{"id":13640962,"url":"https://github.com/chobits/ngx_http_proxy_connect_module","last_synced_at":"2025-04-11T11:49:06.807Z","repository":{"id":37430888,"uuid":"53579202","full_name":"chobits/ngx_http_proxy_connect_module","owner":"chobits","description":"A forward proxy module for CONNECT request handling","archived":false,"fork":false,"pushed_at":"2024-08-18T12:49:19.000Z","size":307,"stargazers_count":1894,"open_issues_count":20,"forks_count":504,"subscribers_count":66,"default_branch":"master","last_synced_at":"2025-04-03T15:07:20.852Z","etag":null,"topics":["forward-proxy","http-tunnel","nginx","tengine"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chobits.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-03-10T11:27:41.000Z","updated_at":"2025-04-02T07:56:19.000Z","dependencies_parsed_at":"2024-08-19T10:21:22.590Z","dependency_job_id":null,"html_url":"https://github.com/chobits/ngx_http_proxy_connect_module","commit_stats":{"total_commits":166,"total_committers":10,"mean_commits":16.6,"dds":0.08433734939759041,"last_synced_commit":"4f0b6c2297862148c59a0d585d6c46ccb7e58a39"},"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chobits%2Fngx_http_proxy_connect_module","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chobits%2Fngx_http_proxy_connect_module/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/c
hobits%2Fngx_http_proxy_connect_module/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chobits%2Fngx_http_proxy_connect_module/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chobits","download_url":"https://codeload.github.com/chobits/ngx_http_proxy_connect_module/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248388983,"owners_count":21095491,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forward-proxy","http-tunnel","nginx","tengine"],"created_at":"2024-08-02T01:01:16.253Z","updated_at":"2025-04-11T11:49:06.775Z","avatar_url":"https://github.com/chobits.png","language":"C","readme":"name\n====\n\nThis module provides support for [the CONNECT method request](https://tools.ietf.org/html/rfc7231#section-4.3.6).\nThis method is mainly used to [tunnel SSL requests](https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling) through proxy servers.\n\nTable of Contents\n=================\n\n   * [name](#name)\n   * [Example](#example)\n      * [configuration example](#configuration-example)\n        * [example for curl](#example-for-curl)\n      * [configuration example for CONNECT request in https](#configuration-example-for-connect-request-in-https)\n        * [example for curl (CONNECT request in https)](#example-for-curl-connect-request-in-https)\n        * [example for browser](#example-for-browser)\n      * [example for basic authentication](#example-for-basic-authentication)\n      * [example for proxying 
WebSocket](#example-for-proxying-websocket)\n   * [Install](#install)\n      * [select patch](#select-patch)\n      * [build nginx](#build-nginx)\n         * [build as a dynamic module](#build-as-a-dynamic-module)\n      * [build OpenResty](#build-openresty)\n   * [Test Suite](#test-suite)\n   * [Error Log](#error-log)\n   * [Directive](#directive)\n      * [proxy_connect](#proxy_connect)\n      * [proxy_connect_allow](#proxy_connect_allow)\n      * [proxy_connect_connect_timeout](#proxy_connect_connect_timeout)\n      * [proxy_connect_data_timeout](#proxy_connect_data_timeout)\n      * [proxy_connect_read_timeout(deprecated)](#proxy_connect_read_timeout)\n      * [proxy_connect_send_timeout(deprecated)](#proxy_connect_send_timeout)\n      * [proxy_connect_address](#proxy_connect_address)\n      * [proxy_connect_bind](#proxy_connect_bind)\n      * [proxy_connect_response](#proxy_connect_response)\n   * [Variables](#variables)\n      * [$connect_host](#connect_host)\n      * [$connect_port](#connect_port)\n      * [$connect_addr](#connect_addr)\n      * [$proxy_connect_connect_timeout](#proxy_connect_connect_timeout-1)\n      * [$proxy_connect_data_timeout](#proxy_connect_data_timeout-1)\n      * [$proxy_connect_read_timeout(deprecated)](#proxy_connect_read_timeout-1)\n      * [$proxy_connect_send_timeout(deprecated)](#proxy_connect_send_timeout-1)\n      * [$proxy_connect_resolve_time](#proxy_connect_resolve_time)\n      * [$proxy_connect_connect_time](#proxy_connect_connect_time)\n      * [$proxy_connect_first_byte_time](#proxy_connect_first_byte_time)\n      * [$proxy_connect_response](#proxy_connect_response-1)\n   * [Compatibility](#compatibility)\n      * [Nginx Compatibility](#nginx-compatibility)\n      * [OpenResty Compatibility](#openresty-compatibility)\n      * [Tengine Compatibility](#tengine-compatibility)\n   * [FAQ](#faq)\n   * [Known Issues](#known-issues)\n   * [See Also](#see-also)\n   * [Author](#author)\n   * 
[License](#license)\n\nExample\n=======\n\nConfiguration Example\n---------------------\n\n```nginx\nserver {\n    listen                         3128;\n\n    # dns resolver used by forward proxying\n    resolver                       8.8.8.8;\n\n    # forward proxy for CONNECT requests\n    proxy_connect;\n    proxy_connect_allow            443 563;\n    proxy_connect_connect_timeout  10s;\n    proxy_connect_data_timeout     10s;\n\n    # defined by yourself for non-CONNECT requests\n    # Example: reverse proxy for non-CONNECT requests\n    location / {\n        proxy_pass http://$host;\n        proxy_set_header Host $host;\n    }\n}\n```\n\n* The `resolver` directive MUST be configured globally in `server {}` block (or `http {}` block).\n* Any `location {}` block, `upstream {}` block and any other standard backend/upstream directives, such as `proxy_pass`, do not impact the functionality of this module. (The proxy_connect module only executes the logic for requests that use the CONNECT method and that have a data flow under this tunnel.)\n  * If you don't want to handle non-CONNECT requests, you can modify `location {}` block as follows:\n    ```\n    location / {\n        return 403 \"Non-CONNECT requests are forbidden\";\n    }\n    ```\n\nExample for curl\n----------------\n\nWith the above configuration ([configuration example](#configuration-example)), you can get any https website via HTTP CONNECT tunnel. A simple test with command `curl` is as follows:\n\n```\n$ curl https://github.com/ -v -x 127.0.0.1:3128\n*   Trying 127.0.0.1...                                           
-.\n* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)                | curl creates TCP connection with nginx (with proxy_connect module).\n* Establish HTTP proxy tunnel to github.com:443                   -'\n\u003e CONNECT github.com:443 HTTP/1.1                                 -.\n\u003e Host: github.com:443                                         (1) | curl sends CONNECT request to create tunnel.\n\u003e User-Agent: curl/7.43.0                                          |\n\u003e Proxy-Connection: Keep-Alive                                    -'\n\u003e\n\u003c HTTP/1.0 200 Connection Established                             .- nginx replies 200 that tunnel is established.\n\u003c Proxy-agent: nginx                                           (2)|  (The client is now being proxied to the remote host. Any data sent\n\u003c                                                                 '-  to nginx is now forwarded, unmodified, to the remote host)\n\n* Proxy replied OK to CONNECT request\n* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  -.\n* Server certificate: github.com                                   |\n* Server certificate: DigiCert SHA2 Extended Validation Server CA  | curl sends \"https://github.com\" request via tunnel,\n* Server certificate: DigiCert High Assurance EV Root CA           | proxy_connect module will proxy data to remote host (github.com).\n\u003e GET / HTTP/1.1                                                   |\n\u003e Host: github.com                                             (3) |\n\u003e User-Agent: curl/7.43.0                                          |\n\u003e Accept: */*                                                     -'\n\u003e\n\u003c HTTP/1.1 200 OK                                                 .-\n\u003c Date: Fri, 11 Aug 2017 04:13:57 GMT                             |\n\u003c Content-Type: text/html; charset=utf-8                          |  Any data received from remote host will be sent to 
client\n\u003c Transfer-Encoding: chunked                                      |  by proxy_connect module.\n\u003c Server: GitHub.com                                           (4)|\n\u003c Status: 200 OK                                                  |\n\u003c Cache-Control: no-cache                                         |\n\u003c Vary: X-PJAX                                                    |\n...                                                               |\n... \u003cother response headers \u0026 response body\u003e ...                  |\n...                                                               '-\n```\n\nThe sequence diagram of above example is as following:\n\n```\n  curl                     nginx (proxy_connect)            github.com\n    |                             |                          |\n(1) |-- CONNECT github.com:443 --\u003e|                          |\n    |                             |                          |\n    |                             |----[ TCP connection ]---\u003e|\n    |                             |                          |\n(2) |\u003c- HTTP/1.1 200           ---|                          |\n    |   Connection Established    |                          |\n    |                             |                          |\n    |                                                        |\n    ========= CONNECT tunnel has been established. 
===========\n    |                                                        |\n    |                             |                          |\n    |                             |                          |\n    |   [ SSL stream       ]      |                          |\n(3) |---[ GET / HTTP/1.1   ]-----\u003e|   [ SSL stream       ]   |\n    |   [ Host: github.com ]      |---[ GET / HTTP/1.1   ]--\u003e.\n    |                             |   [ Host: github.com ]   |\n    |                             |                          |\n    |                             |                          |\n    |                             |                          |\n    |                             |   [ SSL stream       ]   |\n    |   [ SSL stream       ]      |\u003c--[ HTTP/1.1 200 OK  ]---'\n(4) |\u003c--[ HTTP/1.1 200 OK  ]------|   [ \u003c html page \u003e    ]   |\n    |   [ \u003c html page \u003e    ]      |                          |\n    |                             |                          |\n```\n\n\nconfiguration example for CONNECT request in HTTPS\n--------------------------------------------------\n\n```nginx\nserver {\n    listen                         3128 ssl;\n\n    # self signed certificate generated via openssl command\n    ssl_certificate_key            /path/to/server.key;\n    ssl_certificate                /path/to/server.crt;\n    ssl_session_cache              shared:SSL:1m;\n\n    # dns resolver used by forward proxying\n    resolver                       8.8.8.8;\n\n    # forward proxy for CONNECT request\n    proxy_connect;\n    proxy_connect_allow            443 563;\n    proxy_connect_connect_timeout  10s;\n    proxy_connect_data_timeout     10s;\n\n    # defined by yourself for non-CONNECT request\n    # Example: reverse proxy for non-CONNECT requests\n    location / {\n        proxy_pass http://$host;\n        proxy_set_header Host $host;\n    }\n}\n```\n\nexample for curl (CONNECT request in 
https)\n-------------------------------------------\n\n\nWith the above configuration ([configuration example for CONNECT request in https](#configuration-example-for-connect-request-in-https)), you can get any https website via HTTPS CONNECT tunnel (CONNECT request in https). A simple test with command `curl` is as follows:\n\nTips on using curl command:\n\n* `-x https://...` makes curl send CONNECT request in https.\n* `--proxy-insecure` disables ssl signature verification for ssl connection established with nginx proxy_connect server (`https://localhost:3128`), but it does not disable verification with proxied backend server (`https://nginx.org` in the example below).\n  * If you want to disable signature verification with proxied backend server, you can use `-k` option.\n\n\u003cdetails\u003e\u003csummary\u003eoutput of curl command :point_left: \u003c/summary\u003e\n\u003cp\u003e\n\n```\n$ curl https://nginx.org/ -sv -o/dev/null -x https://localhost:3128 --proxy-insecure\n*   Trying 127.0.0.1:3128...\n* TCP_NODELAY set\n* Connected to localhost (127.0.0.1) port 3128 (#0)\n* ALPN, offering http/1.1\n* successfully set certificate verify locations:\n*   CAfile: /etc/ssl/certs/ca-certificates.crt\n  CApath: /etc/ssl/certs\n} [5 bytes data]\n* TLSv1.3 (OUT), TLS handshake, Client hello (1):\n} [512 bytes data]\n* TLSv1.3 (IN), TLS handshake, Server hello (2):\n{ [112 bytes data]\n* TLSv1.2 (IN), TLS handshake, Certificate (11):\n{ [799 bytes data]\n* TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n{ [300 bytes data]\n* TLSv1.2 (IN), TLS handshake, Server finished (14):\n{ [4 bytes data]\n* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n} [37 bytes data]\n* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n} [1 bytes data]\n* TLSv1.2 (OUT), TLS handshake, Finished (20):\n} [16 bytes data]\n* TLSv1.2 (IN), TLS handshake, Finished (20):\n{ [16 bytes data]\n* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384\n* ALPN, server accepted to use 
http/1.1\n* Proxy certificate:\n*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd\n*  start date: Nov 25 08:36:38 2022 GMT\n*  expire date: Nov 25 08:36:38 2023 GMT\n*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd\n*  SSL certificate verify result: self signed certificate (18), continuing anyway.\n* allocate connect buffer!\n* Establish HTTP proxy tunnel to nginx.org:443\n} [5 bytes data]\n\u003e CONNECT nginx.org:443 HTTP/1.1\n\u003e Host: nginx.org:443\n\u003e User-Agent: curl/7.68.0\n\u003e Proxy-Connection: Keep-Alive\n\u003e\n{ [5 bytes data]\n\u003c HTTP/1.1 200 Connection Established\n\u003c Proxy-agent: nginx\n\u003c\n* Proxy replied 200 to CONNECT request\n* CONNECT phase completed!\n* ALPN, offering h2\n* ALPN, offering http/1.1\n* successfully set certificate verify locations:\n*   CAfile: /etc/ssl/certs/ca-certificates.crt\n  CApath: /etc/ssl/certs\n} [5 bytes data]\n* TLSv1.3 (OUT), TLS handshake, Client hello (1):\n} [512 bytes data]\n* CONNECT phase completed!\n* CONNECT phase completed!\n{ [5 bytes data]\n* TLSv1.3 (IN), TLS handshake, Server hello (2):\n{ [80 bytes data]\n* TLSv1.2 (IN), TLS handshake, Certificate (11):\n{ [2749 bytes data]\n* TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n{ [300 bytes data]\n* TLSv1.2 (IN), TLS handshake, Server finished (14):\n{ [4 bytes data]\n* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n} [37 bytes data]\n* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n} [1 bytes data]\n* TLSv1.2 (OUT), TLS handshake, Finished (20):\n} [16 bytes data]\n* TLSv1.2 (IN), TLS handshake, Finished (20):\n{ [16 bytes data]\n* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384\n* ALPN, server accepted to use http/1.1\n* Server certificate:\n*  subject: CN=nginx.org\n*  start date: Dec  9 15:29:31 2022 GMT\n*  expire date: Mar  9 15:29:30 2023 GMT\n*  subjectAltName: host \"nginx.org\" matched cert's \"nginx.org\"\n*  issuer: C=US; O=Let's Encrypt; CN=R3\n*  SSL 
certificate verify ok.\n} [5 bytes data]\n\u003e GET / HTTP/1.1\n\u003e Host: nginx.org\n\u003e User-Agent: curl/7.68.0\n\u003e Accept: */*\n\u003e\n{ [5 bytes data]\n* Mark bundle as not supporting multiuse\n\u003c HTTP/1.1 200 OK\n\u003c Server: nginx/1.21.5\n\u003c Date: Mon, 06 Mar 2023 06:05:24 GMT\n\u003c Content-Type: text/html; charset=utf-8\n\u003c Content-Length: 7488\n\u003c Last-Modified: Tue, 28 Feb 2023 21:07:43 GMT\n\u003c Connection: keep-alive\n\u003c Keep-Alive: timeout=15\n\u003c ETag: \"63fe6d1f-1d40\"\n\u003c Accept-Ranges: bytes\n\u003c\n{ [7488 bytes data]\n* Connection #0 to host localhost left intact\n```\n\n\u003c/p\u003e\n\u003c/details\u003e\n\nExample for browser\n-------------------\n\nYou can configure your browser to use this nginx as PROXY server.\n\n* Google Chrome HTTPS PROXY SETTING: [guide \u0026 config](https://github.com/chobits/ngx_http_proxy_connect_module/issues/22#issuecomment-346941271) for how to configure this module working under SSL layer.\n\n\nExample for Basic Authentication\n--------------------------------\n\nWe can do access control on CONNECT request using nginx auth basic module.  \nSee [this guide](https://github.com/chobits/ngx_http_proxy_connect_module/issues/42#issuecomment-502985437) for more details.\n\n\nExample for proxying WebSocket\n------------------------------\n\n* Note that nginx has its own WebSocket reverse proxy module, which is not limited to the CONNECT tunnel, see [nginx.org doc: Nginx WebSocket proxying](https://nginx.org/en/docs/http/websocket.html) and [nginx.com blog: NGINX as a WebSocket Proxy](https://www.nginx.com/blog/websocket-nginx/).\n* This module enables the WebSocket protocol to work over the CONNECT tunnel, see https://github.com/chobits/ngx_http_proxy_connect_module/issues/267#issuecomment-1575449174\n\n\nInstall\n=======\n\nSelect patch\n------------\n\n* Select right patch for building:\n * All patch files have been included in `patch/` directory of this module. 
You don't need to download the patch directly from web page.\n\n| nginx version | enable REWRITE phase | patch |\n| --: | --: | --: |\n| 1.4.x ~ 1.12.x   | NO  | [proxy_connect.patch](patch/proxy_connect.patch) |\n| 1.4.x ~ 1.12.x   | YES | [proxy_connect_rewrite.patch](patch/proxy_connect_rewrite.patch) |\n| 1.13.x ~ 1.14.x  | NO  | [proxy_connect_1014.patch](patch/proxy_connect_1014.patch) |\n| 1.13.x ~ 1.14.x  | YES | [proxy_connect_rewrite_1014.patch](patch/proxy_connect_rewrite_1014.patch) |\n| 1.15.2           | YES | [proxy_connect_rewrite_1015.patch](patch/proxy_connect_rewrite_1015.patch) |\n| 1.15.4 ~ 1.16.x  | YES | [proxy_connect_rewrite_101504.patch](patch/proxy_connect_rewrite_101504.patch) |\n| 1.17.x ~ 1.18.x  | YES | [proxy_connect_rewrite_1018.patch](patch/proxy_connect_rewrite_1018.patch) |\n| 1.19.x ~ 1.21.0  | YES | [proxy_connect_rewrite_1018.patch](patch/proxy_connect_rewrite_1018.patch) |\n| 1.21.1 ~ 1.22.x  | YES | [proxy_connect_rewrite_102101.patch](patch/proxy_connect_rewrite_102101.patch) |\n| 1.23.x ~ 1.24.0  | YES | [proxy_connect_rewrite_102101.patch](patch/proxy_connect_rewrite_102101.patch) |\n| 1.25.0 ~ 1.26.x  | YES | [proxy_connect_rewrite_102101.patch](patch/proxy_connect_rewrite_102101.patch) |\n| 1.27.1           | YES | [proxy_connect_rewrite_102101.patch](patch/proxy_connect_rewrite_102101.patch) |\n\n| OpenResty version | enable REWRITE phase | patch |\n| --: | --: | --: |\n| 1.13.6 | NO  | [proxy_connect_1014.patch](patch/proxy_connect_1014.patch) |\n| 1.13.6 | YES | [proxy_connect_rewrite_1014.patch](patch/proxy_connect_rewrite_1014.patch) |\n| 1.15.8 | YES | [proxy_connect_rewrite_101504.patch](patch/proxy_connect_rewrite_101504.patch) |\n| 1.17.8 | YES | [proxy_connect_rewrite_1018.patch](patch/proxy_connect_rewrite_1018.patch) |\n| 1.19.3 | YES | [proxy_connect_rewrite_1018.patch](patch/proxy_connect_rewrite_1018.patch) |\n| 1.21.4 | YES | [proxy_connect_rewrite_102101.patch](patch/proxy_connect_rewrite_102101.patch) 
|\n| 1.25.3 | YES | [proxy_connect_rewrite_102101.patch](patch/proxy_connect_rewrite_102101.patch) |\n\n\n* `proxy_connect_\u003cVERSION\u003e.patch` disables nginx REWRITE phase for CONNECT request by default, which means `if`, `set`, `rewrite_by_lua` and other REWRITE phase directives cannot be used.\n* `proxy_connect_rewrite_\u003cVERSION\u003e.patch` enables these REWRITE phase directives.\n\nBuild nginx\n-----------\n\n* Build nginx with this module from source:\n\n```bash\n$ wget http://nginx.org/download/nginx-1.9.2.tar.gz\n$ tar -xzvf nginx-1.9.2.tar.gz\n$ cd nginx-1.9.2/\n$ patch -p1 \u003c /path/to/ngx_http_proxy_connect_module/patch/proxy_connect.patch\n$ ./configure --add-module=/path/to/ngx_http_proxy_connect_module\n$ make \u0026\u0026 make install\n```\n\nBuild as a dynamic module\n-------------------------\n\n* Starting from nginx 1.9.11, you can also compile this module as a dynamic module, by using the `--add-dynamic-module=PATH` option instead of `--add-module=PATH` on the `./configure` command line.\n\n```bash\n$ wget http://nginx.org/download/nginx-1.9.12.tar.gz\n$ tar -xzvf nginx-1.9.12.tar.gz\n$ cd nginx-1.9.12/\n$ patch -p1 \u003c /path/to/ngx_http_proxy_connect_module/patch/proxy_connect.patch\n$ ./configure --add-dynamic-module=/path/to/ngx_http_proxy_connect_module\n$ make \u0026\u0026 make install\n```\n\n* And then you can explicitly load the module in your nginx.conf via the `load_module` directive, for example,\n\n```\nload_module /path/to/modules/ngx_http_proxy_connect_module.so;\n```\n\n* :exclamation: Note that the ngx_http_proxy_connect_module.so file MUST be loaded by nginx binary that is compiled with the .so file at the same time.\n\n\nBuild OpenResty\n---------------\n\n* Build OpenResty with this module from source:\n\n```bash\n$ wget https://openresty.org/download/openresty-1.19.3.1.tar.gz\n$ tar -zxvf openresty-1.19.3.1.tar.gz\n$ cd openresty-1.19.3.1\n$ ./configure --add-module=/path/to/ngx_http_proxy_connect_module\n$ 
patch -d build/nginx-1.19.3/ -p 1 \u003c /path/to/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_101504.patch\n$ make \u0026\u0026 make install\n```\n\nTest Suite\n==========\n\n* To run the whole test suite:\n\n```bash\n$ hg clone http://hg.nginx.org/nginx-tests/\n\n# If you use latest lua-nginx-module that needs lua-resty-core and\n# lua-resty-lrucache, you should add \"lua_package_path ...;\" directive\n# into nginx.conf of test cases. You can use the following command:\n#\n# $ export TEST_NGINX_GLOBALS_HTTP='lua_package_path \"/path/to/nginx/lib/lua/?.lua;;\";'\n\n$ export TEST_NGINX_BINARY=/path/to/nginx/binary\n$ prove -v -I /path/to/nginx-tests/lib /path/to/ngx_http_proxy_connect_module/t/\n```\n\n* For the complete process of building and testing this module, see:\n  * workflow files: [here](https://github.com/chobits/ngx_http_proxy_connect_module/tree/master/.github/workflows)\n  * runs from all workflows: [here](https://github.com/chobits/ngx_http_proxy_connect_module/actions)\n\nError Log\n=========\n\nThis module logs its own error message beginning with `\"proxy_connect:\"` string.  \nSome typical error logs are shown as following:\n\n* The proxy_connect module tries to establish tunnel connection with backend server, but the TCP connection timeout occurs.\n\n```\n2019/08/07 17:27:20 [error] 19257#0: *1 proxy_connect: upstream connect timed out (peer:216.58.200.4:443) while connecting to upstream, client: 127.0.0.1, server: , request: \"CONNECT www.google.com:443 HTTP/1.1\", host: \"www.google.com:443\"\n```\n\nDirective\n=========\n\nproxy_connect\n-------------\n\nSyntax: **proxy_connect**  \nDefault: `none`  \nContext: `server`  \n\nEnable \"CONNECT\" HTTP method support.\n\nproxy_connect_allow\n-------------------\n\nSyntax: **proxy_connect_allow `all | [port ...] | [port-range ...]`**  \nDefault: `443 563`  \nContext: `server`  \n\nThis directive specifies a list of port numbers or ranges to which the proxy CONNECT method may connect.  
 \nBy default, only the default https port (443) and the default snews port (563) are enabled.  \nUsing this directive will override this default and allow connections to the listed ports only.\n\nThe value `all` will allow all ports to proxy.\n\nThe value `port` will allow specified port to proxy.\n\nThe value `port-range` will allow specified range of port to proxy, for example:\n\n```\nproxy_connect_allow 1000-2000 3000-4000; # allow range of port from 1000 to 2000, from 3000 to 4000.\n```\n\nproxy_connect_connect_timeout\n-----------------------------\n\nSyntax: **proxy_connect_connect_timeout `time`**  \nDefault: `none`  \nContext: `server`  \n\nDefines a timeout for establishing a connection with a proxied server.\n\nproxy_connect_data_timeout\n--------------------------\n\nSyntax: **proxy_connect_data_timeout `time`**  \nDefault: `60s`  \nContext: `server`  \n\nSets the timeout between two successive read or write operations on client or proxied server connections. If no data is transmitted within this time, the connection is closed.\n\nproxy_connect_read_timeout\n--------------------------\n\nSyntax: **proxy_connect_read_timeout `time`**  \nDefault: `60s`  \nContext: `server`  \n\nDeprecated.\n\nIt has the same function as the directive `proxy_connect_data_timeout` for compatibility. You can configure only one of the directives (`proxy_connect_data_timeout` or `proxy_connect_read_timeout`).\n\nproxy_connect_send_timeout\n--------------------------\n\nSyntax: **proxy_connect_send_timeout `time`**  \nDefault: `60s`  \nContext: `server`  \n\nDeprecated.\n\nIt has no function.\n\nproxy_connect_address\n---------------------\n\nSyntax: **proxy_connect_address `address | off`**  \nDefault: `none`  \nContext: `server`  \n\nSpecify an IP address of the proxied server. The address can contain variables.  \nThe special value off is equal to none, which uses the IP address resolved from host name of CONNECT request line.  
\n\nNOTE: If using `set $\u003cnginx variable\u003e` and `proxy_connect_address $\u003cnginx variable\u003e` together, you should use `proxy_connect_rewrite.patch` instead, see [Install](#install) for more details.\n\nproxy_connect_bind\n------------------\n\nSyntax: **proxy_connect_bind `address [transparent] | off`**  \nDefault: `none`  \nContext: `server`  \n\nMakes outgoing connections to a proxied server originate from the specified local IP address with an optional port.  \nParameter value can contain variables. The special value off is equal to none, which allows the system to auto-assign the local IP address and port.\n\nThe transparent parameter allows outgoing connections to a proxied server originate from a non-local IP address, for example, from a real IP address of a client:\n\n```\nproxy_connect_bind $remote_addr transparent;\n\n```\n\nIn order for this parameter to work, it is usually necessary to run nginx worker processes with the [superuser](http://nginx.org/en/docs/ngx_core_module.html#user) privileges. On Linux it is not required (1.13.8) as if the transparent parameter is specified, worker processes inherit the CAP_NET_RAW capability from the master process. 
It is also necessary to configure kernel routing table to intercept network traffic from the proxied server.\n\nNOTE: If using `set $\u003cnginx variable\u003e` and `proxy_connect_bind $\u003cnginx variable\u003e` together, you should use `proxy_connect_rewrite.patch` instead, see [Install](#install) for more details.\n\nproxy_connect_response\n----------------------\n\nSyntax: **proxy_connect_response `CONNECT response`**  \nDefault: `HTTP/1.1 200 Connection Established\\r\\nProxy-agent: nginx\\r\\n\\r\\n`  \nContext: `server`\n\nSet the response of CONNECT request.\n\nNote that it is only used for CONNECT request, it cannot modify the data flow over CONNECT tunnel.\n\nFor example:\n\n```\nproxy_connect_response \"HTTP/1.1 200 Connection Established\\r\\nProxy-agent: nginx\\r\\nX-Proxy-Connected-Addr: $connect_addr\\r\\n\\r\\n\";\n\n```\n\nThe `curl` command test case with above config is as follows:\n\n```\n$ curl https://github.com -sv -x localhost:3128\n* Connected to localhost (127.0.0.1) port 3128 (#0)\n* allocate connect buffer!\n* Establish HTTP proxy tunnel to github.com:443\n\u003e CONNECT github.com:443 HTTP/1.1\n\u003e Host: github.com:443\n\u003e User-Agent: curl/7.64.1\n\u003e Proxy-Connection: Keep-Alive\n\u003e\n\u003c HTTP/1.1 200 Connection Established            --.\n\u003c Proxy-agent: nginx                               | custom CONNECT response\n\u003c X-Proxy-Connected-Addr: 13.229.188.59:443      --'\n...\n\n```\n\n\nVariables\n=========\n\n$connect_host\n-------------\n\nhost name from CONNECT request line.\n\n$connect_port\n-------------\n\nport from CONNECT request line.\n\n$connect_addr\n-------------\n\nIP address and port of the remote host, e.g. 
\"192.168.1.5:12345\".\nIP address is resolved from host name of CONNECT request line.\n\n$proxy_connect_connect_timeout\n------------------------------\n\nGet or set timeout of [`proxy_connect_connect_timeout` directive](#proxy_connect_connect_timeout).\n\nFor example:\n\n```nginx\n# Set default value\n\nproxy_connect_connect_timeout   10s;\nproxy_connect_data_timeout      10s;\n\n# Override default value\n\nif ($host = \"test.com\") {\n    set $proxy_connect_connect_timeout  \"10ms\";\n    set $proxy_connect_data_timeout     \"10ms\";\n}\n```\n\n$proxy_connect_data_timeout\n---------------------------\n\nGet or set a timeout of [`proxy_connect_data_timeout` directive](#proxy_connect_data_timeout).\n\n$proxy_connect_read_timeout\n---------------------------\n\nDeprecated. \nIt still can get or set a timeout of [`proxy_connect_data_timeout` directive](#proxy_connect_data_timeout) for compatibility.\n\n$proxy_connect_send_timeout\n---------------------------\n\nDeprecated.\nIt has no function.\n\n$proxy_connect_resolve_time\n---------------------------\n\nKeeps time spent on name resolving; the time is kept in seconds with millisecond resolution.\n\n* Value of \"\" means this module does not work on this request.\n* Value of \"-\" means name resolving failed.\n\n\n$proxy_connect_connect_time\n---------------------------\n\nKeeps time spent on establishing a connection with the upstream server; the time is kept in seconds with millisecond resolution.\n\n* Value of \"\" means this module does not work on this request.\n* Value of \"-\" means name resolving or connecting failed.\n\n\n$proxy_connect_first_byte_time\n---------------------------\n\nKeeps time to receive the first byte of data from the upstream server; the time is kept in seconds with millisecond resolution.\n\n* Value of \"\" means this module does not work on this request.\n* Value of \"-\" means name resolving, connecting or receiving 
failed.\n\n\n$proxy_connect_response\n---------------------------\n\nGet or set the response of CONNECT request.  \nThe default response of CONNECT request is \"HTTP/1.1 200 Connection Established\\r\\nProxy-agent: nginx\\r\\n\\r\\n\".\n\nNote that it is only used for CONNECT request, it cannot modify the data flow over CONNECT tunnel.\n\nFor example:\n\n```nginx\n\n# modify default Proxy-agent header\nset $proxy_connect_response \"HTTP/1.1 200\\r\\nProxy-agent: nginx/1.19\\r\\n\\r\\n\";\n```\n\nThe variable value does not support nginx variables. You can use lua-nginx-module to construct string that contains nginx variable. For example:\n\n```nginx\n\n# The CONNECT response may be \"HTTP/1.1 200\\r\\nProxy-agent: nginx/1.19.6\\r\\n\\r\\n\"\n\nrewrite_by_lua '\n    ngx.var.proxy_connect_response =\n      string.format(\"HTTP/1.1 200\\\\r\\\\nProxy-agent: nginx/%s\\\\r\\\\n\\\\r\\\\n\", ngx.var.nginx_version)\n';\n```\n\nAlso note that `set` or `rewrite_by_lua*` directive is run during the REWRITE phase, which is ahead of dns resolving phase. It cannot get right value of some variables, for example, `$connect_addr` value is `nil`. 
In such case, you should use [`proxy_connect_response` directive](#proxy_connect_response) instead.\n\n\nCompatibility\n=============\n\nNginx Compatibility\n-------------------\n\nThe latest module is compatible with the following versions of nginx:\n\n* 1.27.1  (mainline version of 1.27.x)\n* 1.26.2  (version of 1.26.x)\n* 1.24.0  (version of 1.24.x)\n* 1.22.1  (version of 1.22.x)\n* 1.20.2  (version of 1.20.x)\n* 1.18.0  (version of 1.18.x)\n* 1.16.1  (version of 1.16.x)\n* 1.14.2  (version of 1.14.x)\n* 1.12.1  (version of 1.12.x)\n* 1.10.3  (version of 1.10.x)\n* 1.8.1   (version of 1.8.x)\n* 1.6.3   (version of 1.6.x)\n* 1.4.7   (version of 1.4.x)\n\nOpenResty Compatibility\n-----------------------\n\nThe latest module is compatible with the following versions of OpenResty:\n\n* 1.25.3 (version: 1.25.3.1)\n* 1.21.4 (version: 1.21.4.3)\n* 1.19.3 (version: 1.19.3.1)\n* 1.17.8 (version: 1.17.8.2)\n* 1.15.8 (version: 1.15.8.1)\n* 1.13.6 (version: 1.13.6.2)\n\nTengine Compatibility\n---------------------\n\nThis module has been integrated into Tengine 2.3.0.  \n\n* [Tengine ngx_http_proxy_connect_module documentation](http://tengine.taobao.org/document/proxy_connect.html)\n* [Merged pull request for Tengine 2.3.0](https://github.com/alibaba/tengine/pull/1210).\n\nFAQ\n===\n\nSee [FAQ page](https://github.com/chobits/ngx_http_proxy_connect_module/wiki/FAQ).\n\nKnown Issues\n============\n\n* In HTTP/2, the CONNECT method is not supported. It only supports the CONNECT method request in HTTP/1.x and HTTPS.\n\nSee Also\n========\n\n* [HTTP tunnel - Wikipedia](https://en.wikipedia.org/wiki/HTTP_tunnel)\n* [CONNECT method in HTTP/1.1](https://tools.ietf.org/html/rfc7231#section-4.3.6)\n* [CONNECT method in HTTP/2](https://httpwg.org/specs/rfc7540.html#CONNECT)\n\nAuthor\n======\n* [Peng Qi](https://github.com/jinglong): original author. 
He contributed this module to [Tengine](https://github.com/tengine) in this [pull request](https://github.com/alibaba/tengine/pull/335/).  \n* [Xiaochen Wang](https://github.com/chobits): current maintainer. Rebuild this module for nginx.\n\nLICENSE\n=======\n\nSee [LICENSE](https://github.com/chobits/ngx_http_proxy_connect_module/blob/master/LICENSE) for details.\n","funding_links":[],"categories":["C","Third Party Modules"],"sub_categories":["C Modules"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchobits%2Fngx_http_proxy_connect_module","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchobits%2Fngx_http_proxy_connect_module","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchobits%2Fngx_http_proxy_connect_module/lists"}