Skip to content

Fix: Connectivity check fails with Squid/Strict Proxies (Force CONNECT on port 80) #2524

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Nixxeee wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix: Connectivity check fails with Squid/Strict Proxies (Force CONNECT on port 80) #2524

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions emhttp/plugins/dynamix/include/OutgoingProxyLib.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,12 +58,17 @@ function proxy_online($proxyUrl) {
$rc = true;

if ($proxyUrl) {
/*Define the check URL */
$checkurl = "http://www.msftncsi.com/ncsi.txt";
/* Initialize cURL session. */
$ch = curl_init("http://www.msftncsi.com/ncsi.txt");

$ch = curl_init($checkurl);

/* Determine if tunneling is needed (HTTPS only). */
$isHttps = (parse_url($checkurl, PHP_URL_SCHEME) === 'https');

/* Set cURL options. */
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 3); /* Timeout in seconds. */
curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, true);
curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, $isHttps); /* Enable HTTP tunneling only for HTTPS to prevent CONNECT method on port 80. */
Comment on lines +61 to +71
Copy link
Contributor

@coderabbitai coderabbitai bot Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

PHP CURLOPT_HTTPPROXYTUNNEL behavior CONNECT method HTTP HTTPS

💡 Result:

Short answer

  • CURLOPT_HTTPPROXYTUNNEL = 0 (default): libcurl sends normal HTTP proxy requests (for HTTP URLs it sends a request with an absolute-URI; for HTTPS URLs it still uses CONNECT automatically).
  • CURLOPT_HTTPPROXYTUNNEL = 1: force tunneling through the HTTP proxy — libcurl issues an HTTP CONNECT to the proxy and then pipes raw TCP (so any protocol, including HTTPS, is tunneled).
  • Use tunnel mode when you need end‑to‑end TCP passthrough (e.g. FTP or non‑HTTP protocols) or when the proxy must not see/modifiy the HTTP request; note many proxies only allow CONNECT to specific ports (commonly 80/443). [1][2][3]

Examples

  • Default (no tunnel): proxy receives "GET http://host/..." for HTTP targets; for HTTPS targets libcurl still uses CONNECT automatically. [1][2]
  • Forced tunnel: curl_easy_setopt(..., CURLOPT_HTTPPROXYTUNNEL, 1L) — sends "CONNECT host:port" then forwards traffic. [1][3]

Sources

  • curl/libcurl CURLOPT_HTTPPROXYTUNNEL documentation. [1]
  • Practical explanation / proxy tunneling behavior (curl guide). [2]
  • Discussion/example about CONNECT and proxy handling. [3]

🌐 Web query:

curl CONNECT tunneling proxy HTTP vs HTTPS URLs

💡 Result:

Short answer

  • curl uses an HTTP proxy differently depending on the target URL:
    • http:// URL → curl sends an absolute-form HTTP request to the proxy (proxy can read/modify the request/response).
    • https:// URL → curl by default issues an HTTP CONNECT to the proxy and tunnels a raw TCP stream; curl then performs TLS directly with the origin (proxy cannot see decrypted HTTPS unless it MITM’s it). [1][2]

Additional notes / controls

  • You can force tunneling for non-HTTPS (or all traffic) with --proxytunnel (or CURLOPT_HTTPPROXYTUNNEL in libcurl). That makes curl send CONNECT to the proxy and pass bytes through the tunnel. [2][3]
  • The proxy URL scheme matters for the connection between you and the proxy:
    • -x http://proxy:port → plaintext connection to the proxy.
    • -x https://proxy:port → TLS to the proxy (an “HTTPS proxy”); the proxy-to-origin behavior (CONNECT for https:// targets) is the same, but the client→proxy leg is encrypted. [4][1]

Common failures

  • If the proxy does not support CONNECT (or blocks the destination/port), HTTPS through that proxy will fail (405/403 or connection drop). Use -v to see the CONNECT exchange. [3]

Sources

  1. curl docs — HTTP proxies and tunneling. [everything.curl.dev].
  2. libcurl option CURLOPT_HTTPPROXYTUNNEL (man page).
  3. curl proxy guide / troubleshooting (examples of CONNECT behaviour).
  4. curl docs — HTTPS proxy explanation.

The conditional logic is correct in principle, but becomes dead code for the hardcoded HTTP URL.

The cURL behavior is verified: CURLOPT_HTTPPROXYTUNNEL=0 prevents CONNECT tunneling for HTTP URLs, while =1 enables it for HTTPS. However, since $checkurl is hardcoded to http://www.msftncsi.com/ncsi.txt, the condition parse_url($checkurl, PHP_URL_SCHEME) === 'https' will always be false, so CURLOPT_HTTPPROXYTUNNEL will always be disabled. Either remove the conditional and hardcode it to false, or make $checkurl configurable to support both HTTP and HTTPS URLs in practice.

🤖 Prompt for AI Agents 
In `@emhttp/plugins/dynamix/include/OutgoingProxyLib.php` around lines 61 - 71,
The current $checkurl is hardcoded to "http://www.msftncsi.com/ncsi.txt" which
makes the $isHttps check and curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, $isHttps)
dead code; update the code to either (A) make $checkurl configurable (e.g.,
accept it from a function parameter or configuration value) so
parse_url($checkurl, PHP_URL_SCHEME) can be 'http' or 'https' at runtime and the
existing $isHttps logic works, or (B) if only HTTP will ever be used, remove the
conditional and explicitly set CURLOPT_HTTPPROXYTUNNEL to false to reflect the
intended behavior; adjust references to $checkurl and $isHttps accordingly.

curl_setopt($ch, CURLOPT_PROXY, $proxyUrl); /* Url is a proxy. */
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); /* Return transfer as a string. */

Expand Down