[GH-ISSUE #4584] [Feature Request] add support for https proxy (frpc -> httpsProxy -> frps)

gitea-mirror commented

2026-05-05 14:19:34 -06:00

Owner

Copy link

Originally created by @ofirc on GitHub (Dec 15, 2024).
Original GitHub issue: https://github.com/fatedier/frp/issues/4584

Describe the feature request

I saw both in the README.md, the frpc.toml sample, and the golib code itself (link1, link2) that we only support: socks5, http and ntlm:

var supportedDialProxyTypes = []string{"socks5", "http", "ntlm"}

But what if I have an https proxy, e.g. https://my.proxy.server.com:8888 rather than http://my.proxy.server.com:8888?
Was wondering why isn't it supported and what would it take to support an HTTPS proxy?
For the sake of clarity, I don't care about MitM (man-in-the-middle) proxies, I'm talking about a scenario where the frpc (frp client) connects to frps (frp server) through a proxy with an https:// protocol scheme.

I'm guessing that from the user's perspective we'd need to (1) pass a custom CA (as most likely it's a local proxy with a private PKI), (2) add TLS handshake support to golib and the rest should be the same, i.e. pass a CONNECT to frps over that established connection.

I know that it might not make a lot of sense to everyone to actually use an https proxy, but nevertheless wondering what's the dev effort / design considerations that were led to not supporting it.

Thanks!
Ofir

Describe alternatives you've considered

No response

Affected area

Docs
Installation
Performance and Scalability
Security
User Experience
Test and Release
Developer Infrastructure
Client Plugin
Server Plugin
Extensions
Others

Originally created by @ofirc on GitHub (Dec 15, 2024). Original GitHub issue: https://github.com/fatedier/frp/issues/4584 ### Describe the feature request I saw both in the [README.md](https://github.com/fatedier/frp?tab=readme-ov-file#connecting-to-frps-via-proxy), the [frpc.toml sample](https://github.com/fatedier/frp/blob/dev/conf/frpc_full_example.toml#L91), and the golib code itself ([link1](https://github.com/fatedier/golib/blob/master/net/dial.go#L54), [link2](https://github.com/fatedier/golib/blob/master/net/dial_option.go#L33)) that we only support: socks5, http and ntlm: `var supportedDialProxyTypes = []string{"socks5", "http", "ntlm"} ` But what if I have an https proxy, e.g. `https://my.proxy.server.com:8888` rather than `http://my.proxy.server.com:8888`? Was wondering why isn't it supported and what would it take to support an HTTPS proxy? For the sake of clarity, I don't care about MitM (man-in-the-middle) proxies, I'm talking about a scenario where the frpc (frp client) connects to frps (frp server) through a proxy with an `https://` protocol scheme. I'm guessing that from the user's perspective we'd need to (1) pass a custom CA (as most likely it's a local proxy with a private PKI), (2) add TLS handshake support to `golib` and the rest should be the same, i.e. pass a CONNECT to frps over that established connection. I know that it might not make a lot of sense to everyone to actually use an https proxy, but nevertheless wondering what's the dev effort / design considerations that were led to not supporting it. Thanks! Ofir ### Describe alternatives you've considered _No response_ ### Affected area - [ ] Docs - [ ] Installation - [ ] Performance and Scalability - [ ] Security - [ ] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [ ] Client Plugin - [ ] Server Plugin - [ ] Extensions - [ ] Others

gitea-mirror

2026-05-05 14:19:34 -06:00

closed this issue
added the
lifecycle/stale
label

gitea-mirror commented

2026-05-05 14:19:37 -06:00

Author

Owner

Copy link

@fatedier commented on GitHub (Dec 16, 2024):

I personally haven’t used an HTTPS proxy much myself, but if the behavior is similar to that of an HTTP proxy, we should be able to support it. Would you be able to help modify the code and test/verify it?

@fatedier commented on GitHub (Dec 16, 2024): I personally haven’t used an HTTPS proxy much myself, but if the behavior is similar to that of an HTTP proxy, we should be able to support it. Would you be able to help modify the code and test/verify it?

gitea-mirror commented

2026-05-05 14:19:37 -06:00

Author

Owner

Copy link

@ofirc commented on GitHub (Dec 16, 2024):

Yes, I will update this issue once I change the code and test it.
Thanks!

@ofirc commented on GitHub (Dec 16, 2024): Yes, I will update this issue once I change the code and test it. Thanks!

gitea-mirror commented

2026-05-05 14:19:38 -06:00

Author

Owner

Copy link

@xqzr commented on GitHub (Dec 17, 2024):

if the behavior is similar to that of an HTTP proxy, we should be able to support it.

HTTPS 代理在 HTTP/1.1 版本下，只是添加了 TLS，即 HTTP+TLS

@xqzr commented on GitHub (Dec 17, 2024): > if the behavior is similar to that of an HTTP proxy, we should be able to support it. HTTPS 代理在 HTTP/1.1 版本下，只是添加了 TLS，即 HTTP+TLS

gitea-mirror commented

2026-05-05 14:19:39 -06:00

Author

Owner

Copy link

@ofirc commented on GitHub (Jan 22, 2025):

@fatedier I've forked golib and added a new commit to it:
6c2503ed9c

Let me know what you think of the semantics of the change.
I'm going to test it against stunnel + tinyproxy using this project:
https://github.com/ofirc/go-mtls-proxy

It's going to be interesting to see it working in practice :-)

I'll contribute it back to the repo once it's working. Appreciate your feedback!

@ofirc commented on GitHub (Jan 22, 2025): @fatedier I've forked golib and added a new commit to it: https://github.com/ofirc/golib/commit/6c2503ed9c1271e76a6af6634a533d7c5b342014 Let me know what you think of the semantics of the change. I'm going to test it against stunnel + tinyproxy using this project: https://github.com/ofirc/go-mtls-proxy It's going to be interesting to see it working in practice :-) I'll contribute it back to the repo once it's working. Appreciate your feedback!

gitea-mirror commented

2026-05-05 14:19:39 -06:00

Author

Owner

Copy link

@fatedier commented on GitHub (Jan 22, 2025):

You can directly submit a PR to the golib repository for easier review.

@fatedier commented on GitHub (Jan 22, 2025): You can directly submit a PR to the golib repository for easier review.

gitea-mirror commented

2026-05-05 14:19:40 -06:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Nov 21, 2025):

Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.

@github-actions[bot] commented on GitHub (Nov 21, 2025): Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.

gitea-mirror commented

2026-05-05 14:19:40 -06:00

Author

Owner

Copy link

@shani1998 commented on GitHub (Mar 25, 2026):

Hi @fatedier/ @blizard863 , the use case is still very relevant. Many on-prem environments rely on forward proxies that require TLS (i.e., https:// scheme proxies), and golib currently only handles http, socks5, and ntlm.

I've implemented HTTPS proxy support in golib PR, TLS handshake before CONNECT, with custom CA certificate support and will be opening a PR to fatedier/golib as you suggested in this thread.

Thanks to @ofirc for the initial groundwork.

@shani1998 commented on GitHub (Mar 25, 2026): Hi @fatedier/ @blizard863 , the use case is still very relevant. Many on-prem environments rely on forward proxies that require TLS (i.e., https:// scheme proxies), and golib currently only handles http, socks5, and ntlm. I've implemented HTTPS proxy support in golib [PR](https://github.com/fatedier/golib/pull/33), TLS handshake before CONNECT, with custom CA certificate support and will be opening a PR to fatedier/golib as you suggested in this thread. Thanks to @ofirc for the initial groundwork.

No Branch/Tag specified