chobits/ngx_http_proxy_connect_module

Client https request gets error 400, but curl on the Nginx server is OK?

swzaaaaaaa opened this issue · 5 comments

Error message:
Looking at access.log, the status code is 400;
Complete log information:
request_method="-" request_uri="-" request_protocol="-" host="localhost" status=400 upadd="-" uri-
Request channel:
windows ----> linux(nginx) ---->https://baidu.com

Note:
The hosts file in Windows maps the domain name (baidu.com) to the Linux IP address.
Direct access over http works from Windows: windows ----> linux(nginx) ---->http://baidu.com
curl https://baidu.com/ -v -x 127.0.0.1:443 on Linux and curl https//baidu.com/ -v -x 127.0.0.1:443 both access normally!

Environment(linux):
Nginx 1.21.5
patch:[proxy_connect_rewrite_102101.patch]

Nginx.conf:

  server {
      listen                         443;
      # dns resolver used by forward proxying
      resolver                       8.8.8.8 ipv6=off;
      # forward proxy for CONNECT request
      proxy_connect;
      proxy_connect_allow            443 563;
      proxy_connect_connect_timeout  10s;
      proxy_connect_data_timeout     10s;
      # forward proxy for non-CONNECT request
      location / {
          proxy_pass http://$host;
          proxy_set_header Host $host;
      }
  }

request_method="-" request_uri="-" request_protocol="-" host="localhost" status=400 upadd="-" uri-
Request channel:

This usually happens when an HTTPS request directly accesses port 443 (as per your configuration, the SSL protocol is not enabled), so Nginx considers this request unresolvable and logs a 400 error.

Direct access over http works from Windows: windows ----> linux(nginx) ---->http://baidu.com/

The http request worked because your "listen 443;" configuration had not enabled the SSL protocol.

curl https://baidu.com/ -v -x 127.0.0.1:443 on Linux and curl https//baidu.com/ -v -x 127.0.0.1:443 both access normally!

If this request can work, this is as expected.

When using the -x option with the curl command for an SSL link starting with https://, a CONNECT tunnel will be established and handled by the proxy_connect module.

Hello, I would like to ask if this problem can be solved if I do not configure the certificate on nginx? Or do I have to configure ssl and certificates to transfer over https?

Whether to configure SSL depends on your requirements and on which type of client you want to support.

For example, with the curl command:

  • if you use the command curl https://baidu.com -x ip:port, you do not need to configure nginx with SSL enabled.
  • if you use the command curl https://baidu.com -x https://ip:port --proxy-insecure, you need to configure nginx with SSL enabled.

For more details and examples, please see the example chapter of our doc: https://github.com/chobits/ngx_http_proxy_connect_module#table-of-contents
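The two replies above (the 400 on a plain `listen 443;` when the client speaks TLS directly, and the two curl proxy modes `-x ip:port` versus `-x https://ip:port`) come down to what the first bytes on the connection look like to the listener. The following is an added example, not code from the issue thread or from the ngx_http_proxy_connect_module project: it builds the CONNECT request a client sends, classifies the opening bytes the way a plain or ssl listener would, parses the proxy's answer, and opens a real tunnel in the `-x ip:port` mode. It generalizes slightly beyond the thread: it also covers the reverse mismatch, a plain CONNECT sent to a `listen 443 ssl;` listener, which nginx likewise answers with 400. The ClientHello bytes and the function names are constructed for this example; the proxy and target hosts passed to `open_tunnel` are assumptions of the caller.

```python
import socket
import ssl
from typing import Tuple

# Constructed sample: opening bytes of a TLS ClientHello record
# (content type 0x16 = handshake, record version 0x0301, record length,
# handshake type 0x01 = ClientHello, handshake length, client version 0x0303).
# Not captured from any real host.
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("16030100f8010000f40303")


def build_connect_request(host: str, port: int = 443) -> bytes:
    """The request a CONNECT-capable client (curl -x proxy:port) sends for an
    https:// URL. proxy_connect answers it and then relays bytes blindly."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "User-Agent: connect-example/0.1\r\n"
        "Proxy-Connection: Keep-Alive\r\n"
        "\r\n"
    ).encode("ascii")


def classify_first_bytes(data: bytes) -> str:
    """Classify the opening bytes a listener receives on a new connection."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-clienthello"
    request_line = data.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/1."):
        method = parts[0]
        if method == b"CONNECT":
            return "http-connect"
        if method.isalpha() and method.isupper():
            return "http-request"
    return "unparseable"


def expected_listener_outcome(listener_has_ssl: bool, first_bytes: bytes) -> str:
    """How an nginx listener reacts to those bytes.

    plain `listen 443;` + TLS ClientHello : nginx cannot parse the handshake
        as an HTTP request line and answers 400 (the hosts-file case above).
    `listen 443 ssl;` + plain CONNECT/GET  : the ssl listener expects a
        handshake, sees ASCII, answers 400 (plain HTTP request sent to HTTPS
        port); `-x https://ip:port` is the client mode that matches it.
    """
    kind = classify_first_bytes(first_bytes)
    if kind == "tls-clienthello":
        return "tls-handshake" if listener_has_ssl else "400-bad-request"
    if kind in ("http-connect", "http-request"):
        return "400-plain-http-to-https-port" if listener_has_ssl else kind
    return "400-bad-request"


def parse_proxy_status(response: bytes) -> Tuple[int, str]:
    """Parse the status line the proxy returns to a CONNECT."""
    status_line = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def open_tunnel(proxy_host: str, proxy_port: int, target_host: str,
                target_port: int = 443, timeout: float = 10.0) -> ssl.SSLSocket:
    """Mirror `curl https://target -x proxy_host:proxy_port` (plain listener):
    send CONNECT in clear, then run TLS end-to-end to the target through the
    tunnel, so the proxy only ever sees the CONNECT line. The `-x https://`
    mode (TLS to the proxy, then TLS inside it) needs TLS-in-TLS via
    ssl.SSLObject/MemoryBIO and is not shown here."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(target_host, target_port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    code, reason = parse_proxy_status(buf)
    if code != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {code} {reason}")
    # Certificate verification is against the *target*, not the proxy.
    return ssl.create_default_context().wrap_socket(sock, server_hostname=target_host)


if __name__ == "__main__":
    for label, data in (("ClientHello", SAMPLE_TLS_CLIENT_HELLO),
                        ("CONNECT", build_connect_request("baidu.com"))):
        print(f"{label:12s} plain listener -> {expected_listener_outcome(False, data):30s}"
              f" ssl listener -> {expected_listener_outcome(True, data)}")
```

`open_tunnel` keeps full certificate verification of the target; the equivalent of curl's `--proxy-insecure` would only ever apply to the proxy leg of the `-x https://` mode, and outside a lab it lets anyone on the path impersonate the proxy.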


Hello, I am stuck on this error - kindly help!
curl https://dl.boxcloud.com/d/1/21bytes.txt/download -x 172.18.29.108:443 -v

* Trying 172.18.29.108:443...
* TCP_NODELAY set
* Connected to 172.18.29.108 (172.18.29.108) port 443 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to dl.boxcloud.com:443
> CONNECT dl.boxcloud.com:443 HTTP/1.1
> Host: dl.boxcloud.com:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.25.0
< Date: Fri, 16 Jun 2023 12:39:52 GMT
< Content-Type: text/html
< Content-Length: 255
< Connection: close
<
* Received HTTP code 400 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 400 from proxy after CONNECT

I am able to make the same request on port 80 (http) but not on 443 (https):
curl http://dl.boxcloud.com/d/1/21bytes.txt/download -x 172.18.29.108:80 -v
172.18.29.108 - - [16/Jun/2023:12:11:52 +0000] "GET http://dl.boxcloud.com/d/1/21bytes.txt/download HTTP/1.1" 200 20 "-" "curl/7.68.0" 0.002 0.001 .

Here is my nginx conf:

upstream box_download {
    keepalive 64;
    server har_box_fs_1:8080;
}

server {
    sendfile on;
    tcp_nopush off;
    output_buffers 1 4096k;
    keepalive_timeout 65;
    tcp_nodelay on;

    listen 443 ssl;

    ssl_certificate /etc/nginx/certs/box/box.pem;
    ssl_certificate_key /etc/nginx/certs/box/box.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    server_name dl.boxcloud.com;

    allow all;

    proxy_connect;
    proxy_connect_allow 443;
    proxy_connect_connect_timeout 10s;
    proxy_connect_data_timeout 10s;

    client_max_body_size 2G;
    client_body_buffer_size 32k;

    resolver 192.168.80.11;

    proxy_read_timeout 1000;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_buffer_size 4096k;
    proxy_buffers 8 4096k;
    large_client_header_buffers 4 16k;
    proxy_busy_buffers_size 4096k;
    #proxy_buffering off;

    location ~ ^/d/1/[0-9a-z]+/download$ {
        proxy_pass http://box_download;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header Host $host;
        #proxy_set_header Host $proxy_host;
        proxy_ssl_server_name on;
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header Host $proxy_host;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_cache cache;

        add_header X-Proxy-Cache $upstream_cache_status;
        proxy_pass http://box_download;
        proxy_ssl_server_name on;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
    }
}

Can you please help with what is causing this error and what I am missing here!


Replied in your newly opened issue.