14

In the cURL documentation, there is an option called CURLOPT_HTTPPROXYTUNNEL which is defined to create a tunnel via the proxy when enabled.

However, I have no idea what the tunnel is and what it does. What difference will it make if I don't use a tunnel like this?

```php
// Ask cURL to tunnel through the configured HTTP proxy (issues a CONNECT request)
curl_setopt($session, CURLOPT_HTTPPROXYTUNNEL, 1);
```

UPDATE:

What I got is that the tunnel is referring to an HTTP CONNECT METHOD and here is what I understand it does:

An HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the HTTP CONNECT command to an HTTP proxy. The proxy then makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. Because this creates a security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method. The proxy allows access only to a whitelist of specific authorized servers.

So, the question is, what is the difference between connecting to a proxy with and without CONNECT method?

David Refoua
Atef
  • http://stackoverflow.com/questions/4802816/curl-through-proxy-returns-no-content – 001 Sep 05 '12 at 20:10
  • 2
    OK, what I got now is that it calls an HTTP CONNECT METHOD, and here is what HTTP CONNECT does: Another HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the HTTP CONNECT command to an HTTP proxy. The proxy then makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. Because this creates a security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method. The proxy allows access only to a whitelist of specific authorized servers. So the question is: what is the difference without it? – Atef Sep 05 '12 at 21:19
  • I should mention that when using a proxy server such as **Squid3**, in the config file you can restrict the `CONNECT` method to SSL (encrypted) ports. This is the default out-of-the-box configuration that many servers use. However, if you modify the Squid configuration to _allow_ `CONNECT` on unencrypted ports (such as 80), you can also use `CONNECT` for `http://` URLs just fine. – David Refoua May 17 '18 at 20:01

1 Answer

24

Without CURLOPT_HTTPPROXYTUNNEL

Without CURLOPT_HTTPPROXYTUNNEL: You just use the proxy address/port as the destination of your HTTP request. The proxy will read the HTTP headers of your query, forward your request to the destination (with your HTTP headers) and then write the response to you.

Example steps:

  1. HTTP GET /index.html is sent to 1.1.1.1 (the proxy).
  2. 1.1.1.1 receives the request and parses the header to get the final destination of your HTTP request.
  3. 1.1.1.1 forwards your query and headers to www.site.com (the destination in the request headers).
  4. 1.1.1.1 writes back to you the response received from www.site.com.

With CURLOPT_HTTPPROXYTUNNEL

With CURLOPT_HTTPPROXYTUNNEL: You ask the proxy to open a direct binary connection (like HTTPS, called a TCP tunnel) directly to your destination by doing a CONNECT HTTP request. When the tunnel is OK, the proxy writes you back an HTTP/1.1 200 Connection established. When it is received, your browser starts to query the destination directly: the proxy does not parse HTTP headers and theoretically does not read tunnel data; it just forwards it, that's why it is called a tunnel!

Example steps:

  1. HTTP CONNECT is sent to 1.1.1.1.
  2. 1.1.1.1 receives the HTTP CONNECT and gets the IP/port of your final destination (header field of the HTTP CONNECT).
  3. 1.1.1.1 opens a TCP socket by doing a TCP handshake to your destination 2.22.63.73:80 (IP/port of www.site.com).
  4. 1.1.1.1 makes a tunnel by piping your TCP socket to the TCP socket opened to 2.22.63.73:80 and then writes you back HTTP/1.1 200 Connection established, which means that your client can now make your query through the TCP tunnel (TCP data received will be transmitted directly to the server and vice versa).
Ifnot
  • 7
    To avoid confusion note that a proxy **CAN** read tunneled data just fine unless the tunnel is encrypted (as is the case for https:// requests). Nothing stops the proxy from examining everything you send and receive. Only end-to-end encryption keeps your data safe. –  Jul 23 '14 at 21:26
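
The two request styles described in the answer, and the CONNECT port restriction mentioned in the comments, as an added example that is not part of the original post or of cURL or Squid: it builds the first bytes a client sends to the proxy in each mode and shows how a proxy can tell them apart and refuse tunnels to non-allowlisted ports. The function names and the allowlist value are assumptions made for the illustration, and the forwarded request uses the absolute-form target that HTTP proxies expect.

```python
from urllib.parse import urlsplit

# Assumption: policy modelled on the "CONNECT only to SSL ports" restriction
# mentioned in the comments; the port set is illustrative.
ALLOWED_CONNECT_PORTS = {443}


def forward_request(url: str) -> bytes:
    """Bytes sent to the proxy without tunnelling (absolute-form target)."""
    host = urlsplit(url).netloc
    return f"GET {url} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")


def tunnel_request(host: str, port: int) -> bytes:
    """Bytes sent to the proxy to open a tunnel (authority-form target)."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def classify(head: bytes) -> dict:
    """Read the request line as a proxy would and extract the destination."""
    method, target, _version = head.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    if method == "CONNECT":
        # The proxy learns only host:port; what follows is relayed, not parsed.
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return {"mode": "tunnel", "host": host, "port": int(port)}
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("forwarded request needs an absolute http:// URL")
    return {"mode": "forward", "host": url.hostname, "port": url.port or 80}


def proxy_decision(head: bytes) -> str:
    """What a policy-enforcing proxy would do with this request."""
    req = classify(head)
    if req["mode"] == "forward":
        return "forward request, relay origin response"
    if req["port"] not in ALLOWED_CONNECT_PORTS:
        return "HTTP/1.1 403 Forbidden"
    return "HTTP/1.1 200 Connection established"


if __name__ == "__main__":
    # Constructed sample requests using the host name from the answer.
    for head in (forward_request("http://www.site.com/index.html"),
                 tunnel_request("www.site.com", 443),
                 tunnel_request("www.site.com", 80)):
        print(head.split(b"\r\n")[0].decode(), "->", proxy_decision(head))
```

With the allowlist set to `{443}`, the tunnel to port 80 is refused, which is the behaviour the Squid comment describes as the default; adding 80 to the set corresponds to allowing `CONNECT` for `http://` URLs.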