When should one use CONNECT and GET HTTP methods at HTTP Proxy Server?

I'm building a WebClient library. Now I'm implementing a proxy feature, so I am doing some research, and I saw some code using the CONNECT method to request a URL.

But checking it within my web browser, it doesn't use the CONNECT method but calls the GET method instead.

So I'm confused. When should I use each method?

A CONNECT request urges your proxy to establish an HTTP tunnel to the remote end-point. Usually it is used for SSL connections, though it can be used with HTTP as well (used for the purposes of proxy-chaining and tunneling).

CONNECT www.google.com:443 

The above line opens a connection from your proxy to www.google.com on port 443. After this, content that is sent by the client is forwarded by the proxy to www.google.com:443.

If a user tries to retrieve a page http://www.google.com, the proxy can send the exact same request and retrieve the response for him, on his behalf.

With SSL (HTTPS), only the two remote end-points understand the requests, and the proxy cannot decipher them. Hence, all it does is open that tunnel using CONNECT, and lets the two end-points (webserver and client) talk to each other directly.

Proxy Chaining:

If you are chaining 2 proxy servers, this is the sequence of requests to be issued.

GET1 is the original GET request (HTTP URL)
CONNECT1 is the original CONNECT request (SSL/HTTPS URL or Another Proxy)

User Request ==CONNECT1==> (Your_Primary_Proxy ==CONNECT==> AnotherProxy-1 ... ==CONNECT==> AnotherProxy-n) ==GET1(IF is http)/CONNECT1(IF is https)==> Destination_URL
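The sequence above, written out as the messages a client puts on the wire. This is an added example, not code from the original answer; the function names are hypothetical, and the client is assumed to wait for a 2xx reply after each CONNECT before sending the next step.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def authority(host, port):
    # IPv6 literals are bracketed in a host:port authority.
    return f"[{host}]:{port}" if ":" in host else f"{host}:{port}"

def connect_request(host, port):
    # CONNECT takes authority-form (host:port), never a URL or a path.
    target = authority(host, port)
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"

def plan_requests(url, proxies=()):
    """Ordered client steps to fetch url: ("send", text) or ("tls", name).

    proxies is a sequence of (host, port), nearest proxy first. The TCP
    connection goes to proxies[0], or to the origin server when empty.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    host, default = parts.hostname, DEFAULT_PORTS[parts.scheme]
    port = parts.port or default
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    bare = f"[{host}]" if ":" in host else host
    host_header = bare if port == default else authority(host, port)
    proxies = list(proxies)
    # Reach each further proxy through the tunnel built so far.
    steps = [("send", connect_request(h, p)) for h, p in proxies[1:]]
    if parts.scheme == "https":
        if proxies:
            # The last proxy opens a raw tunnel to the origin server.
            steps.append(("send", connect_request(host, port)))
        # The TLS handshake runs end to end; proxies only copy bytes.
        steps.append(("tls", host))
        target = path                              # origin-form
    elif proxies:
        target = f"http://{host_header}{path}"     # absolute-form, read by the last proxy
    else:
        target = path                              # direct connection, no proxy
    steps.append(("send", f"GET {target} HTTP/1.1\r\nHost: {host_header}\r\n\r\n"))
    return steps
```

For an https:// URL behind one proxy this yields CONNECT, then the TLS handshake, then an ordinary GET inside the tunnel; for an http:// URL behind one proxy it yields a single absolute-form GET and no CONNECT at all.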

Thanks @anttix, really I just made a test; I saw the CONNECT method used when I request an HTTPS URL. Now I'm testing a proxy chain; talking to DarkXphenomenon above, the CONNECT method will help me to do a proxy chain, because GET doesn't work. – Alexsandro Jul 28 '12 at 3:54

TL;DR a web client uses CONNECT only when it knows it talks to a proxy and the final URI begins with https://.

When a browser says:

CONNECT www.google.com:443 HTTP/1.1

it means:

Hi proxy, please open a raw TCP connection to google; any following bytes I write, you just repeat over that connection without any interpretation. Oh, and one more thing. Do that only if you talk to Google directly, but if you use another proxy yourself, instead you just tell them the same CONNECT.

Note how this says nothing about TLS (https). In fact CONNECT is orthogonal to TLS; you can have only one, you can have the other, or you can have both of them.

That being said, the intent of CONNECT is to allow an end-to-end encrypted TLS session, so the data is unreadable to a proxy (or a whole proxy chain). It works even if a proxy doesn't understand TLS at all, because CONNECT can be issued inside plain HTTP and requires from the proxy nothing more than copying raw bytes around.

But the connection to the first proxy can be TLS (https), although it means a double encryption of traffic between you and the first proxy.

Obviously, it makes no sense to CONNECT when talking directly to the final server. You just start talking TLS and then issue HTTP GET. The end servers normally disable CONNECT altogether.

To a proxy, CONNECT support adds security risks. Any data can be passed through CONNECT, even an SSH hacking attempt to a server on 192.168.1.*, even SMTP sending spam. The outside world sees these attacks as regular TCP connections initiated by a proxy. They don't care what the reason is; they cannot check whether HTTP CONNECT is to blame. Hence it's up to proxies to secure themselves against misuse.
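One way a proxy can secure itself against the misuse described above: check every CONNECT target against a port allowlist and refuse non-public addresses before opening the tunnel. This is an added example, not code from the original answer; the function names and the `ALLOWED_PORTS` value are assumptions, and the proxy is assumed to pass in the addresses it resolved itself.

```python
import ipaddress

ALLOWED_PORTS = {443}  # assumption: this proxy only tunnels HTTPS

def parse_connect_target(request_line):
    """Parse 'CONNECT host:port HTTP/1.x' and return (host, port)."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        raise ValueError("not a CONNECT request line")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        raise ValueError("target must be host:port")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]  # IPv6 literal
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range")
    return host.lower(), int(port)

def check_connect(request_line, resolved_ips):
    """Decide whether to open the tunnel; returns (allowed, reason).

    resolved_ips are the addresses the proxy resolved for the host and will
    actually connect to. Checking these, not the name, also catches public
    names that point at internal addresses.
    """
    try:
        host, port = parse_connect_target(request_line)
    except ValueError as exc:
        return False, str(exc)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if not resolved_ips:
        return False, f"{host} did not resolve"
    for ip in resolved_ips:
        addr = ipaddress.ip_address(ip)
        # Rejects private, loopback, link-local and other non-public ranges.
        if not addr.is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"
```

The proxy should then connect to exactly the address it checked rather than resolving the name a second time, and log the refusals.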


As a rule of thumb, GET is used for plain HTTP and CONNECT for HTTPS.

There are more details though, so you probably want to read the relevant RFCs:

http://www.ietf.org/rfc/rfc2068.txt
http://www.ietf.org/rfc/rfc2817.txt


Comments
  • So, are you telling me the CONNECT method is limited to HTTPS (default port 443) requests?
  • No, not at all. SSL could be running on a different port. Port 443 is the most commonly used port for SSL. CONNECT is used for proxying HTTPS requests compulsorily, and using it for HTTP is possible as well, but not necessary.
  • Great, now, what if I want to implement a proxy chain? Client -> PROXY -> Another PROXY -> URL. Should I use CONNECT or GET?
  • See updated answer. You would first issue a CONNECT to each proxy you are chaining to, sequentially. When you get a 200 Established response from each proxy you are chaining, finally send the original GET or CONNECT.
  • So, we can say CONNECT is "usually used for SSL connections and proxy chains". Nice! I will test it, thanks in advance.
  • Thanks for the detailed answer, it confirmed a few things for me.
  • Thanks @anttix, really I just made a test; I saw the CONNECT method used when I request an HTTPS URL. Now I'm testing a proxy chain; talking to DarkXphenomenon above, the CONNECT method will help me to do a proxy chain, because GET doesn't work.