directive, for example,
Build OpenResty with this module from source:
Bash Copy To run the whole test suite:
Bash Copy This module logs its own error message beginning with "proxy_connect:" string. The proxy_connect module tries to establish tunnel connection with backend server, but the TCP connection timeout occurs.
Syntax: proxy_connect Enable "CONNECT" HTTP method support. Syntax: proxy_connect_allow all | [port ...] | [port-range ...] This directive specifies a list of port numbers or ranges to which the proxy ConNECT method may connect. The value all will allow all ports to proxy. The value port will allow specified port to proxy. The value port-range will allow specified range of port to proxy, for example: Syntax: proxy_connect_connect_timeout time Defines a timeout for establishing a connection with a proxied server. Syntax: proxy_connect_read_timeout time Defines a timeout for reading a response from the proxied server. Syntax: proxy_connect_send_timeout time Sets a timeout for transmitting a request to the proxied server. Syntax: proxy_connect_address address | off Specifiy an IP address of the proxied server. The address can contain variables. NOTE: If using set $ Syntax: proxy_connect_bind address [transparent] | off Makes outgoing connections to a proxied server originate from the specified local IP address with an optional port. The transparent parameter allows outgoing connections to a proxied server originate from a non-local IP address, for example, from a real IP address of a client: In order for this parameter to work, it is usually necessary to run nginx worker processes with the superuser privileges. On Linux it is not required (1.13.8) as if the transparent parameter is specified, worker processes inherit the CAP_NET_RAW capability from the master process. It is also necessary to configure kernel routing table to intercept network traffic from the proxied server. NOTE: If using set $ Syntax: proxy_connect_response ConNECT response Set the response of ConNECT request. Note that it is only used for ConNECT request, it cannot modify the data flow over ConNECT tunnel. For example: The curl command test case with above config is as following: host name from ConNECT request line. port from ConNECT request line. IP address and port of the remote host, e.g. "192.168.1.5:12345". IP address is resolved from host name of ConNECT request line. Get or set timeout of proxy_connect_connect_timeout directive. For example: nginx Copy Get or set a timeout of proxy_connect_read_timeout directive. Get or set a timeout of proxy_connect_send_timeout directive. Keeps time spent on name resolving; the time is kept in seconds with millisecond resolution. Value of "" means this module does not work on this request.Value of "-" means name resolving failed.
Keeps time spent on establishing a connection with the upstream server; the time is kept in seconds with millisecond resolution. Value of "" means this module does not work on this request.Value of "-" means name resolving or connecting failed.
Get or set the response of ConNECT request. Note that it is only used for ConNECT request, it cannot modify the data flow over ConNECT tunnel. For example: nginx Copy The variable value does not support nginx variables. You can use lua-nginx-module to construct string that contains nginx variable. For example: nginx Copy Also note that set or rewrite_by_lua* directive is run during the REWRITE phase, which is ahead of dns resolving phase. It cannot get right value of some variables, for example, $connect_addr value is nil. In such case, you should use proxy_connect_response directive instead. The latest module is compatible with the following versions of nginx: 1.19.6 (mainline version of 1.19.x ~ 1.20.x)1.18.0 (stable version of 1.18.x)1.16.1 (stable version of 1.16.x)1.14.2 (stable version of 1.14.x)1.12.1 (stable version of 1.12.x)1.10.3 (stable version of 1.10.x)1.8.1 (stable version of 1.8.x)1.6.3 (stable version of 1.6.x)1.4.7 (stable version of 1.4.x)
The latest module is compatible with the following versions of OpenResty: 1.13.6 (version: 1.13.6.2)1.15.8 (version: 1.15.8.1)1.17.8 (version: 1.17.8.2)1.19.3 (version: 1.19.3.1)
This module has been integrated into Tengine 2.3.0. Tengine ngx_http_proxy_connect_module documentationMerged pull request for Tengine 2.3.0.
See FAQ page. In HTTP/2, the ConNECT method is not supported. It only supports the ConNECT method request in HTTP/1.x and HTTPS.
HTTP tunnel - WikipediaConNECT method in HTTP/1.1ConNECT method in HTTP/2
Peng Qi: original author. He contributed this module to Tengine in this pull request.Xiaochen Wang: current maintainer. Rebuild this module for nginx.
See LICENSE for details. 本文为joshua317原创文章,转载请注明:转载自joshua317博客 nginx正向代理,支持https模块:ngx_http_proxy_connect_module - joshua317的博客 Build nginx
$ wget http://nginx.org/download/nginx-1.9.2.tar.gz
$ tar -xzvf nginx-1.9.2.tar.gz
$ cd nginx-1.9.2/
$ patch -p1 < /path/to/ngx_http_proxy_connect_module/patch/proxy_connect.patch
$ ./configure --add-module=/path/to/ngx_http_proxy_connect_module
$ make && make install
Build as a dynamic module
$ $ wget http://nginx.org/download/nginx-1.9.12.tar.gz
$ tar -xzvf nginx-1.9.12.tar.gz
$ cd nginx-1.9.12/
$ patch -p1 < /path/to/ngx_http_proxy_connect_module/patch/proxy_connect.patch
$ ./configure --add-dynamic-module=/path/to/ngx_http_proxy_connect_module
$ make && make install
load_module /path/to/modules/ngx_http_proxy_connect_module.so;
Build OpenResty
$ wget https://openresty.org/download/openresty-1.19.3.1.tar.gz
$ tar -zxvf openresty-1.19.3.1.tar.gz
$ cd openresty-1.19.3.1
$ ./configure --add-module=/path/to/ngx_http_proxy_connect_module
$ patch -d build/nginx-1.19.3/ -p 1 < /path/to/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_101504.patch
$ make && make install
Test Suite
$ hg clone http://hg.nginx.org/nginx-tests/
$ export TEST_NGINX_BINARY=/path/to/nginx/binary
$ prove -v -I /path/to/nginx-tests/lib /path/to/ngx_http_proxy_connect_module/t/
Error Log
Some typical error logs are shown as following:2019/08/07 17:27:20 [error] 19257#0: *1 proxy_connect: upstream connect timed out (peer:216.58.200.4:443) while connecting to upstream, client: 127.0.0.1, server: , request: "ConNECT www.google.com:443 HTTP/1.1", host: "www.google.com:443"
Directive
proxy_connect
Default: none
Context: serverproxy_connect_allow
Default: 443 563
Context: server
By default, only the default https port (443) and the default snews port (563) are enabled.
Using this directive will override this default and allow connections to the listed ports only.proxy_connect_allow 1000-2000 3000-4000; # allow range of port from 1000 to 2000, from 3000 to 4000.
proxy_connect_connect_timeout
Default: none
Context: serverproxy_connect_read_timeout
Default: 60s
Context: server
The timeout is set only between two successive read operations, not for the transmission of the whole response.
If the proxied server does not transmit anything within this time, the connection is closed.proxy_connect_send_timeout
Default: 60s
Context: server
The timeout is set only between two successive write operations, not for the transmission of the whole request.
If the proxied server does not receive anything within this time, the connection is closed.proxy_connect_address
Default: none
Context: server
The special value off is equal to none, which uses the IP address resolved from host name of ConNECT request line.proxy_connect_bind
Default: none
Context: server
Parameter value can contain variables. The special value off is equal to none, which allows the system to auto-assign the local IP address and port.proxy_connect_bind $remote_addr transparent;
proxy_connect_response
Default: HTTP/1.1 200 Connection EstablishedrnProxy-agent: nginxrnrn
Context: serverproxy_connect_response "HTTP/1.1 200 Connection EstablishedrnProxy-agent: nginxrnX-Proxy-Connected-Addr: $connect_addrrnrn";
$ curl https://github.com -sv -x localhost:3128
* Connected to localhost (127.0.0.1) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to github.com:443
> ConNECT github.com:443 HTTP/1.1
> Host: github.com:443
> User-Agent: curl/7.64.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established --.
< Proxy-agent: nginx | custom ConNECT response
< X-Proxy-Connected-Addr: 13.229.188.59:443 --'
...
Variables
$connect_host
$connect_port
$connect_addr
$proxy_connect_connect_timeout
# Set default value
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
# Overlap default value
if ($host = "test.com") {
set $proxy_connect_connect_timeout "10ms";
set $proxy_connect_read_timeout "10ms";
set $proxy_connect_send_timeout "10ms";
}
$proxy_connect_read_timeout
$proxy_connect_send_timeout
$proxy_connect_resolve_time
$proxy_connect_connect_time
$proxy_connect_response
The default response of ConNECT request is "HTTP/1.1 200 Connection EstablishedrnProxy-agent: nginxrnrn".# modify default Proxy-agent header
set $proxy_connect_response "HTTP/1.1 200rnProxy-agent: nginx/1.19rnrn";
# The ConNECT response may be "HTTP/1.1 200rnProxy-agent: nginx/1.19.6rnrn"
rewrite_by_lua '
ngx.var.proxy_connect_response =
string.format("HTTP/1.1 200\r\nProxy-agent: nginx/%s\r\n\r\n", ngx.var.nginx_version)
';
Compatibility
Nginx Compatibility
OpenResty Compatibility
Tengine Compatibility
FAQ
Known Issues
See Also
Author
LICENSE
