32

While I was able to successfully configure nginx to proxy HTTP traffic (using this guide), all attempts to proxy HTTPS requests resulted in code 400 (Bad Request).

Nginx debug logs weren't helpful at all:

2013/06/05 14:38:33 [info] 74946#0: *589
    client sent invalid request while reading client request line, client: 127.0.0.1,
    server: google.com, request: "CONNECT google.com:443 HTTP/1.1"

What are these CONNECT requests? Is it even possible to proxy_pass HTTPS requests in nginx?

Update

Need to add that a proxy server is part of my web development workflow/toolkit. It's a great way to test/debug client-side JavaScript in production environment (using rewrites before the proxy).

Also nginx's config language is arguably a programming language in it's own right. It has variables!

Improve this question

5 Answers 5

Reset to default
21

Seems like nginx does not support forward proxy mode with SSL. You will need to use something like Squid instead. Here is a link with more explanation from nginx's author: HTTPS and nginx as Forward Proxy.

Improve this answer
2
  • 1
    Thanks! The thread you linked is 4 years old, but it also seems to me it's still impossible.
    – katspaugh
    Commented Jun 5, 2013 at 22:41
  • If you need a proxy for debugging, try mitmproxy.
    – Zorayr
    Commented Jun 6, 2013 at 2:31
9

Just to clarify: as I wrote on my blog's comment feed, nginx doesn't handle CONNECT method calls which are used to establish a raw TCP connection to a remote host through an HTTP proxy - which makes sense, considering that nginx is not supposed to work as a forward proxy, it just happens to work quite well for regular HTTP regardless.

Nginx just literally has no idea what to do with those method calls, that's why the error messages in the logs are rather useless. I've always found myself using privoxy for HTTPS: http://www.privoxy.org/ - it's insanely easy to set up, too. But it's still impossible to filter or mangle the content of HTTPS relays, because HTTPS connections are handled with a raw connection through the CONNECT method and the server has no idea what it's relaying.

Improve this answer
5

If you don't mind compiling nginx from source, you could install ngx_http_proxy_connect_module. The following worked for me in Debian 9 "Stretch" on a Raspberry Pi (after I added deb-src URLs to /etc/apt/sources.list and did apt-get update):

cd /tmp &&
apt-get source nginx &&
git clone https://github.com/chobits/ngx_http_proxy_connect_module &&
cd nginx-* &&
patch -p1 < ../ngx_http_proxy_connect_module/proxy_connect.patch &&
sudo apt-get install libpcre3-dev &&
./configure --add-module=/tmp/ngx_http_proxy_connect_module &&
make && sudo make install

Then edit /usr/local/nginx/conf/nginx.conf and make it look like this (I've included an example of domains you want to block, which works with both SSL and non-SSL proxying):

user www-data;
worker_processes auto;
events { }
http {
    server_names_hash_bucket_size 128;
    server {
        listen       8888;
        server_name  spam.example.com *.spam.example.com;
        server_name  spam2.example.com *.spam2.example.com;
        access_log off;
        return 404;
    }
    server {
        listen       8888;
        server_name ~.+;
        proxy_connect;
        proxy_max_temp_file_size 0;
        resolver 8.8.8.8;
        location / {
           proxy_pass http://$http_host;
           proxy_set_header Host $http_host;
        }
    }
}

Then run /usr/local/nginx/sbin/nginx. It will quite happily coexist with Debian's stock nginx package if you're also running a production webserver on port 80 and don't want to risk messing with that (but make sure to start the /usr/local version separately on boot); alternatively, with more configuration you could run both services from the nginx you've compiled. But if you do set your compiled nginx to run on a port that your firewall allows traffic to, beware you'd have to check manually for nginx security updates as the Debian package system will no longer do it for you.

Improve this answer
1
  • I had to tweak some of the commands but overall your answer worked for me. Many Thanks!
    – Robert Reiz
    Commented Nov 22, 2017 at 7:42
3

I just followed the instructions from Silas S. Brown and I was able to compile a Nginx binary which can deal with forwarding and SSL. I bundled everything together into a Docker image. The Dockerfile and the configuration is here on GitHub: https://github.com/reiz/nginx_proxy.

The Nginx Docker image in this Docker Hub repository can handle SSL connection and forwarding: https://hub.docker.com/r/reiz/nginx_proxy/.

Improve this answer
1
  • This was mighty helpful and saved me quite some time.
    – code rider
    Commented Apr 29, 2020 at 9:07
0

It took some time to my team to figure out how to make this work. Finally we achieved it by embedding the snippet below into nginx.conf:

stream {
  map_hash_bucket_size 128;
  map $ssl_preread_server_name $sphere {
    site-01.example.com site-01;
    site-02.example.com site-02;
  }

  upstream site-01 {
    server 192.168.0.1:443;
  }

  upstream site-02 {
    server 192.168.0.2:443;
  }

  server {
    listen 443;
    proxy_pass $sphere;
    ssl_preread on;
  }
}
Improve this answer
1
  • hey, can you elaborate what you did here?
    – ya24
    Commented Nov 1, 2023 at 16:55

You must log in to answer this question.