How to access Tinyproxy via encrypted HTTPS to hide basic auth and requested SNI? #601

@sergiks

Tinyproxy version

tinyproxy 1.11.2

Issue

I want to achieve encrypted HTTPS access from the browser to Tinyproxy to hide the HTTP basic auth credentials and the proxied SNI header. Basically wrap HTTPS into another HTTPS.

Tinyproxy runs inside a Docker container behind Traefik. There's a domain name and LE certificate for the proxy endpoint, for example tinyproxy.example.com. It listens on port 443 and terminates TLS - then passes it to Tinyproxy:8888.

What could possibly go wrong

This does not work the way I imagined:

curl -vv -x https://username:[email protected]  https://icanhazip.com 

* Host tinyproxy.example.com:443 was resolved.
* IPv6: (none)
* IPv4: 1.2.3.4
*   Trying 1.2.3.4:443...
* Connected to tinyproxy.example.com (1.2.3.4) port 443
* ALPN: curl offers http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Proxy certificate:
*  subject: CN=tinyproxy.example.com
*  start date: Mar 20 08:34:38 2026 GMT
*  expire date: Jun 18 08:34:37 2026 GMT
*  subjectAltName: host "tinyproxy.example.com" matched cert's "tinyproxy.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R13
*  SSL certificate verify ok.
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Proxy auth using Basic with user 'username'
* Establish HTTP proxy tunnel to icanhazip.com:443
> CONNECT icanhazip.com:443 HTTP/1.1
> Host: icanhazip.com:443
> Proxy-Authorization: Basic xxxxxx=
> User-Agent: curl/8.7.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Fri, 20 Mar 2026 09:59:49 GMT
< Content-Length: 19
< 
* CONNECT tunnel failed, response 404
* Closing connection
curl: (56) CONNECT tunnel failed, response 404

Works with plain HTTP to proxy

The same Tinyproxy service DOES work as expected when not using HTTPS for the proxy itself — accessed via the exposed direct port of Tinyproxy:

curl -vv -x http://username:[email protected]:8888  https://icanhazip.com

* Host tinyproxy.example.com:8888 was resolved.
* IPv6: (none)
* IPv4: 1.2.3.4
*   Trying 1.2.3.4:8888...
* Connected to tinyproxy.example.com (1.2.3.4) port 8888
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Proxy auth using Basic with user 'username'
* Establish HTTP proxy tunnel to icanhazip.com:443
> CONNECT icanhazip.com:443 HTTP/1.1
> Host: icanhazip.com:443
> Proxy-Authorization: Basic xxxxxxx=
> User-Agent: curl/8.7.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< Proxy-agent: tinyproxy/1.11.2
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=icanhazip.com
*  start date: Feb 14 02:24:46 2026 GMT
*  expire date: May 15 03:24:40 2026 GMT
*  subjectAltName: host "icanhazip.com" matched cert's "icanhazip.com"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://icanhazip.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: icanhazip.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: icanhazip.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 200 
< date: Fri, 20 Mar 2026 09:58:27 GMT
< content-type: text/plain
< content-length: 14
< access-control-allow-origin: *
< access-control-allow-methods: GET
< set-cookie: __cf_bm=xxxxxx; HttpOnly; Secure; Path=/; Domain=icanhazip.com; Expires=Fri, 20 Mar 2026 10:28:27 GMT
< server: cloudflare
< cf-ray: xxxxxx-XXXXX
< alt-svc: h3=":443"; ma=86400
< 
1.2.3.4
* Connection #0 to host tinyproxy.example.com left intact

Question

Is it possible to access Tinyproxy with TLS terminated?
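
An added example, not part of the original post or of the Tinyproxy project: a small parser for the two `curl -v` traces above that extracts the reply to the CONNECT request and checks whether any header in it names Tinyproxy, as `Proxy-agent: tinyproxy/1.11.2` does in the working trace. The function names and the header heuristic are assumptions for illustration; the sample traces are abbreviated from the post.

```python
import re

# Sample input: abbreviated from the two curl -v traces in the post above.
VIA_443 = """\
> CONNECT icanhazip.com:443 HTTP/1.1
> Host: icanhazip.com:443
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Content-Length: 19
<
"""
VIA_8888 = """\
> CONNECT icanhazip.com:443 HTTP/1.1
> Host: icanhazip.com:443
>
< HTTP/1.1 200 Connection established
< Proxy-agent: tinyproxy/1.11.2
<
* CONNECT tunnel established, response 200
< HTTP/2 200
< server: cloudflare
"""

def connect_reply(trace):
    """Return (status, headers) of the reply to the first CONNECT, or None."""
    lines = iter(trace.splitlines())
    if not any(l.startswith("> CONNECT ") for l in lines):
        return None  # no CONNECT request in this trace
    status, headers = None, {}
    for line in lines:  # iterator resumes just after the CONNECT line
        if not line.startswith("<"):
            continue  # request header or curl "*" info line
        body = line[1:].strip()
        if status is None:
            m = re.match(r"HTTP/\S+ (\d{3})", body)
            status = int(m.group(1)) if m else None
        elif not body:
            break  # blank "<" line ends the reply headers
        else:
            name, _, value = body.partition(":")
            headers[name.strip().lower()] = value.strip()
    return (status, headers) if status is not None else None

def names_tinyproxy(trace):
    """True if any header of the CONNECT reply identifies Tinyproxy."""
    reply = connect_reply(trace)
    return bool(reply) and any(v.startswith("tinyproxy/") for v in reply[1].values())
```

On the trace through port 443 the 404 reply carries no header naming Tinyproxy, while the reply on port 8888 does, which is the difference to look at first when deciding which hop rejected the CONNECT.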
