CONNECT a.b.c.d:443
CONNECT is the HTTP method used when a client requests a HTTPS connection through a proxy (usually), although it can be used to tunnel other TCP connections through a HTTP proxy as well.
It's up to the client to tell the proxy what to do (CONNECT and possibly Host header). It's up to the proxy to accept or deny that request.
So, if the request with the port in the Host header works and the other request does not work, your proxy dislikes the later for whatever reason (configuration, product limitation).
I did some tests with curl and a proxy and my proxy does not care about the port number in the Host header, at least not for the standard ports.
curl adds the port number to the Host header, even for 'standard' https requests.
C:\tools\curl>curl -k -v –proxy 172.16.200.1:8080 https://ask.wireshark.org
- About to connect() to proxy 172.16.200.1 port 8080 (#0)
- Connected to 172.16.200.1 (172.16.200.1) port 8080 (#0)
- Establish HTTP proxy tunnel to ask.wireshark.org:443
> CONNECT ask.wireshark.org:443 HTTP/1.1
> Host: ask.wireshark.org:443
> User-Agent: curl/7.21.3 (i386-pc-win32) libcurl/7.21.3 OpenSSL/0.9.8q zlib/1.2.5
Force a Host header without port.
C:\tools\curl>curl -k -v -H "Host: ask.wireshark.org" –proxy 172.16.200.1:8080
- Connected to 172.16.200.1 (172.16.200.1) port 8080 (#0)
- Establish HTTP proxy tunnel to ask.wireshark.org:443
> CONNECT ask.wireshark.org:443 HTTP/1.1
> Host: ask.wireshark.org
> User-Agent: curl/7.21.3 (i386-pc-win32) libcurl/7.21.3 OpenSSL/0.9.8q zlib/1.2.5
Result: Both requests were accepted by the proxy.
From RFC 2616:
The Host field value MUST represent
the naming authority of the origin server or gateway given by the
original URL. This allows the origin server or gateway to
differentiate between internally-ambiguous URLs, such as the root "/"
URL of a server for multiple host names on a single IP address.
Host = "Host" ":" host [ ":" port ] ; Section 3.2.2
A "host" without any trailing port information implies the default
port for the service requested (e.g., "80" for an HTTP URL).
I read this the following way: If the port in the URI/URL is different than the standard port (80,443), it must be added to the Host header as well. If it is the standard port, you ‘can’ add it, however it is not required.
Is it must to specify host header with port number when the connection is not to default(port 80)?
I don’t think so, if it is one of the standard ports (80,443). However, you can add it without creating problems as long as the port is the same as in the CONNECT statement.
So, your problem is probably a matter of the proxy configuration or a matter of proxy functionality. Please ask the vendor of that software.
UPDATE
I just tried it with a sample host on the internet (the first I found with google). Both my proxy and the server do not complain, if I omit the port number in the Host header, even if it is not one of the ‘standard ports’.
HINT: the output is partly anonymized
C:\tools\curl>curl -k -v –proxy 172.16.200.1:8080 -H "Host: www.bbbb.org" https://www.bbbb.org:8000/
- About to connect() to proxy 172.16.200.1 port 8080 (#0)
- Trying 172.16.200.1… connected
- Connected to 172.16.200.1 (172.16.200.1) port 8080 (#0)
- Establish HTTP proxy tunnel to www.bbbb.org:8000
> CONNECT www.bbbb.org:8000 HTTP/1.1
> User-Agent: curl/7.21.3 (i386-pc-win32) libcurl/7.21.3 OpenSSL/0.9.8q zlib/1.2
.5
> Proxy-Connection: Keep-Alive
> Host: www.bbbb.org
>
< HTTP/1.1 200 Connection established
< Connection: Keep-Alive
<
- Proxy replied OK to CONNECT request
- SSLv3, TLS handshake, Client hello (1):
- SSLv3, TLS handshake, Server hello (2):
- SSLv3, TLS handshake, CERT (11):
- SSLv3, TLS handshake, Server finished (14):
- SSLv3, TLS handshake, Client key exchange (16):
- SSLv3, TLS change cipher, Client hello (1):
- SSLv3, TLS handshake, Finished (20):
- SSLv3, TLS change cipher, Client hello (1):
- SSLv3, TLS handshake, Finished (20):
- SSL connection using AES256-SHA
- Server certificate:
-
subject: C=US; ST=OHIO; L=CLEVELAND; O=BBBBBBB; CN=www.bbbb.org
-
start date: 2013-05-09 00:00:00 GMT
-
expire date: 2015-07-02 23:59:59 GMT
-
subjectAltName: www.bbbb.org matched
-
issuer: C=US; O=Thawte, Inc.; CN=Thawte SGC CA - G2
-
SSL certificate verify result: self signed certificate in certificate c
hain (19), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.21.3 (i386-pc-win32) libcurl/7.21.3 OpenSSL/0.9.8q zlib/1.2
.5
> Accept: /
> Host: www.bbbb.org
>
< HTTP/1.1 200 OK
< Date: Tue, 16 Jul 2013 10:28:01 GMT
< Last-Modified: Sun, 09 Jun 2013 03:12:02 GMT
< ETag: "0-50e-51b3f282"
< Accept-Ranges: bytes
< Content-Length: 1294
< Content-Type: text/html
<
<html>
<head>
<title>E-Business Suite Home Page Redirect</title>
<meta http-equiv="REFRESH" content="1; URL=<a href=" https:="" www.bbbb.org:8000="" oa_html="" appslogin"="">">https://www.bbbb.org:8000/OA_HTML/AppsLogin">
</head>
<body>
REMOVED
</body>
</html>
- Connection #0 to host 172.16.200.1 left intact
- Closing connection #0
- SSLv3, TLS alert, Client hello (1):
Regards
Kurt
answered 16 Jul ‘13, 02:59
Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%
Kurt, Extremely thankful for your reply.This is igniting interest to keep on learning/contributing from/to this community.I will check with the vendor of that software for any anomaly and update the thread. Thanks again.
Thanks!
BTW: Just for my interest. Is it possible to name the vendor here?
I’m interested in the answer of their support. I guess (based on experience with all kinds of vendors), they will first claim, that it is not RFC compliant to omit the port. And I’m not really sure either (see above).
Kurt i just deleted the application vendor name for privacy reasons(my friend is following this thread too:))I will get back to you once the proxy folks respond to this issue.