It seems that proxy A received the CONNECT request from C, but only established a connection to B. The following HTTPS client HELLO sent by C to A was simply forwarded to B. However, B expected a plain HTTP request, so it couldn't recognize the binary HELLO and responded with a plain HTTP 400 error response to A. A simply forwarded that response to C. C treated it as an HTTPS server HELLO response and tried to parse the TLS negotiation information from the packet. Obviously it ended up with a failure.
In my opinion, issue #118 is a little different from this case. In that case, the squid server (corresponding to B in our case) acts as a real server, not a proxy server. The HTTP content is retrieved from S and decrypted on B, then re-encrypted and sent through A to C. There is only one proxy server, A, in fact.
On the other hand, commenting out the proxy_connect_address line is also not the desired solution, as it seems to cause A to try to establish the TCP connection with S by itself and then forward the following packets to S directly. If no DNS resolver is configured, A will be unable to resolve the address of S, and thus unable to establish the connection, which leads to a 502 error.
The question is: is there any way for A to simply forward the CONNECT request to B and leave the connection-establishing job to the latter, and to forward the following packets to B and let B forward them to S?
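The failure described in this issue, reproduced as an added example (not code from ngx_http_proxy_connect_module or from the reporter): a constructed stand-in for proxy B that behaves like an ordinary HTTP proxy, and A's side of the B connection run two ways, once relaying C's bytes blindly (the observed behaviour) and once sending its own CONNECT to B and relaying only after B's 2xx (the behaviour the reporter asks for). The ClientHello bytes, the target name s.example.com:443 and the use of a socketpair instead of real nginx instances are assumptions of the example.

```python
import socket
import threading

# Constructed stand-in for C's TLS ClientHello: a TLS record header plus dummy bytes.
CLIENT_HELLO = b"\x16\x03\x01\x00\x05hello"

def fake_proxy_b(conn: socket.socket) -> None:
    """Stand-in for proxy B: an HTTP proxy that only tunnels after a CONNECT."""
    data = conn.recv(4096)
    if not data.startswith(b"CONNECT "):
        # A binary ClientHello is not an HTTP request line: reject it as B did.
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        conn.close()
        return
    while b"\r\n\r\n" not in data:  # finish reading the CONNECT header block
        data += conn.recv(4096)
    conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    # Tunnel up: relay the following bytes opaquely. Echoing them back stands in
    # for the B -> S -> B round trip so the caller can see they arrived intact.
    conn.sendall(conn.recv(4096))
    conn.close()

def proxy_a_relay(to_b: socket.socket, target: str, client_bytes: bytes,
                  chain_connect: bool) -> bytes:
    """What A does with C's post-CONNECT bytes on its own connection to B.
    chain_connect=False reproduces the issue (bytes forwarded as-is); True is the
    requested behaviour (A sends its own CONNECT and relays only after B's 2xx)."""
    if chain_connect:
        to_b.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
        status_line = to_b.recv(4096).split(b"\r\n", 1)[0]
        if not status_line.startswith(b"HTTP/1.1 2"):
            to_b.close()
            return b"CONNECT rejected by B: " + status_line
    to_b.sendall(client_bytes)
    reply = to_b.recv(4096)
    to_b.close()
    return reply

def run_scenario(chain_connect: bool) -> bytes:
    """Run A's side against the fake B over a socketpair; return what C would get."""
    a_side, b_side = socket.socketpair()
    b_thread = threading.Thread(target=fake_proxy_b, args=(b_side,))
    b_thread.start()
    reply = proxy_a_relay(a_side, "s.example.com:443", CLIENT_HELLO, chain_connect)
    b_thread.join()
    return reply

if __name__ == "__main__":
    print("blind relay     ->", run_scenario(False))
    print("chained CONNECT ->", run_scenario(True))
```

In the blind-relay case C receives B's HTTP 400 in place of a ServerHello, which is exactly the TLS parse failure seen on the client; with the chained CONNECT the tunnelled bytes pass through B untouched.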
I am also trying to connect: [Client] -> [Nginx forward proxy + Cache] -> [Proxy Server].
Unfortunately, stream.server as an upstream does not support cache ability.
Is it possible to specify: proxy_pass http://external_forward_proxy_upstream;?
Thanks.
For example, we have a client C, an HTTPS site S, and two nginx proxy servers A and B: C sends an HTTPS request to proxy server A. A proxies the request through another proxy server B. B proxies the request to the real site server S. I expect the network topology should be like this:
So I configured like the following:
Proxy A (192.168.130.7 a.proxy.example.com):
Proxy B (192.168.130.1 b.proxy.example.com):
Then test on client C like this:
But the request failed:
While directly calling the server through proxy B is OK:
It seems like the actual network flow is like this: