This module provides support for the CONNECT HTTP method after Tengine version 2.3.0.
This method is mainly used to tunnel SSL requests through proxy servers.
Example
Configuration Example
server { |
Example for curl
With above configuration, you can get any https website via HTTP CONNECT tunnel.
A simple test with command curl
is as following:
$ curl https://github.com/ -v -x 127.0.0.1:3128 |
The sequence diagram of above example is as following:
curl nginx (proxy_connect) github.com |
Install
- Build Tengine with this module from source:
$ ./configure --add-module=./modules/ngx_http_proxy_connect_module |
Directive
proxy_connect
Syntax: proxy_connect
Default: none
Context: server
Enable "CONNECT" HTTP method support.
proxy_connect_allow
Syntax: proxy_connect_allow all | [port ...] | [port-range ...]
Default: 443 563
Context: server
This directive specifies a list of port numbers or ranges to which the proxy CONNECT method may connect.
By default, only the default https port (443) and the default snews port (563) are enabled.
Using this directive will override this default and allow connections to the listed ports only.
The value all
will allow all ports to proxy.
The value port
will allow specified port to proxy.
The value port-range
will allow specified range of port to proxy, for example:
proxy_connect_allow 1000-2000 3000-4000; # allow range of port from 1000 to 2000, from 3000 to 4000. |
proxy_connect_connect_timeout
Syntax: proxy_connect_connect_timeout time
Default: none
Context: server
Defines a timeout for establishing a connection with a proxied server.
proxy_connect_read_timeout
Syntax: proxy_connect_read_timeout time
Default: 60s
Context: server
Defines a timeout for reading a response from the proxied server.
The timeout is set only between two successive read operations, not for the transmission of the whole response.
If the proxied server does not transmit anything within this time, the connection is closed.
proxy_connect_send_timeout
Syntax: proxy_connect_send_timeout time
Default: 60s
Context: server
Sets a timeout for transmitting a request to the proxied server.
The timeout is set only between two successive write operations, not for the transmission of the whole request.
If the proxied server does not receive anything within this time, the connection is closed.
proxy_connect_address
Syntax: proxy_connect_address address | off
Default: none
Context: server
Specifiy an IP address of the proxied server. The address can contain variables.
The special value off is equal to none, which uses the IP address resolved from host name of CONNECT request line.
proxy_connect_bind
Syntax: proxy_connect_bind address [transparent] | off
Default: none
Context: server
Makes outgoing connections to a proxied server originate from the specified local IP address with an optional port.
Parameter value can contain variables. The special value off is equal to none, which allows the system to auto-assign the local IP address and port.
The transparent parameter allows outgoing connections to a proxied server originate from a non-local IP address, for example, from a real IP address of a client:
proxy_connect_bind $remote_addr transparent; |
In order for this parameter to work, it is usually necessary to run nginx worker processes with the superuser privileges. On Linux it is not required (1.13.8) as if the transparent parameter is specified, worker processes inherit the CAP_NET_RAW capability from the master process. It is also necessary to configure kernel routing table to intercept network traffic from the proxied server.
Variables
$connect_host
host name from CONNECT request line.
$connect_port
port from CONNECT request line.
$connect_addr
IP address and port of the remote host, e.g. "192.168.1.5:12345".
IP address is resolved from host name of CONNECT request line.
$proxy_connect_connect_timeout
Get or set timeout of proxy_connect_connect_timeout
directive.
For example:
# Set default value |
$proxy_connect_read_timeout
Get or set a timeout of proxy_connect_read_timeout
directive.
$proxy_connect_send_timeout
Get or set a timeout of proxy_connect_send_timeout
directive.
Known Issues
- In HTTP/2, the CONNECT method is not supported. It only supports the CONNECT method request in HTTP/1.x and HTTPS.