Proxy HTTPS CONNECT
UzverNumber47 opened this issue · comments
If I understand correctly, right now if you configure server like this:

```nginx
listen 8443 ssl;
server_name localhost;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate certificate.crt;
ssl_certificate_key private.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
resolver 8.8.8.8;
### connect tunnel
proxy_connect;
proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
location / {
    proxy_set_header Host $host;
    proxy_pass https://$host;
}
```
Nginx will still make an HTTP CONNECT request to the target server. But if the target server, like firestore.googleapis.com:443, expects an HTTPS CONNECT request, it will result in `client sent plain HTTP request to HTTPS port while reading client request headers`.

The documentation says that everything should be fine if I use `--proxy-insecure` for curl. And it really helps and the connection establishes.

But I don't have this `--proxy-insecure` option in my Android app. All I can configure there is `https.proxyHost` and `https.proxyPort`.

I am not good at this stuff. So please correct me if I am mistaken.
```nginx
server {
    listen 8443 ssl;
    server_name localhost;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_certificate certificate.crt;
    ssl_certificate_key private.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    resolver 8.8.8.8;
    location / {
        proxy_set_header Host $host;
        proxy_pass https://$host;
        proxy_ssl_server_name on; # This line is crucial for HTTPS CONNECT
        proxy_ssl_verify off; # Disable SSL verification for upstream server
        proxy_ssl_name $host; # Set the Server Name Indication (SNI) to the host
    }
    location /proxy-tunnel { # Add a location for handling CONNECT requests
        proxy_pass https://$http_host$request_uri;
        proxy_set_header Host $host;
        proxy_ssl_server_name on; # This line is crucial for HTTPS CONNECT
        proxy_ssl_verify off; # Disable SSL verification for upstream server
    }
}
```
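As an added client-side example (not code from this issue or from the proxy module), the snippet below shows the two halves of the mismatch described above: what a `listen 8443 ssl` port sees first when a client sends a plain CONNECT (the check behind the quoted error), and the order a client must follow for a proxy that speaks TLS itself: TLS to the proxy first, verified against its `certificate.crt` rather than skipped as `--proxy-insecure` does, then CONNECT inside that session. The sample bytes, host names and function names are constructed for the example.

```python
import socket
import ssl

# Constructed samples of the two things a TLS listener can receive first: a TLS
# ClientHello record, or a plaintext CONNECT from a client told to use a plain
# HTTP proxy (what https.proxyHost/https.proxyPort configure on Android).
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301002a0100002603035f")  # truncated record
SAMPLE_PLAIN_CONNECT = (b"CONNECT firestore.googleapis.com:443 HTTP/1.1\r\n"
                        b"Host: firestore.googleapis.com:443\r\n\r\n")

def classify_first_bytes(data: bytes) -> str:
    """Mimic the check behind 'client sent plain HTTP request to HTTPS port'."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"      # record type 22 (handshake), TLS major version 3
    line = data.split(b"\r\n", 1)[0]
    if line.startswith(b"CONNECT "):
        return "plain-connect"      # plaintext CONNECT arriving on the ssl port
    if line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "plain-http"
    return "unknown"

def build_connect_request(target_host: str, target_port: int) -> bytes:
    """The CONNECT a client must send inside its TLS session with the proxy."""
    return (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
            f"Host: {target_host}:{target_port}\r\n\r\n").encode("ascii")

def parse_connect_status(reply: bytes) -> int:
    """Status code of the proxy's answer to CONNECT (200 means the tunnel is open)."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def open_https_proxy_tunnel(proxy_host, proxy_port, target_host, target_port, cafile=None):
    """TLS to the proxy first (cafile = the proxy's certificate.crt, so the proxy
    certificate is verified instead of ignored), then CONNECT inside that session.
    Returns the proxy-side TLS socket carrying the raw tunnel; the origin's own TLS
    session then has to be driven over it with ssl.MemoryBIO/SSLObject, since a
    second wrap_socket on an SSLSocket does not nest TLS inside TLS."""
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((proxy_host, proxy_port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=proxy_host)
    tls.sendall(build_connect_request(target_host, target_port))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = tls.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        reply += chunk
    if parse_connect_status(reply) != 200:
        raise ConnectionError(reply.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return tls
```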