name
====
This module provides support for [the CONNECT method request](https://tools.ietf.org/html/rfc7231#section-4.3.6).
This method is mainly used to [tunnel SSL requests](https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling) through proxy servers.

Table of Contents
=================

* [name](#name)
* [Example](#example)
    * [configuration example](#configuration-example)
    * [example for curl](#example-for-curl)
    * [example for browser](#example-for-browser)
    * [example for basic authentication](#example-for-basic-authentication)
* [Install](#install)
    * [select patch](#select-patch)
    * [build nginx](#build-nginx)
    * [build as a dynamic module](#build-as-a-dynamic-module)
    * [build OpenResty](#build-openresty)
* [Test Suite](#test-suite)
* [Error Log](#error-log)
* [Directive](#directive)
    * [proxy_connect](#proxy_connect)
    * [proxy_connect_allow](#proxy_connect_allow)
    * [proxy_connect_connect_timeout](#proxy_connect_connect_timeout)
    * [proxy_connect_read_timeout](#proxy_connect_read_timeout)
    * [proxy_connect_send_timeout](#proxy_connect_send_timeout)
    * [proxy_connect_address](#proxy_connect_address)
    * [proxy_connect_bind](#proxy_connect_bind)
    * [proxy_connect_response](#proxy_connect_response)
* [Variables](#variables)
    * [$connect_host](#connect_host)
    * [$connect_port](#connect_port)
    * [$connect_addr](#connect_addr)
    * [$proxy_connect_connect_timeout](#proxy_connect_connect_timeout-1)
    * [$proxy_connect_read_timeout](#proxy_connect_read_timeout-1)
    * [$proxy_connect_send_timeout](#proxy_connect_send_timeout-1)
    * [$proxy_connect_resolve_time](#proxy_connect_resolve_time)
    * [$proxy_connect_connect_time](#proxy_connect_connect_time)
    * [$proxy_connect_first_byte_time](#proxy_connect_first_byte_time)
    * [$proxy_connect_response](#proxy_connect_response-1)
* [Compatibility](#compatibility)
    * [Nginx Compatibility](#nginx-compatibility)
    * [OpenResty Compatibility](#openresty-compatibility)
    * [Tengine Compatibility](#tengine-compatibility)
* [FAQ](#faq)
* [Known Issues](#known-issues)
* [See Also](#see-also)
* [Author](#author)
* [License](#license)

Example
=======

Configuration Example
---------------------

```nginx
server {
    listen 3128;

    # dns resolver used by forward proxying
    resolver 8.8.8.8;

    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow 443 563;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;

    # forward proxy for non-CONNECT request
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
```
Example for curl
----------------
With the above configuration, you can reach any HTTPS website through an HTTP CONNECT tunnel.
A simple test with `curl` looks like this:

```
$ curl https://github.com/ -v -x 127.0.0.1:3128
* Trying 127.0.0.1...                                            -.
* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)               | curl creates TCP connection with nginx (with proxy_connect module).
* Establish HTTP proxy tunnel to github.com:443                  -'
> CONNECT github.com:443 HTTP/1.1                                -.
> Host: github.com:443                                        (1) | curl sends CONNECT request to create tunnel.
> User-Agent: curl/7.43.0                                         |
> Proxy-Connection: Keep-Alive                                   -'
>
< HTTP/1.0 200 Connection Established                             .- nginx replies 200 that tunnel is established.
< Proxy-agent: nginx                                           (2)|  (The client is now being proxied to the remote host. Any data sent
<                                                                 '-  to nginx is now forwarded, unmodified, to the remote host)
* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -.
* Server certificate: github.com                                  |
* Server certificate: DigiCert SHA2 Extended Validation Server CA | curl sends "https://github.com" request via tunnel,
* Server certificate: DigiCert High Assurance EV Root CA          | proxy_connect module will proxy data to remote host (github.com).
> GET / HTTP/1.1                                                  |
> Host: github.com                                            (3) |
> User-Agent: curl/7.43.0                                         |
> Accept: */*                                                    -'
>
< HTTP/1.1 200 OK                                                 .-
< Date: Fri, 11 Aug 2017 04:13:57 GMT                             |
< Content-Type: text/html; charset=utf-8                          |  Any data received from remote host will be sent to client
< Transfer-Encoding: chunked                                      |  by proxy_connect module.
< Server: GitHub.com                                           (4)|
< Status: 200 OK                                                  |
< Cache-Control: no-cache                                         |
< Vary: X-PJAX                                                    |
...                                                               |
... <other response headers & response body> ...                  |
...                                                               '-
```

The sequence diagram of the above example is as follows:

```
  curl                  nginx (proxy_connect)            github.com
    |                             |                          |
(1) |-- CONNECT github.com:443 -->|                          |
    |                             |                          |
    |                             |----[ TCP connection ]--->|
    |                             |                          |
(2) |<- HTTP/1.1 200           ---|                          |
    |   Connection Established    |                          |
    |                             |                          |
    |                                                        |
    ========= CONNECT tunnel has been established. ===========
    |                                                        |
    |                             |                          |
    |                             |                          |
    |   [ SSL stream       ]      |                          |
(3) |---[ GET / HTTP/1.1   ]----->|   [ SSL stream       ]   |
    |   [ Host: github.com ]      |---[ GET / HTTP/1.1   ]-->.
    |                             |   [ Host: github.com ]   |
    |                             |                          |
    |                             |                          |
    |                             |                          |
    |                             |   [ SSL stream       ]   |
    |   [ SSL stream       ]      |<--[ HTTP/1.1 200 OK  ]---'
(4) |<--[ HTTP/1.1 200 OK  ]------|   [ < html page >    ]   |
    |   [ < html page >    ]      |                          |
    |                             |                          |
```
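
Because the CONNECT request in step (1) names the tunnel target in clear text, the proxy's access log can be reviewed against the `proxy_connect_allow 443 563` policy from the configuration above. The following is an added example, not part of the module or its documentation; it assumes nginx's default `combined` access log format, and the function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Ports taken from the page's `proxy_connect_allow 443 563;` line.
ALLOWED_PORTS = {443, 563}

# Assumption: nginx default "combined" access log format.
CONNECT_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"CONNECT (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def split_authority(target):
    """Split a CONNECT target 'host:port'; IPv6 literals arrive in brackets."""
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host.strip("[]"), int(port)

def review(line, allowed=ALLOWED_PORTS):
    """Return (client, target, status, findings), or None for non-CONNECT lines."""
    m = CONNECT_RE.match(line)
    if m is None:
        return None
    findings = []
    parsed = split_authority(m["target"])
    if parsed is None:
        findings.append("malformed-target")
    else:
        host, port = parsed
        if port not in allowed:
            findings.append("port-not-allowed")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None  # hostname: no DNS lookup is attempted here
        if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
            findings.append("internal-address")
    if findings and m["status"] == "200":
        findings.append("tunnel-established")  # policy gap, not just an attempt
    return m["client"], m["target"], int(m["status"]), findings

# Constructed sample lines, not taken from a real log.
SAMPLE_LOG = [
    '127.0.0.1 - - [11/Aug/2017:04:13:57 +0000] "CONNECT github.com:443 HTTP/1.1" 200 0 "-" "curl/7.43.0"',
    '192.0.2.10 - - [11/Aug/2017:04:14:02 +0000] "CONNECT 10.0.0.5:22 HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.10 - - [11/Aug/2017:04:14:09 +0000] "CONNECT 127.0.0.1:443 HTTP/1.1" 200 0 "-" "-"',
    '127.0.0.1 - - [11/Aug/2017:04:14:20 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.43.0"',
]

def audit(lines):
    """Keep only the CONNECT requests that produced at least one finding."""
    reviewed = (review(line) for line in lines)
    return [r for r in reviewed if r is not None and r[3]]
```

A `tunnel-established` finding means the flagged request was answered with 200, so it points at a gap in the proxy's access policy rather than a refused attempt.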
Example for browser
-------------------
You can configure your browser to use this nginx as a proxy server.

* Google Chrome HTTPS proxy setting: [guide & config](https://github.com/chobits/ngx_http_proxy_connect_module/issues/22#issuecomment-346941271) for configuring this module to work under an SSL layer.

Example for Basic Authentication
--------------------------------

We can apply access control to CONNECT requests using the nginx auth basic module.
See [this guide](https://github.com/chobits/ngx_http_proxy_connect_module/issues/42#issuecomment-502985437) for more details.

Install
=======

Select patch
------------

* Select right pat