Hi,
I've just run into the same symptoms as #14; it seems to still be an issue.
I'm using the latest revision (37) of aproxy from charmhub. The snap version is 0.2.5.
These are my nftables rules:
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
table ip aproxy {
    set excluded_nets {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 10.151.0.0-10.152.255.255, 10.156.0.0/16,
                     127.0.0.0/8 }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr @excluded_nets return
        tcp dport 1-65535 counter packets 0 bytes 0 dnat to 10.151.190.52:8443
    }
    chain output {
        type nat hook output priority mangle; policy accept;
        ip daddr @excluded_nets return
        tcp dport 1-65535 counter packets 2 bytes 120 dnat to 10.151.190.52:8443
    }
    chain input {
        type filter hook input priority filter; policy accept;
        iif "lo" accept
        ip saddr 10.151.190.52 tcp dport 8443 accept
        tcp dport 8443 drop
    }
}
Attempting to connect to sites by IP (no SNI) throws the same SSL_ERROR_SYSCALL originally reported:
curl https://10.146.34.205
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 10.146.34.205:443
The relevant aproxy log:
Dec 19 08:41:49 juju-8b2631-prod-canonical-vault-ps7-2 aproxy.aproxy[3803015]: 2025/12/19 08:41:49 ERROR failed to connect to http proxy src=10.151.190.52:56104 original_dst=10.146.34.205:443 host=:443 error="proxy return 400 response for connect request"
The relevant squid proxy log:
1766133717.177 0 10.151.190.52 NONE_NONE/400 3685 CONNECT :443 - HIER_NONE/- text/html
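The two log lines above show the mechanism behind the failure: with no SNI in the ClientHello, the proxy has no hostname and sends `CONNECT :443` upstream, which squid rejects with 400. The Go program below is an added illustration written for this report, not aproxy's own code. It parses the server_name extension from a raw ClientHello, then builds the CONNECT authority with a fallback to the original destination address (from the DNAT target) when the SNI is empty. The `parseSNI`, `connectTarget` and `buildClientHello` functions are hypothetical names, and the ClientHello bytes are constructed in the program rather than captured from a real connection.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// parseSNI extracts the server_name from a raw TLS ClientHello record.
// It returns "" with a nil error when the extension is absent, which is
// what happens for connections made directly to an IP address.
func parseSNI(rec []byte) (string, error) {
	// TLS record header: content type (0x16 = handshake), version, length.
	if len(rec) < 5 || rec[0] != 0x16 {
		return "", errors.New("not a TLS handshake record")
	}
	body := rec[5:]
	// Handshake header: type (1 = ClientHello) and 24-bit length.
	if len(body) < 4 || body[0] != 0x01 {
		return "", errors.New("not a ClientHello")
	}
	hello := body[4:]
	// client_version (2) + random (32), then variable-length fields.
	if len(hello) < 34 {
		return "", errors.New("truncated ClientHello")
	}
	p := 34
	if p+1 > len(hello) {
		return "", errors.New("truncated session_id")
	}
	p += 1 + int(hello[p]) // session_id
	if p+2 > len(hello) {
		return "", errors.New("truncated cipher_suites")
	}
	p += 2 + int(binary.BigEndian.Uint16(hello[p:])) // cipher_suites
	if p+1 > len(hello) {
		return "", errors.New("truncated compression_methods")
	}
	p += 1 + int(hello[p]) // compression_methods
	if p+2 > len(hello) {
		return "", nil // no extensions block at all, so no SNI
	}
	extLen := int(binary.BigEndian.Uint16(hello[p:]))
	p += 2
	if p+extLen > len(hello) {
		return "", errors.New("truncated extensions")
	}
	ext := hello[p : p+extLen]
	for len(ext) >= 4 {
		typ := binary.BigEndian.Uint16(ext[:2])
		l := int(binary.BigEndian.Uint16(ext[2:4]))
		if 4+l > len(ext) {
			return "", errors.New("truncated extension")
		}
		data := ext[4 : 4+l]
		ext = ext[4+l:]
		if typ != 0 { // extension type 0 is server_name
			continue
		}
		if len(data) < 2 {
			return "", errors.New("bad server_name extension")
		}
		list := data[2:] // ServerNameList entries: name_type(1) name_len(2) name
		for len(list) >= 3 {
			nl := int(binary.BigEndian.Uint16(list[1:3]))
			if 3+nl > len(list) {
				return "", errors.New("bad server_name entry")
			}
			if list[0] == 0 { // name_type 0 = host_name
				return string(list[3 : 3+nl]), nil
			}
			list = list[3+nl:]
		}
	}
	return "", nil
}

// connectTarget builds the authority for the upstream HTTP CONNECT request.
// Without an SNI it falls back to the original destination address rather
// than emitting ":443", which is what the upstream proxy rejected with 400.
func connectTarget(sni, originalDst string) (string, error) {
	_, port, err := net.SplitHostPort(originalDst)
	if err != nil {
		return "", err
	}
	if sni != "" {
		return net.JoinHostPort(sni, port), nil
	}
	return originalDst, nil
}

// buildClientHello constructs a minimal TLS 1.2-style ClientHello record
// (constructed test data, not a capture), with or without a server_name extension.
func buildClientHello(sni string) []byte {
	hello := []byte{0x03, 0x03}                  // client_version
	hello = append(hello, make([]byte, 32)...)   // random (zeros, constructed)
	hello = append(hello, 0x00)                  // empty session_id
	hello = append(hello, 0x00, 0x02, 0x13, 0x01) // one cipher suite
	hello = append(hello, 0x01, 0x00)            // null compression only
	if sni != "" {
		name := []byte(sni)
		entry := append([]byte{0x00}, be16(len(name))...)
		entry = append(entry, name...)
		list := append(be16(len(entry)), entry...)
		ext := append([]byte{0x00, 0x00}, be16(len(list))...)
		ext = append(ext, list...)
		hello = append(hello, be16(len(ext))...)
		hello = append(hello, ext...)
	}
	hs := append([]byte{0x01, 0x00}, be16(len(hello))...) // type 1, 24-bit length
	hs = append(hs, hello...)
	rec := append([]byte{0x16, 0x03, 0x01}, be16(len(hs))...)
	return append(rec, hs...)
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

func main() {
	for _, sni := range []string{"example.com", ""} {
		got, err := parseSNI(buildClientHello(sni))
		if err != nil {
			panic(err)
		}
		target, _ := connectTarget(got, "10.146.34.205:443")
		fmt.Printf("sni=%q -> CONNECT %s\n", got, target)
	}
}
```

With the fallback in place the upstream request for the IP-only case reads `CONNECT 10.146.34.205:443` instead of `CONNECT :443`; whether the upstream proxy then allows a CONNECT to an IP literal is a matter of its own ACLs, so the squid access log remains the place to confirm the outcome. A `CONNECT :443` entry like the one quoted above is the log signature of an empty host reaching the proxy.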