Proxy support does not work properly with CONNECT on https requests

[gm-ghanover]

Describe the bug

Using Axios 0.26.1 behind a corporate HTTP tunneling proxy to an HTTPS destination, once the proxy connection is made, a POST method is issued, rather than a CONNECT to establish the TLS tunnel to the destination host where the POST should be sent. Result is Error: socket hang up, as the proxy expects a CONNECT to be issued and drops the connection

Specifically, using wireshark to monitor the activity of the script goes as follow:

TCP SYN
< TCP SYN, ACK
TCP ACK
HTTP POST
< TCP FIN, ACK
TCP ACK

If you use curl with the same environment, the packets are as follows:

TCP SYN
< TCP SYN, ACK
TCP ACK
HTTP CONNECT
< HTTP Connection established
TCP ACK
TLS Client Hello
< TLS Server Hello
... encrypted POST and response follows

To Reproduce

export http_proxy="http://user:password@10.123.173.125:80"
export https_proxy="http://user:password@10.123.173.125:80"

http.post('https://api.github.com/user/repos', {});

Expected behavior

When connecting to an HTTPS server through a tunneling HTTP proxy, the CONNECT method should be used to establish the TLS handshake before issuing the POST

Environment

• Axios Version 0.26.1
• Adapter HTTP
• Node.js Version 14.8.0
• OS: Windows 10 (10.0.19042.1526)

[gm-ghanover]

FWIW, https://github.com/thib3113/axios-proxy-tunnel/blob/master/src/axios-proxy-tunnel.ts is an example that works with an older version of axios, doing a modification of axiosProxyTunnel is a usable workaround

[ahszww]

This problem has existed for a long time, hope it will be solved

[srdi]

I've also faced this issue.
It seems hpagent package help to fix this issue.

Here is example of usage:

const axios = require('axios');
const { HttpProxyAgent, HttpsProxyAgent } = require('hpagent')

const httpAgent = new HttpProxyAgent({
    proxy: 'proxy url'
})
const httpsAgent = new HttpsProxyAgent({
    proxy: 'proxy url'
})

const instance = axios.create({ httpAgent, httpsAgent });

instance.post('http://example.com')

[Nevon]

Why is the "possible bug" label removed? Clearly the automatic proxy configuration is incorrect. If the protocol is HTTPS and the HTTPS_PROXY environment variable set, the client should use the tunnel protocol by sending a CONNECT request, wait to get a 200 OK back and then send the original request on the same connection.

[Yueren-Wang]

Is there an update for this issue? which axios version should we use to workaround?

[srdi]

Is there an update for this issue? which axios version should we use to workaround?

This worked for me:

I've also faced this issue. It seems hpagent package help to fix this issue.

Here is example of usage:

const axios = require('axios');
const { HttpProxyAgent, HttpsProxyAgent } = require('hpagent')

const httpAgent = new HttpProxyAgent({
    proxy: 'proxy url'
})
const httpsAgent = new HttpsProxyAgent({
    proxy: 'proxy url'
})

const instance = axios.create({ httpAgent, httpsAgent });

instance.post('http://example.com')

[ppati000]

If anyone is interested in trying out HTTPS-over-HTTP support in Axios, feel free to check #5037. The implementation has some limitations (no redirects) but maybe it still fits your use cases. Would love to hear back from you!

Edit: Not directly related to this issue, but please note that there is currently (as of 1.1.2) some trouble around a breaking change in the proxy configuration: #5079

[topquarck]

I've also faced this issue. It seems hpagent package help to fix this issue.

Here is example of usage:

const axios = require('axios');
const { HttpProxyAgent, HttpsProxyAgent } = require('hpagent')

const httpAgent = new HttpProxyAgent({
    proxy: 'proxy url'
})
const httpsAgent = new HttpsProxyAgent({
    proxy: 'proxy url'
})

const instance = axios.create({ httpAgent, httpsAgent });

instance.post('http://example.com')

that didn't work with me, got 407 from proxy, although no proxy auth required,
however, using a different library other than axios, the equivalent code returned 200 without providing any proxy credentials
don't know what is the reason for axios/hpagent to make proxy return 407

[sebaplaza]

Can we just use proxy-agent to fix this ?

With this module we could have all proxy features enabled automatically.

I was having the same problem, and now everything works when i replace the agent.

proxy: false is needed, otherwise axios is trying to overwrite the agent.

const axios = require("axios").default;
const { ProxyAgent } = require("proxy-agent");

async function call() {
  const url = "https://api64.ipify.org?format=json";
  const agent = new ProxyAgent();
  const res = await axios.get(url, { httpAgent:agent, httpsAgent:agent, proxy: false });
  console.log(res.data);
}
call();

HTTPS_PROXY=http://proxy:3128 node example.js

[Nevon]

Yes, you can pass in a working agent implementation yourself. The problem is that Axios currently has a built-in implementation that is broken, so if you have the HTTPS_PROXY environment variable set it will fail by default.

[sebaplaza]

Yes @Nevon, but i think axios could use proxy-agent internally. There is no need to have a built-in implementation of this.

Even if the proxy is not very difficult to understand, there is a lot of little details that can lead to multiple kind of bugs.

[cnlab-software-ag]

Is there any progress on this issue?

• Axios not properly supporting https requests over a proxy prevents many depending products from working properly.
• In my case, I can not upgrade to a recent release of n8n because they dropped the alternative library on the step to 1.x.

Please fix this as this plays a central role in corporate environments.