How to connect to Squid?

Is it possible to use the CONNECT method over a public endpoint? My squid forward proxy uses port 90.

I’ve tried: zrok share public localhost:90

The results are:
curl --proxy https://alphadigits.share.zrok.io/ Sharing HTTP Servers | zrok
curl: (56) Received HTTP code 400 from proxy after CONNECT

Hi @Rantanplan, welcome to the community and to zrok!

I don't know if the CONNECT is forwarded. I'll see if I can get someone to reply authoritatively though. Cheers

Honestly don't know. There is nothing in zrok itself that filters out HTTP verbs. But the instance running for zrok.io is behind AWS infrastructure that very well might be filtering out those requests?

Unfortunately the public shares from hosted zrok do not support the CONNECT method. They rely on AWS ALBs, which do not support it. I suspect it would work just fine over a private share though.

Yes. It works over the private share.

I have installed a self-hosted instance of zrok.

zrok share public localhost:90, zrok frontend, zrok connector, ziti-router, ziti-connector are all on the same host.

I confirm that the zrok proxy does not allow the CONNECT method.

curl --proxy http://xxx.domain.name:port https://www.google.com
curl: (56) Received HTTP code 404 from proxy after CONNECT

Have you tried with backend mode tcpTunnel?

It is strange.

curl --proxy http://xxx.domain.name:port https://www.google.com
curl: (56) Received HTTP code 404 from proxy after CONNECT

zrok access public etc/frontend.yml says:

[2478.082]   ERROR zrok/endpoints.GetRefreshedService: service 'www' not found
[2478.082] WARNING zrok/endpoints/publicProxy.NewHTTP.shareHandler.func2: [IP]:35492 -> service 'www' not found

Thank you for demonstrating that zrok's public frontends do not support CONNECT because they assume the first part of the domain name in the HOST header (the least significant DNS label) represents a public share "token."

Your remaining options for a public CONNECT proxy with zrok include running a "personalized frontend" (zrok access private) on a public IP with, as @smilindave26 suggested, the tcpTunnel backend mode targeting your Squid forward proxy (Personalized Frontend | zrok).

Finally, if your clients can use SOCKS instead of CONNECT, there's also a zrok private share backend mode socks (no target address:port required) that will egress from the share backend.

List of private share modes: Private Shares | zrok

I have tested a private proxy.

On the share side, zrok forwards everything to Squid:

zrok share private localhost:90 --backend-mode proxy --headless

On the access side,

zrok access private rgvq2mq9ljss

we try the simplest possible case, the GET method over http:

curl --proxy http://127.0.0.1:9191 http://www.google.com/relative_path_to

Now what we see in squid's log file:

1744920849.438      1 127.0.0.1 NONE_NONE/400 3734 GET /relative_path_to - HIER_NONE/- "-"

Somewhere on the route the host has disappeared from the URL. There is no hope that reverse and forward proxies will accept it.

Certainly private socks5 works fine. But it is a very restrictive scenario.

With zrok's proxy working, we can forward http/https to haproxy/squid.
For the GET method over http we can do something like this on the haproxy side:

	http-request set-var(txn.myhost) req.hdr(Host)
	http-request set-uri %[pathq]

But for https, zrok's proxy does not allow CONNECT. Moreover, my iPad sends CONNECT without Host in the header :grinning_face:, because the Host is in the URI. Firefox will send the Host header as well.

Regarding the tcpTunnel: it works pretty well. Thank you! I have managed to connect a zrok tcp tunnel to Squid and Danted.

There is a nasty error however.

Squid: zrok share private 127.0.0.1:8080 --backend-mode tcpTunnel
ERROR zrok/endpoints.TXer: read error '127.0.0.1:90' -> 'ziti-edge-router connId=2147483740, logical=ziti-sdk[router=tls:domian.name:3022]': read tcp 127.0.0.1:44650->127.0.0.1:90: use of closed network connection
ERROR zrok/endpoints.TXer: read error '127.0.0.1:90' -> 'ziti-edge-router connId=2147483709, logical=ziti-sdk[router=tls:domian.name:3022]': read tcp 127.0.0.1:38430->127.0.0.1:90: use of closed network connection

Danted: zrok share private 127.0.0.1:8080 --backend-mode tcpTunnel
ERROR zrok/endpoints.TXer: read error '127.0.0.1:8080' -> 'ziti-edge-router connId=2147483800, logical=ziti-sdk[router=tls:domian.name:3022]': read tcp 127.0.0.1:60658->127.0.0.1:8080: use of closed network connection

A similar thing happens on the access side:

zrok access private 7t5wq3iarbgk --headless -v
ERROR zrok/endpoints.TXer: read error '127.0.0.1:57218' -> 'ziti-edge-router connId=51, logical=ziti-sdk[router=tls:domian.name:3022]': read tcp 127.0.0.1:9191->127.0.0.1:57218: use of closed network connection
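
Added example, not part of the thread and not zrok, Squid or HAProxy code: a small Python model of the two failures discussed above, the public frontend reading the first Host label as a share token ("service 'www' not found") and the forward proxy receiving a request whose target has lost its host. The function names, the first-label routing model and the sample requests are assumptions constructed for illustration.

```python
# Added illustration: not zrok, Squid or HAProxy code. All requests are constructed samples.

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def target_form(method: str, target: str) -> str:
    """Classify the request-target as defined in RFC 9112, section 3.2."""
    if method == "CONNECT":
        return "authority-form"   # host:port, sent to a proxy to open a tunnel
    if target.startswith("/"):
        return "origin-form"      # path only, what an origin server expects
    if "://" in target:
        return "absolute-form"    # full URL, what a forward proxy expects
    return "other"

def first_label_token(headers: dict):
    """Assumed model of the routing described in the thread: the share token
    is the first DNS label of the Host header (IPv6 literals not handled)."""
    host = headers.get("host", "").split(":", 1)[0]
    return host.split(".", 1)[0] or None

def forward_proxy_can_route(method: str, target: str) -> bool:
    """A forward proxy takes the destination from the request-target itself."""
    return target_form(method, target) in ("absolute-form", "authority-form")

# What curl sends to a proxy for an https:// URL.
CONNECT_REQ = b"CONNECT www.google.com:443 HTTP/1.1\r\nHost: www.google.com:443\r\n\r\n"
# What curl sends to a proxy for an http:// URL.
GET_ABSOLUTE = b"GET http://www.google.com/relative_path_to HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
# Constructed to match the Squid log line: the host is gone from the target.
GET_ORIGIN = b"GET /relative_path_to HTTP/1.1\r\nHost: www.google.com\r\n\r\n"

if __name__ == "__main__":
    for raw in (CONNECT_REQ, GET_ABSOLUTE, GET_ORIGIN):
        method, target, headers = parse_request(raw)
        print(method, target, target_form(method, target),
              "token=%r" % first_label_token(headers),
              "routable=%s" % forward_proxy_can_route(method, target))
```

A byte-level tunnel (tcpTunnel) sidesteps both cases because nothing between the client and Squid parses or rewrites the request line.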