HTTP: support http forward proxying

Maxim Dounin mdounin at mdounin.ru
Tue Jul 14 14:27:03 UTC 2020


Hello!

On Tue, Jul 14, 2020 at 11:41:03AM +0800, 吕海涛 wrote:

> Hello, nginx,
> 
> This is my first try at adding the http forward proxying feature to nginx.
> 
> The http forward proxy protocol runs on a plain http connection, which has a big privacy issue.
> So web browsers like Chrome and Firefox have added support for forward proxy over https.
> 
> We use nginx as an https server, and we also need the forward proxy feature over https on the same host.
> Nginx does not support forward proxying now. If we launch another security http proxy server, we
> have no choice but to stop the nginx server, because both the proxy server and nginx will listen on the
> same 443 port.
> 
> So, http forward proxying is needed for nginx for us.
> 
> After investigating the nginx source, I found that almost all features needed for http forward proxying
> are there. If we implement this feature as a dedicated module, we have to duplicate too much code
> from the http_proxy_module and http_upstream_module. So I propose to make small modifications to the
> existing code base.

[...]

> Here is the patch. Please make your comment. Thank you. 

Thank you for the patch.

Forward proxying is intentionally not supported by nginx.  In many 
places the code assumes trusted backends and either provides 
defaults which are not suitable for forward proxying (such as 
X-Accel-* headers being handled by default), or provides no 
mitigations for various possible malicious behaviour of upstream 
servers.

While using carefully configured nginx as a forward proxy might be 
possible in some cases, this is not something we are going to 
support.  Accordingly, no patches to support additional aspects of 
forward proxying will be accepted.  If you need a forward proxy, 
consider other products.

Thank you for understanding.

-- 
Maxim Dounin
http://mdounin.ru/
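
The reply above names X-Accel-* headers being handled by default as one reason the proxy code assumes trusted backends. The following configuration is an added illustration, not part of the original message or the nginx project's own material: it shows a reverse-proxy location left at that default next to one that tells nginx to ignore those response headers with `proxy_ignore_headers`. The upstream name, address, port and location paths are assumptions made for the example.

```nginx
# Constructed example; upstream name, address, port and paths are hypothetical.
upstream app_backend {
    server 192.0.2.10:8080;    # documentation address (RFC 5737)
}

server {
    listen 8080;

    # Default behaviour: nginx acts on X-Accel-* response headers sent by the
    # upstream. X-Accel-Redirect triggers an internal redirect, X-Accel-Expires
    # sets caching time, X-Accel-Limit-Rate sets the response rate limit,
    # X-Accel-Buffering toggles buffering, X-Accel-Charset sets the charset.
    # This is only appropriate when the backend is trusted.
    location /trusted/ {
        proxy_pass http://app_backend;
    }

    # Backend that is not fully trusted: stop nginx from processing the
    # control headers it would otherwise honour by default.
    location /less-trusted/ {
        proxy_pass http://app_backend;
        proxy_ignore_headers X-Accel-Redirect X-Accel-Expires X-Accel-Limit-Rate
                             X-Accel-Buffering X-Accel-Charset;
    }
}
```

This covers only the one default the reply mentions; it does not make nginx suitable as a forward proxy, which the reply states is not supported.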

