Manually setting a proxy in a command works, but not setting it in proxychains

192.168.2.4 is a machine running a Squid Proxy on port 3128, and a web server on port 80 only accessible via this proxy.

If I run:

$ curl 192.168.2.4 --proxy 192.168.2.4:3128

It works perfectly and cURL outputs the contents of the homepage. Now, when I try to use ProxyChains:

$ cat proxychains.conf
strict_chain
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
http 192.168.2.4 3128

$ proxychains curl 192.168.2.4
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-192.168.2.4:3128-<><>-192.168.2.4:80-<--denied
curl: (7) Couldn't connect to server

It doesn't work. It seems to connect correctly to the Squid Proxy, but not to the end web server.

Any idea why this would be the case?


I have discovered with Wireshark that, when talking to a proxy, curl uses GET while proxychains uses CONNECT. The difference is explained here: What is the difference between “CONNECT” and “GET HTTPS”?

Another answer mentions proxy chaining with CONNECT. I think GET cannot be chained, that's why proxychains uses CONNECT.

Now, the Wikipedia article about HTTP tunneling says the following about CONNECT:

Not all HTTP Proxy Servers support this feature, and even those that do, may limit the behaviour (for example only allowing connections to the default HTTPS port 443, or blocking traffic which doesn't appear to be SSL).

Indeed, the Squid Cache Wiki states (emphasis mine):

It is important to notice that the protocols passed through CONNECT are not limited to the ones Squid normally handles. Quite literally anything that uses a two-way TCP connection can be passed through a CONNECT tunnel. This is why the Squid default ACLs start with deny CONNECT !SSL_Ports and why you must have a very good reason to place any type of allow rule above them.

I guess your squid.conf includes a line like this:

http_access deny CONNECT !SSL_Ports

I have found an answer that says it's enough to comment this line out. Checked, it works. However, if you don't want to punch such a big hole in your proxy then try to add the following three lines to your squid.conf:

acl myserver dst 192.168.2.4
acl myport port 80
http_access allow CONNECT myserver myport
# the original uncommented line must be below, like this
http_access deny CONNECT !SSL_Ports
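As an added illustration (not part of the question or the answer above), the two request forms the answer describes on the wire, plus a small check that a Squid ACL change only opens a CONNECT tunnel to the intended destination; it assumes the addresses from the question (Squid on 192.168.2.4:3128, web server on port 80) and Python 3.9+.

```python
import socket

# Assumed from the question: Squid on 192.168.2.4:3128, web server on :80.
PROXY = ("192.168.2.4", 3128)


def get_via_proxy_request(host: str, port: int = 80, path: str = "/") -> bytes:
    """Proxied GET with an absolute URI, the form curl sends with --proxy.
    Squid handles it as an ordinary HTTP request, so the CONNECT ACL never applies."""
    return (f"GET http://{host}:{port}{path} HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n").encode()


def connect_request(host: str, port: int) -> bytes:
    """CONNECT tunnel request, the form proxychains sends for each hop.
    This is what 'http_access deny CONNECT !SSL_Ports' matches on."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()


def tunnel_status(response: bytes) -> tuple[int, str]:
    """Parse the proxy's status line: 200 means the tunnel is open, anything
    else (Squid answers 403 on an ACL deny) is what proxychains prints as 'denied'."""
    status_line = response.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def connect_allowed(dst_host: str, dst_port: int, proxy=PROXY, timeout=5.0) -> bool:
    """Ask the proxy for a CONNECT tunnel to dst_host:dst_port and report whether
    it was granted. After adding the three-line ACL from the answer, expect
    connect_allowed('192.168.2.4', 80) to be True while other ports stay False."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(connect_request(dst_host, dst_port))
        reply = b""
        while b"\r\n\r\n" not in reply:          # read up to the end of the headers
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return tunnel_status(reply)[0] == 200
```

Running connect_allowed() against a port you did not intend to open is the quickest way to confirm the narrow allow rule did not widen the deny below it.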