| author | Roman Arutyunyan <arut@nginx.com> | 2025-05-20 15:33:20 +0400 |
|---|---|---|
| committer | Roman Arutyunyan <arut@nginx.com> | 2025-05-25 22:16:04 +0400 |
| commit | d76e3d301644cfc6a2d914976b6098eb98b9e5b9 (patch) | |
| tree | b3aa4ef70b07d641e9c5b6d0693bb121b389ba7d /src/http/ngx_http_request.h | |
| parent | 6a134dfd4888fc3850d22294687cfb3940994c69 (diff) | |
HTTP CONNECT proxy.

HTTP CONNECT method is now supported in HTTP/1 connections. It's disabled
in all currently existing standard modules. A new variable $port is added
that contains the port passed by the client in HTTP CONNECT. The $host
variable contains the host part.

A new ngx_http_tunnel module is added which establishes a tunnel
to a backend. It supports the newly added HTTP CONNECT method and can be
used to set up an HTTP CONNECT proxy.

As recommended by RFC 9110, proxy target should be restricted to ensure
safe proxying:

: Proxies that support CONNECT SHOULD restrict its use to a limited set
: of known ports or a configurable list of safe request targets.

Example config:

    server {
        listen 8000;

        resolver dns.example.com;

        map $port $tun_port {
            80 1;
            443 1;
        }

        map $host $tun_host {
            hostnames;
            example.com 1;
            *.example.org 1;
        }

        map $tun_port$tun_host $tun {
            11 $host:$port;
        }

        location / {
            tunnel_pass $tun;
        }
    }

Request:

    $ curl -px 127.0.0.1:8000 http://example.com

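
The allow-list decision made by the example config above, modelled in Python as an added example (not part of the commit or of nginx; the function names are hypothetical). It covers only the `map` features that config uses: exact keys, one `*.` hostname wildcard, and the empty default for a miss.

```python
# Model of the three maps in the commit's example config (added illustration).
PORT_MAP = {"80": "1", "443": "1"}                       # map $port $tun_port
HOST_MAP = {"example.com": "1", "*.example.org": "1"}    # map $host $tun_host


def map_port(port):
    # Plain string match: "080" or "443 " is a miss and yields "".
    return PORT_MAP.get(port, "")


def map_host(host):
    # String keys in map are matched ignoring case.
    host = host.lower()
    if host in HOST_MAP:
        return HOST_MAP[host]
    # "*.example.org" covers subdomains at any depth, not the bare name.
    labels = host.split(".")
    for i in range(1, len(labels)):          # longest suffix first
        key = "*." + ".".join(labels[i:])
        if key in HOST_MAP:
            return HOST_MAP[key]
    return ""


def tunnel_target(host, port):
    """Value of $tun: "host:port" only when both maps hit, else ""."""
    # map $tun_port$tun_host $tun { 11 $host:$port; }
    # "1" + "" and "" + "1" both give "1", so one hit alone never matches.
    # This holds because every allow-list value is the single character "1".
    if map_port(port) + map_host(host) == "11":
        return f"{host}:{port}"
    return ""


if __name__ == "__main__":
    # Constructed sample CONNECT targets.
    for host, port in [("example.com", "443"), ("a.b.example.org", "80"),
                       ("example.org", "443"), ("example.com", "22"),
                       ("other.test", "443")]:
        print(f"{host}:{port} ->", tunnel_target(host, port) or "(empty)")
```

What the tunnel module does when `$tun` is empty is not shown on this page, so the model stops at the variable's value.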
Diffstat (limited to 'src/http/ngx_http_request.h')
| -rw-r--r-- | src/http/ngx_http_request.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h index 9407f46ae..c5c8f939f 100644 --- a/src/http/ngx_http_request.h +++ b/src/http/ngx_http_request.h @@ -238,6 +238,7 @@ typedef struct { ngx_str_t passwd; ngx_str_t server; + ngx_str_t port; off_t content_length_n; time_t keep_alive_n; @@ -600,6 +601,8 @@ struct ngx_http_request_s { u_char *schema_end; u_char *host_start; u_char *host_end; + u_char *port_start; + u_char *port_end; unsigned http_minor:16; unsigned http_major:16; |
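Review bot: in the first hunk (@@ -238), the new `ngx_str_t port;` field next to `server` is undocumented: nothing in this header says whether it is filled only for CONNECT requests, what it holds otherwise, or whether it is the raw text from the request or an already validated port number. Since the commit message feeds `$port` into a `map`-based allow list, a short comment stating that the field is empty unless a port was parsed, and where range checking happens, would keep callers from treating an unchecked string as a port.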
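Review bot: in the second hunk (@@ -600), `port_start` and `port_end` are raw `u_char *` pointers added after `host_start`/`host_end` in `struct ngx_http_request_s`, and the header does not state their lifetime or reset rules. The code that sets them is outside this file-limited diff, so please confirm they are cleared whenever a request line carries no port and that consumers check both are non-NULL with `port_end >= port_start` before computing a length. A one-line comment beside the pair would record that invariant.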
