CONNECT request method
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2015.
TheCONNECT HTTP method requests that aproxy establish a HTTP tunnel to a destination server, and if successful, blindly forward data in both directions until the tunnel is closed.
The request target is unique to this method in that it consists of only the host and port number of the tunnel destination, separated by a colon (seeSyntax for details).Any2XX successful response status code means that the proxy will switch to 'tunnel mode' and any data in the success response body is from the server identified by the request target.
If a website is behind a proxy and it's enforced via network rules that all external traffic must pass through the proxy, theCONNECT method allows you to establish aTLS (HTTPS) connection with that website:
- The client asks the proxy to tunnel theTCP connection to the desired destination.
- The proxy server makes a secure connection to the server on behalf of the client.
- Once the connection is established, the proxy server continues to relay the TCP stream to and from the client.
Aside from enabling secure access to websites behind proxies, a HTTP tunnel provides a way to allow traffic that would otherwise be restricted (SSH or FTP) over the HTTP(S) protocol.
CONNECT is a hop-by-hop method, meaning proxies will only forward theCONNECT request if there is another inbound proxy in front of the origin server since most origin servers do not implementCONNECT.
Warning:If you are running a proxy that supportsCONNECT, restrict its use to a set of known ports or a configurable list of safe request targets.There are significant risks in establishing a tunnel to arbitrary servers, particularly when the destination is a well-known or reserved TCP port that is not intended for Web traffic.A loosely-configured proxy may be abused to forward traffic such as SMTP to relay spam email, for example.
| Request has body | No |
|---|---|
| Successful response has body | No |
| Safe | No |
| Idempotent | No |
| Cacheable | No |
| Allowed inHTML forms | No |
In this article
Syntax
CONNECT <host>:<port> HTTP/1.1Examples
>Proxy authorization
A request for proxy servers that require authorization to create a tunnel looks as follows.See theProxy-Authorization header for more information.
CONNECT server.example.com:80 HTTP/1.1Host: server.example.com:80Proxy-Authorization: basic aGVsbG86d29ybGQ=Specifications
| Specification |
|---|
| HTTP Semantics> # CONNECT> |
Browser compatibility
See also
- HTTP request methods
- HTTP response status codes
- HTTP headers
- Proxy server glossary entry
Proxy-Authorizationheader- How To Use SSH Over An HTTP Proxy dimoulis.net (2023)