Tinyproxy version
tinyproxy 1.11.2
Issue
I want to achieve encrypted HTTPS access from the browser to Tinyproxy to hide the HTTP basic auth credentials and the proxied SNI header. Basically wrap HTTPS into another HTTPS.
Tinyproxy runs inside a Docker container behind Traefik. There's a domain name and LE certificate for the proxy endpoint, for example tinyproxy.example.com. It listens on port 443 and terminates TLS - then passes it to Tinyproxy:8888
What could possibly go wrong
This does not work the way I imagined:
curl -vv -x https://username:password@tinyproxy.example.com https://icanhazip.com
* Host tinyproxy.example.com:443 was resolved.
* IPv6: (none)
* IPv4: 1.2.3.4
* Trying 1.2.3.4:443...
* Connected to tinyproxy.example.com (1.2.3.4) port 443
* ALPN: curl offers http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Proxy certificate:
* subject: CN=tinyproxy.example.com
* start date: Mar 20 08:34:38 2026 GMT
* expire date: Jun 18 08:34:37 2026 GMT
* subjectAltName: host "tinyproxy.example.com" matched cert's "tinyproxy.example.com"
* issuer: C=US; O=Let's Encrypt; CN=R13
* SSL certificate verify ok.
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Proxy auth using Basic with user 'username'
* Establish HTTP proxy tunnel to icanhazip.com:443
> CONNECT icanhazip.com:443 HTTP/1.1
> Host: icanhazip.com:443
> Proxy-Authorization: Basic xxxxxx=
> User-Agent: curl/8.7.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Fri, 20 Mar 2026 09:59:49 GMT
< Content-Length: 19
<
* CONNECT tunnel failed, response 404
* Closing connection
curl: (56) CONNECT tunnel failed, response 404
Works with plain HTTP to proxy
The same Tinyproxy service DOES work as expected when not using HTTPS for the proxy itself — accessed via the exposed direct port of Tinyproxy:
curl -vv -x http://username:password@tinyproxy.example.com:8888 https://icanhazip.com
* Host tinyproxy.example.com:8888 was resolved.
* IPv6: (none)
* IPv4: 1.2.3.4
* Trying 1.2.3.4:8888...
* Connected to tinyproxy.example.com (1.2.3.4) port 8888
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Proxy auth using Basic with user 'username'
* Establish HTTP proxy tunnel to icanhazip.com:443
> CONNECT icanhazip.com:443 HTTP/1.1
> Host: icanhazip.com:443
> Proxy-Authorization: Basic xxxxxxx=
> User-Agent: curl/8.7.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
< Proxy-agent: tinyproxy/1.11.2
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=icanhazip.com
* start date: Feb 14 02:24:46 2026 GMT
* expire date: May 15 03:24:40 2026 GMT
* subjectAltName: host "icanhazip.com" matched cert's "icanhazip.com"
* issuer: C=US; O=Google Trust Services; CN=WE1
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://icanhazip.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: icanhazip.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: icanhazip.com
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< date: Fri, 20 Mar 2026 09:58:27 GMT
< content-type: text/plain
< content-length: 14
< access-control-allow-origin: *
< access-control-allow-methods: GET
< set-cookie: __cf_bm=xxxxxx; HttpOnly; Secure; Path=/; Domain=icanhazip.com; Expires=Fri, 20 Mar 2026 10:28:27 GMT
< server: cloudflare
< cf-ray: xxxxxx-XXXXX
< alt-svc: h3=":443"; ma=86400
<
1.2.3.4
* Connection #0 to host tinyproxy.example.com left intact
Question
Is it possible to access Tinyproxy with TLS terminated?
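A small check for the two CONNECT replies in the traces above, as an added example that is not part of the original issue or of Tinyproxy's code: it parses a response head and reports whether the reply identifies itself as Tinyproxy. The function names are hypothetical, and it assumes the proxy names itself in a Proxy-agent or Server header, as the 200 reply above does.

```python
import re

# Constructed samples: the two CONNECT replies copied from the curl traces above.
VIA_TLS_443 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Date: Fri, 20 Mar 2026 09:59:49 GMT\r\n"
    "Content-Length: 19\r\n\r\n"
)
VIA_PLAIN_8888 = (
    "HTTP/1.1 200 Connection established\r\n"
    "Proxy-agent: tinyproxy/1.11.2\r\n\r\n"
)


def parse_head(raw):
    """Split a response head into (status_code, {lowercased-header: value})."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    m = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", lines[0] if lines else "")
    if not m:
        raise ValueError("not an HTTP status line: %r" % raw[:40])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def connect_responder(raw, proxy_token="tinyproxy"):
    """Report the CONNECT status and whether the reply names the proxy."""
    status, headers = parse_head(raw)
    # Assumption: the proxy identifies itself in Proxy-agent or Server.
    ident = " ".join(headers.get(h, "") for h in ("proxy-agent", "server"))
    named = proxy_token in ident.lower()
    return {
        "status": status,
        "tunnel": 200 <= status < 300,  # only a 2xx reply opens a tunnel
        "answered_by": proxy_token if named else "unidentified hop",
    }


if __name__ == "__main__":
    for label, raw in (("tls:443", VIA_TLS_443), ("plain:8888", VIA_PLAIN_8888)):
        print(label, connect_responder(raw))
```

For the two traces, the 404 on port 443 carries no Tinyproxy identifier, while the 200 on port 8888 does.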