nginx returns 400 bad request when receiving CONNECT request #136

Closed
ximeng890726 opened this issue Dec 31, 2019 · 15 comments

@ximeng890726

Hi,

After installing dynamic modules, nginx can start without error. However, it does process any proxy connect request. (HTTP works fine; HTTPS CONNECT does not work and 400 BAD REQUEST is returned.)

I am running nginx plus on 1.17.6 (I made the module .so with the OSS version and put it into the plus module folder). Is it not compatible with the latest nginx version? Is there a way I can troubleshoot? Thank you.

[root@localhost conf.d]# nginx -v
nginx version: nginx/1.17.6 (nginx-plus-r20)

[root@localhost conf.d]# cat ep.conf
server {
listen 8080;

 # dns resolver used by forward proxying
 resolver                       8.8.8.8;

 # forward proxy for CONNECT request
 proxy_connect ;
 proxy_connect_allow            443 563;
 proxy_connect_connect_timeout  10s;
 proxy_connect_read_timeout     10s;
 proxy_connect_send_timeout     10s;

 # forward proxy for non-CONNECT request
 location / {
     proxy_pass http://$host;
     proxy_set_header Host $host;
 }

}

[root@localhost conf.d]# tail /var/log/nginx/access.log
10.1.10.153 - - [31/Dec/2019:15:24:16 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:41 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:42 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:42 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:42 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:43 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:43 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:43 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:44 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"
10.1.10.153 - - [31/Dec/2019:15:26:44 +0800] "CONNECT github:443 HTTP/1.1" 400 157 "-" "-" "-"

[root@localhost ~]# curl https://github -v --proxy 10.1.10.152:8080

* About to connect() to proxy 10.1.10.152 port 8080 (#0)
* Trying 10.1.10.152...
* Connected to 10.1.10.152 (10.1.10.152) port 8080 (#0)
* Establish HTTP proxy tunnel to github:443

CONNECT github:443 HTTP/1.1
Host: github:443
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive

< HTTP/1.1 400 Bad Request
< Server: nginx/1.17.6
< Date: Tue, 31 Dec 2019 07:24:16 GMT
< Content-Type: text/html
< Content-Length: 157
< Connection: close
<

* Received HTTP code 400 from proxy after CONNECT
* Connection #0 to host 10.1.10.152 left intact
curl: (56) Received HTTP code 400 from proxy after CONNECT

@xbj110825

try https://github.com
do not use https://github

@ximeng890726
Author

Thanks for the response! I tried https://github.com and got the same error. I see the same error if this module is not installed at all.

@myf5

myf5 commented Jan 10, 2020

I think this needs the patch to the http core module, as instructed by the installation steps.

@asvsfs

asvsfs commented Aug 16, 2020

Same error here

@hala21

hala21 commented Aug 26, 2020

1.18.0 also same error

@ghost

ghost commented Aug 31, 2020

I am having the same issue, but not with a dynamic module.
I've built it with the patch and the installation steps with nginx 1.14 and I still receive the same error.
HTTP works, getting a 400 error for HTTPS.

@songdongsheng

Debian 11 https proxy failed too:

nginx -V

nginx version: nginx/1.18.0
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/root/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_geoip_module=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-headers-more-filter --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-auth-pam --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-cache-purge --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-dav-ext --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-ndk --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-echo --add-dynamic-module=/root/ngx_http_proxy_connect_module --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-fancyindex 
--add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-geoip2 --add-dynamic-module=/root/nginx-1.18.0/debian/modules/nchan --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-lua --add-dynamic-module=/root/nginx-1.18.0/debian/modules/rtmp --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-uploadprogress --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-upstream-fair --add-dynamic-module=/root/nginx-1.18.0/debian/modules/http-subs-filter

* Establish HTTP proxy tunnel to google.com:80

CONNECT google.com:80 HTTP/1.1
Host: google.com:80
User-Agent: curl/7.72.0
Proxy-Connection: Keep-Alive

* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< Server: nginx/1.18.0
Server: nginx/1.18.0
< Date: Sat, 05 Sep 2020 06:21:48 GMT
Date: Sat, 05 Sep 2020 06:21:48 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 157
Content-Length: 157
< Connection: close
Connection: close
<

* Received HTTP code 400 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 400 from proxy after CONNECT

curl --version

curl 7.72.0 (x86_64-pc-linux-gnu) libcurl/7.72.0 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.8.0 nghttp2/1.41.0 librtmp/2.3
Release-Date: 2020-08-19
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

@hala21

hala21 commented Sep 12, 2020

Using nginx 1.16.1 works normally.
I just did some tests; I think 1.16.1 is enough for me.

@mamunsyuhada

mamunsyuhada commented Nov 7, 2020

I just restarted my PC, and it worked

@prophetw

prophetw commented Apr 1, 2021

Same 400 error in version 1.19.9,
and it works in version 1.16.1

version

nginx -V
nginx version: nginx/1.19.9
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
built with OpenSSL 1.1.1f  31 Mar 2020
TLS SNI support enabled
configure arguments: --with-debug --with-http_stub_status_module --with-http_ssl_module --add-module=ngx_http_proxy_connect_module

debug log

116.236.192.106 - - [01/Apr/2021:13:03:59 +0800] "CONNECT www.baidu.com:443 HTTP/1.1" 400 157 "-" "-"

2021/04/01 13:03:59 [debug] 5971#0: accept on 0.0.0.0:7777, ready: 0
2021/04/01 13:03:59 [debug] 5971#0: posix_memalign: 00687630:256 @16
2021/04/01 13:03:59 [debug] 5971#0: *8 accept: 116.236.192.106:61686 fd:3
2021/04/01 13:03:59 [debug] 5971#0: *8 event timer add: 3: 60000:993243
2021/04/01 13:03:59 [debug] 5971#0: *8 reusable connection: 1
2021/04/01 13:03:59 [debug] 5971#0: *8 epoll add event: fd:3 op:1 ev:80002001
2021/04/01 13:03:59 [debug] 5971#0: *8 http wait request handler
2021/04/01 13:03:59 [debug] 5971#0: *8 malloc: 00687BF0:1024
2021/04/01 13:03:59 [debug] 5971#0: *8 recv: eof:0, avail:-1
2021/04/01 13:03:59 [debug] 5971#0: *8 recv: fd:3 118 of 1024
2021/04/01 13:03:59 [debug] 5971#0: *8 reusable connection: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 posix_memalign: 006A5F20:4096 @16
2021/04/01 13:03:59 [debug] 5971#0: *8 http process request line
2021/04/01 13:03:59 [info] 5971#0: *8 client sent invalid request while reading client request line, client: 116.236.192.106, server: , request: "CONNECT www.baidu.com:443 HTTP/1.1"
2021/04/01 13:03:59 [debug] 5971#0: *8 http finalize request: 400, "?" a:1, c:1
2021/04/01 13:03:59 [debug] 5971#0: *8 event timer del: 3: 993243
2021/04/01 13:03:59 [debug] 5971#0: *8 http special response: 400, "?"
2021/04/01 13:03:59 [debug] 5971#0: *8 http set discard body
2021/04/01 13:03:59 [debug] 5971#0: *8 HTTP/1.1 400 Bad Request
Server: nginx/1.19.9
Date: Thu, 01 Apr 2021 05:03:59 GMT
Content-Type: text/html
Content-Length: 157
Connection: close

2021/04/01 13:03:59 [debug] 5971#0: *8 write new buf t:1 f:0 006A6630, pos 006A6630, size: 152 file: 0, size: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 http write filter: l:0 f:0 s:152
2021/04/01 13:03:59 [debug] 5971#0: *8 http output filter "?"
2021/04/01 13:03:59 [debug] 5971#0: *8 http copy filter: "?"
2021/04/01 13:03:59 [debug] 5971#0: *8 http postpone filter "?" 006A67B0
2021/04/01 13:03:59 [debug] 5971#0: *8 write old buf t:1 f:0 006A6630, pos 006A6630, size: 152 file: 0, size: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 write new buf t:0 f:0 00000000, pos 004F7EE4, size: 104 file: 0, size: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 write new buf t:0 f:0 00000000, pos 004F6E90, size: 53 file: 0, size: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 http write filter: l:1 f:0 s:309
2021/04/01 13:03:59 [debug] 5971#0: *8 http write filter limit 0
2021/04/01 13:03:59 [debug] 5971#0: *8 writev: 309 of 309
2021/04/01 13:03:59 [debug] 5971#0: *8 http write filter 00000000
2021/04/01 13:03:59 [debug] 5971#0: *8 http copy filter: 0 "?"
2021/04/01 13:03:59 [debug] 5971#0: *8 http finalize request: 0, "?" a:1, c:1
2021/04/01 13:03:59 [debug] 5971#0: *8 reusable connection: 1
2021/04/01 13:03:59 [debug] 5971#0: *8 event timer add: 3: 5000:938243
2021/04/01 13:03:59 [debug] 5971#0: *8 http lingering close handler
2021/04/01 13:03:59 [debug] 5971#0: *8 recv: eof:1, avail:-1
2021/04/01 13:03:59 [debug] 5971#0: *8 recv: fd:3 -1 of 4096
2021/04/01 13:03:59 [info] 5971#0: *8 recv() failed (104: Connection reset by peer) while reading client request line, client: 116.236.192.106, server: , request: "CONNECT www.baidu.com:443 HTTP/1.1"
2021/04/01 13:03:59 [debug] 5971#0: *8 lingering read: -1
2021/04/01 13:03:59 [debug] 5971#0: *8 http request count:1 blk:0
2021/04/01 13:03:59 [debug] 5971#0: *8 http close request
2021/04/01 13:03:59 [debug] 5971#0: *8 http log handler
2021/04/01 13:03:59 [debug] 5971#0: *8 free: 006A5F20, unused: 1721
2021/04/01 13:03:59 [debug] 5971#0: *8 close http connection: 3
2021/04/01 13:03:59 [debug] 5971#0: *8 event timer del: 3: 938243
2021/04/01 13:03:59 [debug] 5971#0: *8 reusable connection: 0
2021/04/01 13:03:59 [debug] 5971#0: *8 free: 00687BF0
2021/04/01 13:03:59 [debug] 5971#0: *8 free: 00687630, unused: 8

test @hala21 nginx/1.16.1

 nginx -V
nginx version: nginx/1.16.1
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
configure arguments: --add-module=../ngx_http_proxy_connect_module

it works

@ndtreviv

ndtreviv commented Jun 8, 2021

I had the same problems, I was using a multi-build docker container.

In the end this worked:

FROM nginx:1.16.1-alpine

ENV NGINX_VERSION 1.16.1

# Download sources
# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile
RUN apk update && apk upgrade && \
    apk add --no-cache --virtual .build-deps \
    gcc \
    libc-dev \
    make \
    openssl-dev \
    pcre-dev \
    zlib-dev \
    linux-headers \
    curl \
    gnupg \
    libxslt-dev \
    gd-dev \
    geoip-dev \
    patch \
    bash \
    git \
    openssh

RUN wget "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -O nginx.tar.gz
RUN git clone "https://github.com/chobits/ngx_http_proxy_connect_module"

RUN tar -zxC / -f nginx.tar.gz && \
    cd /nginx-$NGINX_VERSION && \
    patch -p1 < /ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_101504.patch && \
    ./configure \
    --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --with-perl_modules_path=/usr/lib/perl5/vendor_perl \
    --user=nginx \
    --group=nginx \
    --with-compat \
    --with-file-aio \
    --with-threads \
    --with-http_addition_module \
    --with-http_auth_request_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_mp4_module \
    --with-http_random_index_module \
    --with-http_realip_module \
    --with-http_secure_link_module \
    --with-http_slice_module \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-http_sub_module \
    --with-http_v2_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-stream \
    --with-stream_realip_module \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --add-dynamic-module=/ngx_http_proxy_connect_module && \
    make && make install

# The module is installed as /usr/lib/nginx/modules/ngx_http_proxy_connect_module.so

COPY nginx.conf /etc/nginx/nginx.conf
COPY default.conf /etc/nginx/conf.d/default.conf
COPY index.html /usr/share/nginx/html/index.html

In the multi-build docker container, the --add-dynamic-module switch was not on the final nginx install config parameters (you can see from running docker exec nginx nginx -V), and even though I was calling load_module in the nginx.conf, it still wasn't invoking it.

When I switched to a single build like the one above it worked.

UPDATE: This way also works with nginx v1.19.3, just change the patch to be proxy_connect_rewrite_1018.patch

@YuriyTigiev

Could anyone share an example of docker-compose.yml for using nginx with this module? And could these instructions be added to the documentation (installation part)?

@hydev1126

Same error with NginxPlus, have you fixed it?

@chobits
Owner

chobits commented Oct 1, 2022

Hi all, the 400 Bad Request reply from your nginx means that this module is not installed into your nginx binary.

If you compile a standalone nginx with the right patch (to the nginx source core) and the module source, and then use this standalone nginx binary to start, it will work as expected.

If you already have an nginx binary on your server without this module installed, then although you compiled this module as a dynamic module (.so), it will not work with the original nginx binary, because the original nginx binary without the patch cannot handle CONNECT requests (so it will reply 400 Bad Request). The right way is as follows:

1. Patch the nginx source core with the right patch (in this module's patch/ directory).
2. Recompile the nginx source core with this module (static compile with --add-module or dynamic compile with --add-dynamic-module is OK).
3. Stop your old nginx (make sure the master and workers have stopped).
4. Replace the old nginx binary with the new nginx binary (if you compiled this module dynamically, also copy the module .so file to the right .so directory).
5. Edit the nginx configuration file with the proxy_module directive.
6. Start nginx with the new nginx binary.

I wanted to answer this question at first, but when I answered other similar questions, I thought I had answered this question then closed this page :(
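
A triage sketch for the failure discussed in this thread, added here as an example (it is not part of the thread or of the module's code): it reads the configure arguments printed by `nginx -V` and looks in the error log for the request-line rejection shown in the debug log above. The function names and sample inputs are constructed for illustration; client addresses use the 192.0.2.0/24 documentation range.

```python
import re

# Constructed samples, shaped like the `nginx -V` and error.log output quoted in this thread.
NGINX_V_PATCHED_BUILD = (
    "nginx version: nginx/1.16.1\n"
    "configure arguments: --add-module=../ngx_http_proxy_connect_module\n"
)
NGINX_V_STOCK = (
    "nginx version: nginx/1.18.0\n"
    "configure arguments: --with-compat --with-http_ssl_module\n"
)
ERROR_LOG = (
    "2021/04/01 13:03:59 [info] 5971#0: *8 client sent invalid request while "
    "reading client request line, client: 192.0.2.10, server: , "
    'request: "CONNECT www.example.com:443 HTTP/1.1"\n'
    "2021/04/01 13:04:02 [info] 5971#0: *9 client sent invalid request while "
    "reading client request line, client: 192.0.2.11, server: , "
    'request: "GET example HTTP/1.1"\n'
)

MODULE_ARG = re.compile(r"--add-(dynamic-)?module=\S*ngx_http_proxy_connect_module")
# Signature taken from the debug log above: the core fails the request line,
# so the 400 is sent before any module handler runs.
REJECTED = re.compile(
    r"client sent invalid request while reading client request line"
    r'.*?client: (?P<client>[^,]+),.*?request: "CONNECT (?P<target>\S+) '
)


def module_build_mode(nginx_v_output):
    """Return 'static', 'dynamic' or None from the configure arguments."""
    m = MODULE_ARG.search(nginx_v_output)
    if m is None:
        return None
    return "dynamic" if m.group(1) else "static"


def rejected_connects(error_log):
    """List (client, target) for CONNECT requests refused at the request line."""
    hits = (REJECTED.search(line) for line in error_log.splitlines())
    return [(m["client"], m["target"]) for m in hits if m]


def diagnose(nginx_v_output, error_log):
    """Combine both checks into one finding for the running binary."""
    if not rejected_connects(error_log):
        return "no CONNECT rejected at the request line"
    mode = module_build_mode(nginx_v_output)
    if mode is None:
        return "running binary was not configured with the module"
    return (f"module configured ({mode}) but core rejects CONNECT: "
            "verify the patch and the binary in use")


if __name__ == "__main__":
    print(diagnose(NGINX_V_STOCK, ERROR_LOG))
```

`nginx -V` writes to stderr, so capture it with `2>&1` before passing the text in, and run it against the binary that is actually serving traffic.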

@chobits
Owner

chobits commented Oct 1, 2022

Issue locked and closed. If you still have the similar problem, please file a new issue.

@chobits chobits closed this as completed Oct 1, 2022