
Unable to restrict the domain name of forward proxy #230

Closed
xxscloud5722 opened this issue Aug 3, 2022 · 4 comments

Comments

@xxscloud5722

0. Before Your ASK

  1. Try to find an answer by reading a FAQ.

Ⅰ. Issue Description

server {

   listen 3002;
   server_name sms.tencentcloudapi.com;

   # dns resolver used by forward proxying
   resolver 8.8.8.8;

   # forward proxy for CONNECT request
   proxy_connect;
   proxy_connect_allow 443 80;
   proxy_connect_connect_timeout 10s;
   proxy_connect_read_timeout 10s;
   proxy_connect_send_timeout 10s;

   # forward proxy for non-CONNECT request
   location / {
       proxy_pass $scheme://sms.tencentcloudapi.com$request_uri;
       # proxy_set_header Host sms.tencentcloudapi.com;
   }
}

Ⅱ. Describe what happened

Ⅲ. Describe what you expected to happen

Proxies can be restricted normally

Ⅳ. How to reproduce it (as minimally and precisely as possible)

V. Anything else we need to know?

None

VI. Environment:

Nginx 1.19.2

@chobits
Owner

chobits commented Aug 7, 2022

Proxies can be restricted normally

It is as expected that proxied data cannot be restricted via domain name. Note that we have no method to parse the proxied data in CONNECT tunnel.

Many people have asked why or how to parse, hijack, and intercept proxy data. This is practically impossible to achieve,
because the proxied data can theoretically be in any form; in fact, the vast majority of data is SSL encrypted.

@chobits
Owner

chobits commented Aug 7, 2022

The only data you can parse is the CONNECT request before the CONNECT tunnel is established.

You can check this request as follows (note that I didn't test the script; it's just for reference):


# Only the CONNECT request head is visible to nginx; these checks run before the tunnel opens.
set $found "";

if ($request_method = "CONNECT") {
  set $found "1";
}

# $connect_host is the host from the CONNECT request line (a variable of this module).
# Append to $found rather than overwrite it, so both conditions are recorded together.
if ($connect_host = "xx.com") {
   set $found "${found}2";
}

# Both matched: a CONNECT request for xx.com, which this example rejects.
if ($found = "12") {
   return 403;
}

@jingjingxyk

jingjingxyk commented Aug 11, 2022

Restrict domain example, using SNI:


# CONNECT HOST: 1 for hosts on the allow-list, 0 for everything else
map $host $tls_proxy_allow_url_flag {
    default 0;
    ~^([\w-]+?)\.googlesource\.com$ 1;
    ~^([\w-]+?)\.googleapis\.com$ 1;
    ~^chrome-infra-packages\.appspot\.com$ 1;
}

server {
    # the ssl parameter is required for the ssl_* directives below to take effect
    listen 443 ssl;
    server_name your-domain.com;
    ssl_certificate     /tls/wildcard.your-domain.com.fullchain.pem;
    ssl_certificate_key /tls/wildcard.your-domain.com.key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols  TLSv1.3;
    ssl_prefer_server_ciphers off;
    # dns resolver used by forward proxying
    resolver  1.0.0.1 1.0.0.2 1.0.0.3 1.1.1.1 8.8.8.8 8.8.4.4 ;

    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow 443 80;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;

    # deny any host that is not on the allow-list (applies to CONNECT and non-CONNECT requests)
    if ( $tls_proxy_allow_url_flag != 1) {
        return 403 '{"status":"403","result":"no allow","message":"403"}';
    }

    # forward proxy for non-CONNECT request
    location / {
        charset utf-8;
        default_type text/plain;
        return 200 'yeah 😁😄😜😋🤗😅😇🥰🥳';
    }
}
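
Both chobits' script and jingjingxyk's map key on the CONNECT request head, which is all the proxy can inspect before the tunnel opens. As an added illustration (Python written for this page, not code from the module or from either commenter), here is a model of that policy: parse the CONNECT request line, require the port to be in the same `443 80` list as `proxy_connect_allow`, require the host to match a map-style allow-list, and refuse a request whose Host header disagrees with its target. The allow-list contents and the sample request heads are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Port allow-list, mirroring `proxy_connect_allow 443 80;` from the configs in this thread.
ALLOWED_PORTS = {443, 80}

# Host allow-list, mirroring an nginx `map` with anchored regexes and `default 0`.
# Constructed for this example: the reporter's host plus a wildcard in the style of the map above.
ALLOWED_HOST_PATTERNS: Sequence[re.Pattern] = (
    re.compile(r"^sms\.tencentcloudapi\.com$"),
    re.compile(r"^[\w-]+\.googleapis\.com$"),
)


@dataclass
class Decision:
    status: int            # 200 = tunnel may open, 403 = denied, 400 = malformed, 0 = not CONNECT
    reason: str
    host: Optional[str] = None
    port: Optional[int] = None


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'Example.COM.' cannot slip past an anchored regex."""
    return host.lower().rstrip(".")


def parse_connect_request_line(line: str) -> Tuple[str, int]:
    """Parse 'CONNECT host:port HTTP/1.1' (authority-form, port mandatory) into (host, port)."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed CONNECT request line")
    host, sep, port_str = parts[1].rpartition(":")
    if not sep or not host or not port_str.isdigit():
        raise ValueError("CONNECT target must be host:port")
    port = int(port_str)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return normalize_host(host), port


def host_allowed(host: str, patterns: Sequence[re.Pattern] = ALLOWED_HOST_PATTERNS) -> bool:
    """map-style lookup: 1 if any pattern matches the whole host, otherwise the default 0."""
    return any(p.match(host) for p in patterns)


def decide(request_head: bytes) -> Decision:
    """Apply policy to the only thing a CONNECT proxy can inspect: the request head.

    Everything the client sends after a 200 reply is tunnelled opaquely (usually TLS),
    so no host check is possible there; that is the point made in the thread above.
    """
    try:
        lines = request_head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return Decision(400, "non-ASCII request head")
    if lines[0].split(" ", 1)[0] != "CONNECT":
        return Decision(0, "not a CONNECT request; nginx would route it to location /")
    try:
        host, port = parse_connect_request_line(lines[0])
    except ValueError as err:
        return Decision(400, str(err))

    # The Host header must agree with the request target; policy keys on the target, not the header.
    for raw in lines[1:]:
        if not raw:
            break
        name, _, value = raw.partition(":")
        if name.strip().lower() == "host":
            hdr = value.strip()
            if ":" in hdr and not hdr.endswith("]"):   # strip :port, but not an IPv6 literal
                hdr = hdr.rsplit(":", 1)[0]
            if normalize_host(hdr) != host:
                return Decision(400, "Host header disagrees with CONNECT target", host, port)

    if port not in ALLOWED_PORTS:
        return Decision(403, f"port {port} not in proxy_connect_allow", host, port)
    if not host_allowed(host):
        return Decision(403, "host not in allow-list", host, port)
    return Decision(200, "tunnel may be established; bytes after this point are opaque", host, port)


if __name__ == "__main__":
    # Constructed sample request heads (not captured traffic).
    for head in (
        b"CONNECT sms.tencentcloudapi.com:443 HTTP/1.1\r\nHost: sms.tencentcloudapi.com:443\r\n\r\n",
        b"CONNECT other.example:443 HTTP/1.1\r\n\r\n",
        b"CONNECT sms.tencentcloudapi.com:8443 HTTP/1.1\r\n\r\n",
    ):
        print(head.split(b"\r\n", 1)[0].decode(), "->", decide(head))
```

The decision is made on the request target rather than the Host header because the two can be inconsistent in a malformed request, and a mismatch is rejected instead of being resolved in either direction; the port check comes before the host check, matching the order in which the configs above apply `proxy_connect_allow` and the `map`.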

@chobits
Owner

chobits commented Aug 15, 2022

I think it's resolved. Feel free to reopen it if you still have the same issue.
Open a new issue if you have any other problem.

@chobits chobits closed this as completed Aug 15, 2022