
So I know about basic proxies, and how they transparently forward the connection to the destination. I just couldn't understand how chaining proxies works.

For example I have this chain: proxy1 -> proxy2 -> proxy3 -> proxy4 -> destination.

As in normal single proxies, our request is sent to the proxy, which then forwards it to the destination, and sends the response back. But in proxy-chaining, how does the proxy1 know that it has to forward the request to proxy2, and so on, instead of forwarding it directly to the destination?

Is it because of some kind of headers in the requests we send to the proxy chain, which appropriately tell the proxies to forward the requests to the next proxy?

Kamil Maciorowski
jazz

1 Answer


I think it's about the "CONNECT" HTTP method.

In this mechanism, the client asks an HTTP proxy server to forward the TCP connection to the desired destination. The server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the proxy server continues to proxy the TCP stream to and from the client. Note that only the initial connection request is HTTP - after that, the server simply proxies the established TCP connection.

The last sentence is the key. You ask proxy1 to proxy the connection to proxy2. Then everything that follows goes to proxy2 through proxy1 which doesn't interpret anymore, so you ask to proxy to proxy3 and this request is caught and interpreted by proxy2. The next CONNECT request (to proxy to proxy4) will pass through proxy1 and proxy2, it will be interpreted by proxy3 – and so on. Every proxy in chain interprets exactly one CONNECT request.

After all the proxies were properly set up with a chain of initial packets, anything that uses a two-way TCP connection can be passed through a CONNECT tunnel.

Beware that

Not all HTTP proxy servers support this feature, and even those that do may limit the behaviour.

Final note: while experimenting, you may have trouble chaining proxies if the program you run uses GET instead of CONNECT. GET doesn't allow chaining; this is covered here. Your confusion about proxy-chaining may be because you are more familiar with (i.e. you think in terms of) the GET mechanism.

Kamil Maciorowski
  • 1 up for this! So, what proxy2 gets is the same *payload & headers* as proxy1 and because proxy2 knows he is not the destination it simply sends the same *payload & headers* to proxy3? -> maybe you could also comment on this detail, thanks. – Adrian Jan 16 '19 at 09:20
  • I was talking only about the initial request. – Adrian Jan 16 '19 at 10:12
  • @adrhc The initial request is interpreted by `proxy1` and doesn't get to `proxy2`. – Kamil Maciorowski Jan 16 '19 at 10:14
  • So basically is proxy1 CONNECT to proxy2 which CONNECT to proxy3 which CONNECT to proxy4 till reaching the target? – Adrian Jan 16 '19 at 10:22
  • 1
    @adrhc Yes. A subtlety though: After `proxy1` agrees to act as a CONNECT proxy for you, it takes whatever payload you send and sends to `proxy2` as if `proxy1` was the author. The next request you send reaches `proxy2`. In the example scenario this is also a CONNECT request. `proxy2` gets it from `proxy1` and may even not know you exist. From its point of view `proxy1` asks it to CONNECT to `proxy3`. At the same time `proxy1` is unaware it asks anything (unless it peeks into what you send). So neither proxy "consciously" negotiates with the next. You negotiate on behalf of each one in chain. – Kamil Maciorowski Jan 16 '19 at 10:42
  • So, there is a succession of requests: initially `client` CONNECT `proxy1` in order to reach `proxy2`. Then there is `client` CONNECT `proxy2` in order to reach `proxy3` (at this point `proxy1` just lets the communication to pass through between `client` and `proxy2`). And so on ... – Adrian Jan 16 '19 at 10:55
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/88336/discussion-between-kamil-maciorowski-and-adrhc). – Kamil Maciorowski Jan 16 '19 at 10:56
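
The CONNECT chain described in the answer, as an added example that is not part of the original post: four minimal CONNECT relays and an echo destination run on loopback, the client sends one CONNECT per hop, and each relay records the only request it ever interprets. All function names and the `proxy1`..`proxy4` listeners are constructed stand-ins, not real proxy software.

```python
# Added example: loopback listeners stand in for proxy1..proxy4 and the destination.
import socket, threading, contextlib

def pump(src, dst):                       # blind relay: bytes are copied, never parsed
    with contextlib.suppress(OSError):
        while (data := src.recv(4096)):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)      # pass end-of-stream on to the next hop

def read_head(sock):                      # one byte at a time so no tunnel payload is eaten
    buf = b""
    while not buf.endswith(b"\r\n\r\n"):
        byte = sock.recv(1)
        if not byte: raise ConnectionError("closed during handshake")
        buf += byte
    return buf

def serve(handler):                       # accept a single connection on a free port
    srv = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=lambda: handler(srv.accept()[0]), daemon=True).start()
    return srv.getsockname()[1]

def make_proxy(name, log):
    def handle(conn):
        host, port = read_head(conn).split()[1].decode().rsplit(":", 1)
        log.append((name, int(port)))     # the one CONNECT this hop ever interprets
        up = socket.create_connection((host, int(port)))
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        threading.Thread(target=pump, args=(up, conn), daemon=True).start()
        pump(conn, up)
    return serve(handle)

def tunnel(hops, dest):                   # the client negotiates every hop itself
    s = socket.create_connection(("127.0.0.1", hops[0]))
    for nxt in hops[1:] + [dest]:
        s.sendall(f"CONNECT 127.0.0.1:{nxt} HTTP/1.1\r\nHost: 127.0.0.1:{nxt}\r\n\r\n".encode())
        if b" 200 " not in read_head(s): raise ConnectionError("CONNECT refused")
    return s

def demo():
    log, labels = [], ["proxy1", "proxy2", "proxy3", "proxy4"]
    dest = serve(lambda c: pump(c, c))    # destination: plain TCP echo, not HTTP
    ports = [make_proxy(n, log) for n in labels]
    with tunnel(ports, dest) as s:
        s.sendall(b"hello")
        reply = s.recv(5, socket.MSG_WAITALL)
    names = dict(zip(ports + [dest], labels + ["destination"]))
    return reply, [(hop, names[port]) for hop, port in log]
if __name__ == "__main__": print(demo())
```

The returned log is what each relay could record on its own: only the address of the next hop, never the rest of the chain or the final destination (except for the last relay).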