Manually setting a proxy in a command works, but not setting it in proxychains
192.168.2.4 is a machine running a Squid Proxy on port 3128, and a web server on port 80 only accessible via this proxy.
If I run:
$ curl 192.168.2.4 --proxy 192.168.2.4:3128
It works perfectly and cURL outputs the contents of the homepage. Now, when I try to use ProxyChains:
$ cat proxychains.conf
strict_chain
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
http 192.168.2.4 3128
$ proxychains curl 192.168.2.4
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.2.4:3128-<><>-192.168.2.4:80-<--denied
curl: (7) Couldn't connect to server
It doesn't work. It seems to connect correctly to the Squid Proxy, but not to the end web server.
Any idea why this would be the case?
I have discovered with wireshark
that when talking to a proxy curl
uses GET
while proxychains
uses CONNECT
. The difference is explained here: What is the difference between “CONNECT” and “GET HTTPS”?
Another answer mentions proxy chaining with CONNECT
. I think GET
cannot be chained, that's why proxychains
uses CONNECT
.
Now, Wikipedia article about HTTP tunneling says the folowing about CONNECT
:
Not all HTTP Proxy Servers support this feature, and even those that do, may limit the behaviour (for example only allowing connections to the default HTTPS port 443, or blocking traffic which doesn't appear to be SSL).
Indeed, the Squid Cache Wiki states (emphasis mine):
It is important to notice that the protocols passed through
CONNECT
are not limited to the ones Squid normally handles. Quite literally anything that uses a two-way TCP connection can be passed through aCONNECT
tunnel. This is why the Squid default ACLs start withdeny CONNECT !SSL_Ports
and why you must have a very good reason to place any type of allow rule above them.
I guess your squid.conf
includes a line like this:
http_access deny CONNECT !SSL_Ports
I have found an answer that says it's enough to comment this line out. Checked, it works. However, if you don't want to punch such a big hole in your proxy then try to add the following three lines to your squid.conf
:
acl myserver dst 192.168.2.4
acl myport port 80
http_access allow CONNECT myserver myport
# the original uncommented line must be below, like this
http_access deny CONNECT !SSL_Ports