I'm trying to set up a transparent proxy for all types of frames (HTTP, HTTPS), I'm using tinyproxy to do so. I've already set up my router to redirect (using NAT) all incoming and outgoing frames to tinyproxy (which is listening on port 8888).
I tried accessing an HTTPS website (https://www.google.com/), but I get an SSL connection error. Looking through the tinyproxy logs, I see the following:
CONNECT Mar 24 23:34:27 [22533]: Connect (file descriptor 11): 128.112.94.38 [128.112.94.38]
CONNECT Mar 24 23:34:27 [22533]: Request (file descriptor 11):
WARNING Mar 24 23:34:27 [22533]: Could not retrieve all the headers from the client
INFO Mar 24 23:34:27 [22533]: Read request entity of 103 bytes
The tinyproxy documentation says that as long as I set the following lines in the tinyproxy.conf file, forwarding of Connect frames should work transparently:
# ConnectPort: This is a list of ports allowed by tinyproxy when the
# CONNECT method is used. To disable the CONNECT method altogether, set
# the value to 0. If no ConnectPort line is found, all ports are
# allowed (which is not very secure.)
#
# The following two ports are used by SSL.
ConnectPort 443
ConnectPort 563
I've also tried removing all ConnectPort lines to see if that works (it doesn't). Does anyone know why I'm unable to forward HTTPS traffic transparently?
You're not using the term "frame" (L2) in the normal networking sense; TCP or HTTP/HTTPS connections (L6/7) are better terms to use here.

tinyproxy will deal with either HTTP proxy-request connections, of which CONNECT is one type, or non-proxy HTTP requests when in transparent mode (which you can confirm is enabled in the list of features shown with tinyproxy -h).

When the browser is configured to use a proxy, it amends its outbound requests accordingly. In transparent mode the browser is unaware of the proxy (and must not be configured with one). The ConnectPort option lists the ports the clients are allowed to CONNECT to (to prevent abuse) in normal proxy mode.

If you are using tinyproxy in transparent mode for HTTPS, there is no CONNECT, and more importantly there are no headers (which is why you see that error) and no URL. Normally host/port parts can be deduced/inferred from the destination IP, port and SNI extension -- since tinyproxy relies on some external firewall to redirect (change destination IP) connections to it, it doesn't have complete information for the request.

At this time tinyproxy can only be used as a transparent HTTP proxy, something the documentation is a little vague about. Without HTTPS inspection (i.e. decryption of TLS connections) to access the client request it can't even be a simple TCP connection forwarder. Other proxies like squid do support TLS inspection (sslbump).
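To make the answer's point concrete, here is an added example (not tinyproxy code) that looks at the first bytes a redirected connection delivers: an HTTP request line that a header-parsing proxy can handle, versus a TLS ClientHello where the only recoverable "host" is the SNI extension. The ClientHello is constructed inline as sample input; the function names are the example's own.

```python
import struct

# Constructed sample input: a minimal TLS 1.2 ClientHello carrying an SNI
# extension, i.e. what a browser sends first when NAT redirects an HTTPS
# connection to a transparent proxy (no CONNECT line, no HTTP headers).
def build_client_hello(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni          # type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                   # version + random
            + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"  # session id, suites, compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def classify_redirected_stream(data: bytes) -> str:
    """Label the first bytes of a redirected TCP stream as plain HTTP, a TLS
    ClientHello, or unknown. A header-based proxy can only serve the first."""
    if data[:1] == b"\x16" and data[5:6] == b"\x01":
        return "tls-clienthello"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT"):
        return "http"
    return "unknown"

def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                          # skip version + random
    pos += 1 + hs[pos]                                    # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher suites
    pos += 1 + hs[pos]                                    # compression methods
    if pos + 2 > len(hs):
        return None                                       # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0:   # list len(2) + name type(1) + name len(2) + name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None
```

Running `classify_redirected_stream` on the sample shows why tinyproxy logs "Could not retrieve all the headers": the stream starts with a TLS record, not a request line, and only `extract_sni` can recover the intended host.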