How to connect to Squid?

Is it possible to use the CONNECT method over a public endpoint? My squid forward proxy uses port 90.

I’ve tried: zrok share public localhost:90

The results are:
curl --proxy https://alphadigits.share.zrok.io/ Sharing HTTP Servers | zrok
curl: (56) Received HTTP code 400 from proxy after CONNECT

Hi @Rantanplan, welcome to the community and to zrok!

I don't know if the CONNECT is forwarded. I'll see if I can get someone to reply authoritatively though. Cheers

Honestly don't know. There is nothing in zrok itself that filters out HTTP verbs. But the instance running for zrok.io is behind AWS infrastructure that very well might be filtering out those requests?

Unfortunately the public shares from hosted zrok do not support the CONNECT method. They rely on AWS ALBs, which do not support it. I suspect it would work just fine over a private share though.

Yes. It works over the private share.

I have installed a self-hosted instance of zrok.

zrok share public localhost:90, zrok frontend, zrok connector, ziti-router, ziti-connector are all on the same host.

I confirm that the zrok proxy does not allow the CONNECT method.

curl  --proxy http://xxx.domain.name:port https://www.google.com 
curl: (56) Received HTTP code 404 from proxy after CONNECT

Have you tried with backend mode tcpTunnel?

It is strange

curl  --proxy http://xxx.domain.name:port https://www.google.com 
curl: (56) Received HTTP code 404 from proxy after CONNECT

zrok access public etc/frontend.yml says:

[2478.082]   ERROR zrok/endpoints.GetRefreshedService: service 'www' not found
[2478.082] WARNING zrok/endpoints/publicProxy.NewHTTP.shareHandler.func2: [IP]:35492 -> service 'www' not found

Thank you for demonstrating that zrok's public frontends do not support CONNECT because they assume the first part of the domain name in the HOST header (the least significant DNS label) represents a public share "token."

Your remaining options for a public CONNECT proxy with zrok include running a "personalized frontend" (zrok access private) on a public IP with, as @smilindave26 suggested, the tcpTunnel backend mode targeting your Squid forward proxy (Personalized Frontend | zrok).

Finally, if your clients can use SOCKS instead of CONNECT, there's also a zrok private share backend mode socks (no target address:port required) that will egress from the share backend.

List of private share modes: Private Shares | zrok
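The curl errors quoted above ("Received HTTP code 400/404 from proxy after CONNECT") summarise a short exchange: curl opens a TCP connection to the proxy, sends a CONNECT request in authority-form, and gives up if the status line is not 200. The probe below reproduces that exchange so the raw answer can be seen. It is an added example, not zrok or Squid code; `start_fake_proxy` is a constructed local stand-in (a Squid-like proxy that tunnels CONNECT, and an HTTP-only front end that rejects it with 400) so the script runs offline, and the default target `www.google.com:443` is only the host used in the thread's curl commands.

```python
"""CONNECT probe: reproduces the exchange behind curl's
"Received HTTP code NNN from proxy after CONNECT" so the raw proxy
answer can be inspected instead of curl's summary."""
import socket
import sys
import threading


def build_connect_request(target_host: str, target_port: int) -> bytes:
    """Request a forward proxy receives for an https:// URL (RFC 7231 4.3.6):
    authority-form request-target, Host header repeating the authority."""
    authority = f"{target_host}:{target_port}"
    return (
        f"CONNECT {authority} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        "\r\n"
    ).encode("ascii")


def read_head(sock: socket.socket) -> bytes:
    """Read until the end of the HTTP header block (or until the peer closes)."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data


def parse_status_code(response: bytes) -> int:
    """Status code from the first line of a proxy response; raises on non-HTTP data."""
    first_line = response.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")
    parts = first_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {first_line!r}")
    return int(parts[1])


def probe_connect(proxy_host: str, proxy_port: int,
                  target_host: str = "www.google.com", target_port: int = 443,
                  timeout: float = 5.0) -> int:
    """Send one CONNECT through the proxy and return its status code.
    200 means a tunnel was established; anything else is the code curl
    reports after CONNECT (400 from the hosted ALB frontend, 404 from the
    self-hosted public frontend in the thread)."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        return parse_status_code(read_head(sock))


def start_fake_proxy(allow_connect: bool) -> tuple:
    """Constructed local stand-in, not a real proxy: with allow_connect=True it
    behaves like Squid and answers CONNECT with 200; with allow_connect=False
    it behaves like an HTTP-only front end and rejects CONNECT with 400.
    Returns the (host, port) the probe should talk to."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                request = read_head(conn)
                if request.startswith(b"CONNECT ") and allow_connect:
                    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
                else:
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()


if __name__ == "__main__":
    # Usage: python connect_probe.py <proxy_host> <proxy_port>
    # Without arguments, run against the two local stand-ins.
    if len(sys.argv) == 3:
        print(probe_connect(sys.argv[1], int(sys.argv[2])))
    else:
        for allow in (True, False):
            host, port = start_fake_proxy(allow)
            print(f"allow_connect={allow}: CONNECT -> {probe_connect(host, port)}")
```

Point the probe at a zrok public frontend and at the Squid port directly to compare: the same CONNECT that Squid answers with 200 comes back as 400 or 404 from a frontend that parses the request as ordinary HTTP and looks up the share token in the Host header.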

I have tested a private proxy.

On the share side, zrok forwards everything to Squid:

zrok share private localhost:90 --backend-mode  proxy --headless

On the access side,

zrok access private rgvq2mq9ljss

we try the simplest possible case, the GET method over HTTP:

curl  --proxy http://127.0.0.1:9191 http://www.google.com/relative_path_to

Now what we see in squid's log file:

1744920849.438      1 127.0.0.1 NONE_NONE/400 3734 GET /relative_path_to - HIER_NONE/- "-"

Somewhere along the route the host has disappeared from the URL. There is no hope that reverse and forward proxies will accept it.

Certainly private SOCKS5 works fine. But it is a very restrictive scenario.

With a working zrok proxy we can forward HTTP/HTTPS to HAProxy/Squid.
For the GET method over HTTP we can do something like this on the HAProxy side:

	http-request set-var(txn.myhost) req.hdr(Host)
	http-request set-uri %[pathq]

But for HTTPS zrok's proxy does not allow CONNECT; moreover, my iPad sends CONNECT without a Host header :grinning_face:, because the host is in the URI. Firefox will send a Host header as well.

Regarding the tcpTunnel: it works pretty well. Thank you! I have managed to connect a zrok TCP tunnel to Squid and Danted.

There is a nasty error however.

Squid: zrok share private 127.0.0.1:8080 --backend-mode tcpTunnel
ERROR zrok/endpoints.TXer: read error '127.0.0.1:90' -> 'ziti-edge-router connId=2147483740, logical=ziti-sdk[router=tls:domian.name:3022]': read tcp 127.0.0.1:44650->127.0.0.1:90: use of closed network connection
ERROR zrok/endpoints.TXer: read error '127.0.0.1:90' -> 'ziti-edge-router connId=2147483709, logical=ziti-sdk[router=tls:domian.name:3022]': read tcp 127.0.0.1:38430->127.0.0.1:90: use of closed network connection

Danted: zrok share private 127.0.0.1:8080 --backend-mode tcpTunnel
ERROR zrok/endpoints.TXer: read error '127.0.0.1:8080' -> 'ziti-edge-router connId=2147483800, logical=ziti-sdk[router=tls:domian.name:3022]': read tcp 127.0.0.1:60658->127.0.0.1:8080: use of closed network connection

The similar thing goes on the access side:

zrok access private 7t5wq3iarbgk --headless -v
ERROR zrok/endpoints.TXer: read error '127.0.0.1:57218' -> 'ziti-edge-router connId=51, logical=ziti-sdk[router=tls:domian.name:3022]': read tcp 127.0.0.1:9191->127.0.0.1:57218: use of closed network connection
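The Squid log line quoted in the GET test above (`NONE_NONE/400 ... GET /relative_path_to`) is the evidence that the request reached Squid in origin-form, with no scheme or host in the request-target; a forward proxy cannot choose an upstream from that, whereas a CONNECT authority or an absolute-form URL carries it. The following classifier reads Squid's native access log format and names the form of each request. It is an added example, not part of the thread or of Squid; the first sample line is the one quoted in the thread, the other two are constructed to show what a healthy forward-proxy log looks like (203.0.113.10 is a documentation address, not a real upstream).

```python
"""Classify Squid access.log lines (native log format) by the form of the
request-target that actually reached Squid. A forward proxy needs an
absolute-form URL (GET http://host/path) or a CONNECT authority (host:443);
an origin-form target (GET /path) means some HTTP-aware hop in front of it
rewrote the request and dropped the host."""

# Native Squid format, whitespace separated:
# time elapsed_ms client result_code/status bytes method url user hierarchy/peer content_type
FIELDS = ("time", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "content_type")


def parse_squid_native(line: str) -> dict:
    """Split one native-format line into a dict; numeric fields are converted."""
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    entry = dict(zip(FIELDS, tokens))
    entry["result_code"], status = entry["result"].split("/", 1)
    entry["status"] = int(status)
    entry["elapsed_ms"] = int(entry["elapsed_ms"])
    entry["bytes"] = int(entry["bytes"])
    return entry


def request_form(method: str, url: str) -> str:
    """RFC 7230 5.3 request-target forms as seen by a forward proxy."""
    if method == "CONNECT":
        return "authority"
    if url.startswith("/"):
        return "origin"
    if "://" in url:
        return "absolute"
    return "unknown"


def diagnose(entry: dict) -> str:
    """One-line verdict for a parsed entry."""
    form = request_form(entry["method"], entry["url"])
    if form == "origin":
        return ("origin-form target: no scheme or host in the URL, so the forward "
                "proxy has no upstream to contact; an HTTP-aware hop rewrote the request")
    if form == "authority" and entry["result_code"] == "TCP_TUNNEL":
        return "CONNECT tunnel established"
    if form == "absolute" and entry["status"] < 400:
        return "absolute-form target served by the forward proxy"
    return f"{form}-form target answered {entry['result']}"


# Constructed sample: the first line is the one quoted in the thread, the
# other two are made up to show what a healthy forward-proxy log looks like
# (203.0.113.10 is a documentation address, not a real upstream).
SAMPLE_LOG = [
    '1744920849.438      1 127.0.0.1 NONE_NONE/400 3734 GET /relative_path_to - HIER_NONE/- "-"',
    '1744920900.102    215 127.0.0.1 TCP_TUNNEL/200 5120 CONNECT www.google.com:443 - HIER_DIRECT/203.0.113.10 -',
    '1744920901.330     98 127.0.0.1 TCP_MISS/200 8421 GET http://www.google.com/relative_path_to - HIER_DIRECT/203.0.113.10 text/html',
]


def analyse(lines) -> list:
    """Return (method, url, diagnosis) for each log line."""
    out = []
    for line in lines:
        entry = parse_squid_native(line)
        out.append((entry["method"], entry["url"], diagnose(entry)))
    return out


if __name__ == "__main__":
    for method, url, verdict in analyse(SAMPLE_LOG):
        print(f"{method} {url}: {verdict}")
```

Run it over a real access.log to separate the two failure modes discussed in the thread: origin-form GETs (the proxy backend rewrote the request) versus CONNECTs that never arrive at all (the frontend rejected them before Squid saw them). With the tcpTunnel backend both CONNECT and absolute-form lines should appear unchanged, because bytes are relayed rather than parsed.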

Recap: You confirmed that CONNECT does not work with a proxy backend, regardless of whether the frontend is zrok access public or zrok access private. @smilindave26 recommended backend mode tcpTunnel because your goal is to pass through arbitrary bytes via TCP.

Thanks for sharing the backend and frontend messages about "use of closed network connection." Can you clarify whether the TCP tunnel is functioning or if a malfunction is co-occurring with these messages?

If Squid and Danted are not functioning via their respective TCP tunnels, then I'll gather additional details:

Is Squid at 127.0.0.1:90 a CONNECT server?
Is Danted at 127.0.0.1:8080 a SOCKS server?

This message from the TCP tunnel backend seems to indicate a new request was received via the frontend for a connection (socket) that was previously closed by the CONNECT or SOCKS server.

I tested with Squid and Danted. Two different programs produce exactly the same ERROR message.

Both Squid and Danted work via the TCP tunnel.

Squid accepts CONNECT at port 90
Danted accepts SOCKS5 at port 8080

I have not noticed any malfunction; internet browsing goes smoothly as usual. However, the system log will be huge.

zrok share private 127.0.0.1:8080 --backend-mode tcpTunnel --headless --verbose
[ 509.605]   DEBUG zrok/endpoints.TXer: exited 'ziti-edge-router connId=2147483697, logical=ziti-sdk[router=tls:mydomain.name:port]' -> '127.0.0.1:8080'
[ 509.605]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).Accept: {chSeq=[652] edgeSeq=[10] connId=[2147483697] type=[EdgeStateClosedType]} received 12 bytes (msg type: 60785)
[ 509.605]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).Accept: {connId=[2147483691] type=[EdgeStateClosedType] chSeq=[653] edgeSeq=[12]} received 12 bytes (msg type: 60785)
[ 509.605]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).Read: {connId=[2147483691] marker=[6agaWgbo]} received ConnState_CLOSED message, closing connection
[ 509.605]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).close: {connId=[2147483691] marker=[6agaWgbo]} close: begin
[ 509.605]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).close: {marker=[6agaWgbo] connId=[2147483691]} close: end
[ 509.605]   ERROR zrok/endpoints.TXer: read error '127.0.0.1:8080' -> 'ziti-edge-router connId=2147483691, logical=ziti-sdk[router=tls:mydomain.name:port]': read tcp 127.0.0.1:40702->127.0.0.1:8080: use of closed network connection
[ 509.605]   DEBUG zrok/endpoints.TXer: exited '127.0.0.1:8080' -> 'ziti-edge-router connId=2147483691, logical=ziti-sdk[router=tls:mydomain.name:port]'
[ 509.605]   DEBUG zrok/endpoints.TXer: exited 'ziti-edge-router connId=2147483691, logical=ziti-sdk[router=tls:mydomain.name:port]' -> '127.0.0.1:8080'
[ 509.605]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).Accept: {connId=[2147483694] type=[EdgeStateClosedType] chSeq=[654] edgeSeq=[11]} received 12 bytes (msg type: 60785)
[ 509.606]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).Read: {connId=[2147483694] marker=[MwX1QKTM]} received ConnState_CLOSED message, closing connection
[ 509.606]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).close: {connId=[2147483694] marker=[MwX1QKTM]} close: begin
[ 509.606]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).close: {connId=[2147483694] marker=[MwX1QKTM]} close: end
[ 509.606]   ERROR zrok/endpoints.TXer: read error '127.0.0.1:8080' -> 'ziti-edge-router connId=2147483694, logical=ziti-sdk[router=tls:mydomain.name:port]': read tcp 127.0.0.1:44956->127.0.0.1:8080: use of closed network connection
[ 509.606]   DEBUG zrok/endpoints.TXer: exited '127.0.0.1:8080' -> 'ziti-edge-router connId=2147483694, logical=ziti-sdk[router=tls:mydomain.name:port]'
[ 509.606]   DEBUG zrok/endpoints.TXer: exited 'ziti-edge-router connId=2147483694, logical=ziti-sdk[router=tls:mydomain.name:port]' -> '127.0.0.1:8080'
[ 509.606]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).Accept: {connId=[2147483693] type=[EdgeStateClosedType] chSeq=[655] edgeSeq=[11]} received 12 bytes (msg type: 60785)
[ 509.606]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).Read: {connId=[2147483693] marker=[QJlmGF6I]} received ConnState_CLOSED message, closing connection
[ 509.606]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).close: {connId=[2147483693] marker=[QJlmGF6I]} close: begin
[ 509.606]   DEBUG sdk-golang/ziti/edge/network.(*edgeConn).close: {connId=[2147483693] marker=[QJlmGF6I]} close: end
[ 509.606]   ERROR zrok/endpoints.TXer: read error '127.0.0.1:8080' -> 'ziti-edge-router connId=2147483693, logical=ziti-sdk[router=tls:mydomain.name:port]': read tcp 127.0.0.1:59882->127.0.0.1:8080: use of closed network connection

I'm glad to hear it's working now with a private TCP tunnel! I will keep an eye out for this "use of closed network connection" message in hopes of understanding whether it could represent a problem and if it's unique to TCP tunnels or CONNECT proxies.