ngx-http-proxy-connect-module-master.tar.gz

name ==== This module provides support for [the CONNECT method request](https://tools.ietf.org/html/rfc7231#section-4.3.6). This method is mainly used to [tunnel SSL requests](https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling) through proxy servers. Table of Contents ================= * [name](#name) * [Example](#example) * [configuration example](#configuration-example) * [example for curl](#example-for-curl) * [example for browser](#example-for-browser) * [example for basic authentication](#example-for-basic-authentication) * [Install](#install) * [select patch](#select-patch) * [build nginx](#build-nginx) * [build as a dynamic module](#build-as-a-dynamic-module) * [build OpenResty](#build-openresty) * [Test Suite](#test-suite) * [Error Log](#error-log) * [Directive](#directive) * [proxy_connect](#proxy_connect) * [proxy_connect_allow](#proxy_connect_allow) * [proxy_connect_connect_timeout](#proxy_connect_connect_timeout) * [proxy_connect_read_timeout](#proxy_connect_read_timeout) * [proxy_connect_send_timeout](#proxy_connect_send_timeout) * [proxy_connect_address](#proxy_connect_address) * [proxy_connect_bind](#proxy_connect_bind) * [proxy_connect_response](#proxy_connect_response) * [Variables](#variables) * [$connect_host](#connect_host) * [$connect_port](#connect_port) * [$connect_addr](#connect_addr) * [$proxy_connect_connect_timeout](#proxy_connect_connect_timeout-1) * [$proxy_connect_read_timeout](#proxy_connect_read_timeout-1) * [$proxy_connect_send_timeout](#proxy_connect_send_timeout-1) * [$proxy_connect_resolve_time](#proxy_connect_resolve_time) * [$proxy_connect_connect_time](#proxy_connect_connect_time) * [$proxy_connect_first_byte_time](#proxy_connect_first_byte_time) * [$proxy_connect_response](#proxy_connect_response-1) * [Compatibility](#compatibility) * [Nginx Compatibility](#nginx-compatibility) * [OpenResty Compatibility](#openresty-compatibility) * [Tengine Compatibility](#tengine-compatibility) * [FAQ](#faq) * [Known Issues](#known-issues) * [See Also](#see-also) * [Author](#author) * [License](#license) Example ======= Configuration Example --------------------- ```nginx server { listen 3128; # dns resolver used by forward proxying resolver 8.8.8.8; # forward proxy for CONNECT request proxy_connect; proxy_connect_allow 443 563; proxy_connect_connect_timeout 10s; proxy_connect_read_timeout 10s; proxy_connect_send_timeout 10s; # forward proxy for non-CONNECT request location / { proxy_pass http://$host; proxy_set_header Host $host; } } ``` Example for curl ---------------- With above configuration, you can get any https website via HTTP CONNECT tunnel. A simple test with command `curl` is as following: ``` $ curl https://github.com/ -v -x 127.0.0.1:3128 * Trying 127.0.0.1... -. * Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0) | curl creates TCP connection with nginx (with proxy_connect module). * Establish HTTP proxy tunnel to github.com:443 -' > CONNECT github.com:443 HTTP/1.1 -. > Host: github.com:443 (1) | curl sends CONNECT request to create tunnel. > User-Agent: curl/7.43.0 | > Proxy-Connection: Keep-Alive -' > < HTTP/1.0 200 Connection Established .- nginx replies 200 that tunnel is established. < Proxy-agent: nginx (2)| (The client is now being proxied to the remote host. Any data sent < '- to nginx is now forwarded, unmodified, to the remote host) * Proxy replied OK to CONNECT request * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -. * Server certificate: github.com | * Server certificate: DigiCert SHA2 Extended Validation Server CA | curl sends "https://github.com" request via tunnel, * Server certificate: DigiCert High Assurance EV Root CA | proxy_connect module will proxy data to remote host (github.com). > GET / HTTP/1.1 | > Host: github.com (3) | > User-Agent: curl/7.43.0 | > Accept: */* -' > < HTTP/1.1 200 OK .- < Date: Fri, 11 Aug 2017 04:13:57 GMT | < Content-Type: text/html; charset=utf-8 | Any data received from remote host will be sent to client < Transfer-Encoding: chunked | by proxy_connect module. < Server: GitHub.com (4)| < Status: 200 OK | < Cache-Control: no-cache | < Vary: X-PJAX | ... | ... <other response headers & response body> ... | ... '- ``` The sequence diagram of above example is as following: ``` curl nginx (proxy_connect) github.com | | | (1) |-- CONNECT github.com:443 -->| | | | | | |----[ TCP connection ]--->| | | | (2) |<- HTTP/1.1 200 ---| | | Connection Established | | | | | | | ========= CONNECT tunnel has been established. =========== | | | | | | | | | [ SSL stream ] | | (3) |---[ GET / HTTP/1.1 ]----->| [ SSL stream ] | | [ Host: github.com ] |---[ GET / HTTP/1.1 ]-->. | | [ Host: github.com ] | | | | | | | | | | | | [ SSL stream ] | | [ SSL stream ] |<--[ HTTP/1.1 200 OK ]---' (4) |<--[ HTTP/1.1 200 OK ]------| [ < html page > ] | | [ < html page > ] | | | | | ``` Example for browser ------------------- You can configure your browser to use this nginx as PROXY server. * Google Chrome HTTPS PROXY SETTING: [guide & config](https://github.com/chobits/ngx_http_proxy_connect_module/issues/22#issuecomment-346941271) for how to configure this module working under SSL layer. Example for Basic Authentication -------------------------------- We can do access control on CONNECT request using nginx auth basic module. See [this guide](https://github.com/chobits/ngx_http_proxy_connect_module/issues/42#issuecomment-502985437) for more details. Install ======= Select patch ------------ * Select right pat