How HTTPS Connections Work Through Proxy Servers: The CONNECT Method
When a client reaches the network through an HTTP proxy, the proxy forwards the client's requests on its behalf. HTTPS complicates this: the client must complete a TLS handshake with the origin server before it sends any HTTP request, so the proxy cannot simply forward a request it can read. It must first set up a connection through which that handshake can take place.
HTTP Proxy Request Forwarding
Proxy servers handle plain HTTP connections (no TLS) in a straightforward way. For example, when a client wants to fetch a page from example.com, it sends the proxy a request whose target is the full URL rather than just the path:
GET http://example.com/index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Proxy-Connection: keep-alive
This request goes to the proxy rather than to example.com. The proxy parses the target URL, opens a connection to that host, and forwards the complete request. When the response arrives, it relays it back to the client. Because nothing is encrypted at this point, the proxy can read and rewrite every request and response that passes through it.
HTTPS Connections
When TLS encryption is added, the problem becomes more complex. The proxy cannot simply forward the client's request, because it cannot stand in for the server in the TLS handshake: it does not hold the origin server's private key, so any certificate it presented to the client would fail validation and the client would report a TLS certificate error.
The CONNECT method solves this problem. Like GET, it is an HTTP method, but instead of fetching a resource it asks the proxy to open a tunnel to a destination host and port. Here's how it works:
The client sends a CONNECT request to the proxy server:
CONNECT example.com:443 HTTP/1.1
Host: example.com
Proxy-Connection: keep-alive
After receiving the request, the proxy server establishes a TCP connection with the target server and then responds to the client:
HTTP/1.1 200 Connection established
The proxy does not forward the CONNECT request itself to the target server; the target only ever sees a plain TCP connection arriving from the proxy.
After this, the proxy becomes a transparent TCP tunnel, relaying the byte stream in both directions without interpreting it. The client can now perform the TLS handshake directly with the origin server and exchange HTTPS data through the tunnel. Since that data is encrypted end to end, the proxy cannot read or modify the communication content. What it does still see is the destination host and port named in the CONNECT request, which is why a CONNECT proxy can log and filter where clients connect even though it cannot inspect what they send.
sequenceDiagram
    participant Client
    participant Proxy
    participant Server
    Client->>Proxy: CONNECT example.com:443
    Proxy->>Server: TCP Connection
    Server->>Proxy: Connection Established
    Proxy->>Client: HTTP/1.1 200 Connection established
    Note over Client,Server: TLS Handshake
    Note over Client,Server: Encrypted Communication
From the above process, we can see that the CONNECT method simply establishes a TCP tunnel and is not tied to TLS at all: any TCP protocol can be carried through it. That is also why a proxy that honours CONNECT to arbitrary ports is effectively an open TCP relay, and why proxies commonly restrict CONNECT to a short list of destination ports such as 443.
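As an added illustration of the exchange described above (example code written for this page, not taken from the original article), the following Python script implements a minimal CONNECT proxy and drives it end to end on loopback: it parses the CONNECT request, enforces a destination-port allow-list, dials the target, answers `200 Connection established`, and then relays bytes blindly in both directions. The echo server standing in for the origin, the loopback ports, the allow-list and the sample payload are all constructed for the demo.

```python
# Added example, not from the original article: a minimal HTTP CONNECT proxy that
# validates the request, dials the target, answers 200, then relays bytes blindly.
import socket
import threading
from contextlib import suppress

ALLOWED_PORTS = {443}  # assumed policy: tunnel only to the HTTPS port
REASONS = {400: "Bad Request", 403: "Forbidden", 502: "Bad Gateway"}

def parse_connect_request(raw: bytes):
    """Return (host, port) from a CONNECT request head, else raise ValueError."""
    parts = raw.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError("expected 'CONNECT host:port HTTP/1.x'")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("request-target must be host:port")
    return host.strip("[]"), int(port)  # brackets wrap IPv6 literals

def check_policy(raw: bytes, allowed_ports=ALLOWED_PORTS) -> int:  # 200, 400 or 403
    try:
        port = parse_connect_request(raw)[1]
    except ValueError:
        return 400
    return 200 if port in allowed_ports else 403

def _read_head(sock) -> bytes:  # read up to the blank line ending the head, max 8 KiB
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096) if len(buf) <= 8192 else b""
        if not chunk:
            raise ValueError("peer closed or head too large")
        buf += chunk
    return buf

def _relay(src, dst):  # copy src -> dst until EOF, then half-close dst so EOF propagates
    with suppress(OSError):
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle_client(client, allowed_ports=ALLOWED_PORTS):
    """Serve one proxy client: validate the CONNECT, open the tunnel, relay."""
    with client:
        try:
            raw = _read_head(client)
            status = check_policy(raw, allowed_ports)
            if status == 200:
                upstream = socket.create_connection(parse_connect_request(raw), timeout=5)
        except ValueError:
            status = 400
        except OSError:
            status = 502  # target unreachable (or client vanished mid-request)
        if status != 200:
            with suppress(OSError):
                client.sendall(f"HTTP/1.1 {status} {REASONS[status]}\r\nContent-Length: 0\r\n\r\n".encode())
            return
        with upstream:
            upstream.settimeout(None)
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            if leftover := raw.split(b"\r\n\r\n", 1)[1]:  # e.g. an eager TLS ClientHello
                upstream.sendall(leftover)
            t = threading.Thread(target=_relay, args=(upstream, client), daemon=True)
            t.start()
            _relay(client, upstream)  # blind byte pipe from here; TLS runs end-to-end through it
            t.join()

def _echo_origin() -> int:  # constructed stand-in for the origin: echoes bytes until EOF
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            _relay(conn, conn)
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def run_demo(payload=b"hello through the tunnel"):
    """Client -> proxy -> echo origin, all on loopback; returns (status line, echoed bytes)."""
    origin_port = _echo_origin()
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    def serve_one():
        conn, _ = listener.accept()
        listener.close()
        handle_client(conn, allowed_ports={origin_port})
    threading.Thread(target=serve_one, daemon=True).start()
    with socket.create_connection(("127.0.0.1", listener.getsockname()[1]), timeout=5) as c:
        c.sendall(f"CONNECT 127.0.0.1:{origin_port} HTTP/1.1\r\nHost: 127.0.0.1:{origin_port}\r\n\r\n".encode())
        status = _read_head(c).split(b"\r\n", 1)[0].decode()
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        echoed = b"".join(iter(lambda: c.recv(4096), b""))
    return status, echoed
```

Calling `run_demo()` returns the proxy's status line together with the payload as echoed by the origin, showing that bytes written after the `200` pass through untouched. The `check_policy` step is the practical answer to the open-tunnel problem noted above: `handle_client` refuses a CONNECT to any port outside the allow-list with a `403` before opening a single upstream socket, which is the same behaviour a production proxy such as Squid implements with its `SSL_ports` ACL. The `leftover` handling covers clients that send their TLS ClientHello in the same segment as the request head; those bytes belong to the tunnel and must not be dropped.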
Do Transport Layer Proxies Need the CONNECT Method?
Proxies that work at the transport layer (TCP/UDP), such as SOCKS5 proxies, do not need the CONNECT method. They already operate on raw TCP and UDP connections, with the destination host and port carried in the proxy's own request, so they never have to understand an application-layer protocol such as HTTP.
When clients connect to HTTPS websites through these proxies, the proxy server only needs to:
- Receive the client's connection request, which names the destination host and port
- Establish a TCP connection with the target server
- Bridge the two connections, relaying bytes in both directions without interpreting them