Proxy HTTPS CONNECT #287

Open
UzverNumber47 opened this issue Oct 17, 2023 · 2 comments


@UzverNumber47

If I understand correctly, right now if you configure server like this:

    listen       8443 ssl;
    server_name  localhost;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_certificate     certificate.crt;
    ssl_certificate_key private.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    resolver 8.8.8.8;

    ### connect tunnel
    proxy_connect;
    proxy_connect_allow            443 563;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;

    location / {
        proxy_set_header Host $host;
        proxy_pass https://$host;
    }

Nginx will still make an httpP CONNECT request to the target server. But if the target server, like firestore.googleapis.com:443, expects an httpS CONNECT request, it will result in "client sent plain HTTP request to HTTPS port while reading client request headers".

The documentation says that everything should be fine if I use --proxy-insecure for curl. And it really helps and the connection establishes.

But I don't have this --proxy-insecure option in my Android app. All I can configure there is https.proxyHost and https.proxyPort.

I am not good at this stuff. So please correct me if I am mistaken.

@ljluestc

    server {
        listen 8443 ssl;
        server_name localhost;

        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate     certificate.crt;
        ssl_certificate_key private.key;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        resolver 8.8.8.8;

        location / {
            proxy_set_header Host $host;
            proxy_pass https://$host;
            proxy_ssl_server_name on;  # This line is crucial for HTTPS CONNECT
            proxy_ssl_verify off;      # Disable SSL verification for upstream server
            proxy_ssl_name $host;      # Set the Server Name Indication (SNI) to the host
        }

        location /proxy-tunnel {  # Add a location for handling CONNECT requests
            proxy_pass https://$http_host$request_uri;
            proxy_set_header Host $host;
            proxy_ssl_server_name on;  # This line is crucial for HTTPS CONNECT
            proxy_ssl_verify off;      # Disable SSL verification for upstream server
        }
    }

@chobits
Owner

chobits commented Dec 11, 2023

> But I don't have this --proxy-insecure option in my Android app. All I can configure there is https.proxyHost and https.proxyPort.

I knew your problem, but I'm also not familiar with the Android ecosystem, thus I could only recommend you recompile the curl program in your Android env.
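
Added example (not code from the thread participants or the project): a small Python check that tells whether the first bytes received on the proxy port are a TLS handshake or a plaintext `CONNECT`, the distinction behind the "plain HTTP request to HTTPS port" error quoted in the issue. The function name, result fields and sample byte strings are constructed for illustration; the allowed ports are taken from the `proxy_connect_allow 443 563` line in the first comment.

```python
import re

# Ports from the `proxy_connect_allow 443 563;` line quoted in the issue.
ALLOWED_PORTS = {443, 563}

# CONNECT request line: "CONNECT host:port HTTP/1.x" (host may be an IPv6 literal).
_CONNECT_RE = re.compile(
    rb"^CONNECT (\[[^\]]+\]|[^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n"
)
_HTTP_RE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a client sent to the proxy port (hypothetical helper)."""
    # A TLS connection opens with a handshake record:
    # content type 0x16 followed by protocol major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls"}
    m = _CONNECT_RE.match(data)
    if m:
        port = int(m.group(2))
        return {
            "kind": "plain-connect",
            "host": m.group(1).decode("ascii", "replace"),
            "port": port,
            # Would the target port pass the proxy_connect_allow list?
            "port_allowed": port in ALLOWED_PORTS,
        }
    if _HTTP_RE.match(data):
        return {"kind": "plain-http"}
    return {"kind": "unknown"}


# Constructed samples: what each kind of client sends first.
SAMPLE_TLS = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"
SAMPLE_CONNECT = (
    b"CONNECT firestore.googleapis.com:443 HTTP/1.1\r\n"
    b"Host: firestore.googleapis.com:443\r\n\r\n"
)
SAMPLE_BAD_PORT = b"CONNECT mail.example.test:25 HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("tls", SAMPLE_TLS), ("connect", SAMPLE_CONNECT),
                      ("bad-port", SAMPLE_BAD_PORT)]:
        print(name, classify_first_bytes(raw))
```

A `plain-connect` result on a port configured with `listen ... ssl` means the client spoke unencrypted HTTP to the proxy, while a `tls` result means it opened a TLS session to the proxy first.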
