I am using OpenResty as a reverse proxy. OpenResty uses Nginx as the backend server. I have configured OpenResty with LuaJIT so that I can use Lua inside my proxy configuration in order to perform some business logic.
I want to forward all requests to the original URL, using the original protocol, i.e. using HTTP/HTTPS.
My proxy.conf is under /usr/local/openresty/nginx/conf/sites-available/proxy.conf and it is as follows:
```nginx
server {
    error_log /usr/local/openresty/nginx/logs/error.log debug;
    error_log /usr/local/openresty/nginx/logs/error.log notice;
    error_log /usr/local/openresty/nginx/logs/error.log info;
    access_log /usr/local/openresty/nginx/logs/access.log;

    listen 1080 ssl default_server;
    listen 443 ssl default_server;
    server_name localhost;

    ssl_certificate /usr/local/openresty/nginx/ssl/localhost.crt;
    ssl_certificate_key /usr/local/openresty/nginx/ssl/localhost.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    location / {
        proxy_read_timeout 300;
        proxy_ssl_verify off;
        # Using Google as DNS for testing purposes.
        resolver 8.8.8.8;
        proxy_pass https://$host$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Required for WebSocket support (if needed)
        # proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection "upgrade";
    }
}
```
My SSL certificates are self-signed, generated using OpenSSL, for my local host.
I am testing it in the following way:
```sh
curl -v -I -x https://localhost:1080 https://www.google.com
```
And I am getting the following error:
```
*   Trying 127.0.0.1:1080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1080 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Proxy certificate:
*  subject: CN=localhost
*  start date: Sep  5 09:31:24 2023 GMT
*  expire date: Oct  5 09:31:24 2023 GMT
*  subjectAltName: host "localhost" matched cert's "localhost"
*  issuer: CN=localhost
*  SSL certificate verify ok.
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< Server: openresty/1.21.4.2
Server: openresty/1.21.4.2
< Date: Thu, 07 Sep 2023 09:58:22 GMT
Date: Thu, 07 Sep 2023 09:58:22 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 163
Content-Length: 163
< Connection: close
Connection: close
<
* Received HTTP code 400 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 400 from proxy after CONNECT
```
In my error.log I am getting:
```
*1 recv() failed (104: Connection reset by peer) while reading client request line, client: 127.0.0.1, server: localhost, request: "CONNECT www.google.com:443 HTTP/1.1"
```
I don't think that this is related to my self-signed certificates, but I don't know.
Any hint why I cannot forward my original requests?
Many thanks in advance.
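Editor's note, with an added example that is not part of the question above. The curl output shows what is actually going wrong: for an `https://` target, curl does not send a `GET` through the proxy, it first sends a `CONNECT www.google.com:443 HTTP/1.1` request and expects a `200` so it can run its own TLS handshake with Google through the tunnel. Stock nginx (and therefore OpenResty without a patch such as ngx_http_proxy_connect_module) has no handler for the `CONNECT` method and rejects that request line as invalid with `400 Bad Request` before any `location` block or `proxy_pass` is consulted. The `proxy_pass https://$host$request_uri` pattern only ever sees regular request lines, i.e. what a client sends to an HTTP proxy for a plain `http://` target, so the self-signed certificate is indeed not the cause. The script below is a small probe for checking this from the outside: it builds both request shapes, opens a TLS connection to the proxy the way `curl -x https://…` does, sends one request and parses the status line the proxy answers with. The proxy address, the target host and the sample response bytes are constructed for this example; nothing here is code from the question or from OpenResty.

```python
"""Probe whether an HTTPS-terminating proxy accepts CONNECT tunnels.

Added example (not from the original question). Assumptions: a proxy
listening on PROXY_HOST:PROXY_PORT with TLS on the client side, and a
target such as www.google.com; both are illustrative values.
"""
import socket
import ssl

PROXY_HOST = "localhost"   # assumed: the OpenResty instance from the question
PROXY_PORT = 1080          # assumed: its listen port


def build_connect_request(host: str, port: int) -> bytes:
    """Authority-form request line: what curl sends for an https:// target."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: Keep-Alive\r\n"
        "\r\n"
    ).encode("ascii")


def build_absolute_get(host: str, path: str = "/") -> bytes:
    """Absolute-form request line: what curl sends for a plain http:// target.

    This is the only shape a stock nginx `location { proxy_pass ... }`
    forward-proxy setup can route, because it carries a real URI.
    """
    return (
        f"GET http://{host}{path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(response: bytes) -> tuple[int, str]:
    """Return (status_code, reason) from the first line of an HTTP response."""
    head = response.split(b"\r\n\r\n", 1)[0]
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def tunnel_established(status_code: int) -> bool:
    """RFC 7231 s4.3.6: any 2xx to CONNECT means the tunnel is open."""
    return 200 <= status_code < 300


def probe_proxy(request: bytes, proxy_host: str = PROXY_HOST,
                proxy_port: int = PROXY_PORT, verify_proxy_cert: bool = True,
                timeout: float = 5.0) -> tuple[int, str]:
    """Send one request to the proxy over TLS and return its status line."""
    ctx = ssl.create_default_context()
    if not verify_proxy_cert:
        # Only for a lab proxy with a self-signed certificate, like the one
        # in the question; never disable verification against a real proxy.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=proxy_host) as tls:
            tls.sendall(request)
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
    return parse_status(buf)


# Constructed sample, modelled on the response shown in the question.
SAMPLE_400_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: openresty/1.21.4.2\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 163\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    code, reason = probe_proxy(build_connect_request("www.google.com", 443),
                               verify_proxy_cert=False)
    print(f"CONNECT -> {code} {reason}; tunnel open: {tunnel_established(code)}")
```

Run against the configuration in the question, the CONNECT probe reports `400 Bad Request` and `tunnel open: False`, which is the same failure curl reports; an absolute-form `GET http://…` request built with `build_absolute_get` is the case that `proxy_pass` can actually route. Two points worth keeping in mind when fixing this: a forward proxy that terminates TLS for `https://` targets itself (rather than tunnelling CONNECT) must present a certificate for every target hostname, which is a TLS-interception design and needs a trusted local CA on every client; and the posted `proxy_ssl_verify off` means the proxy would accept any upstream certificate, so whatever forwards the traffic should verify upstream certificates against a CA bundle once the routing problem is solved.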