Tinyproxy CONNECT Method Refusal: Resolving HTTP 403 Errors for Port 80 Connections



The error message clearly indicates Tinyproxy is refusing CONNECT requests on port 80:

INFO Oct 22 11:39:59 [13230]: Refused CONNECT method on port 80

Tinyproxy's default configuration only allows the CONNECT method on ports 443 (HTTPS) and 563 (SNEWS). This restriction keeps the proxy from being used as a general-purpose TCP tunnel, but it also rejects clients that tunnel plain HTTP to port 80 through CONNECT.

Add port 80 to the ConnectPort directive in /etc/tinyproxy/tinyproxy.conf:

# Original security-conscious defaults
ConnectPort 443
ConnectPort 563

# Add this line to permit HTTP connections
ConnectPort 80

After modifying the config:

  1. Restart Tinyproxy: sudo systemctl restart tinyproxy
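  2. Test with curl, forcing a CONNECT tunnel with -p (without it, curl sends an ordinary proxied GET for http:// URLs and never uses CONNECT): curl -p -x http://yourproxy:3128 http://example.com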
  3. Check logs: tail -f /var/log/tinyproxy/tinyproxy.log

While opening port 80 solves the immediate problem, consider these alternatives for production environments:

  • Use HTTPS endpoints exclusively (recommended)
  • Implement IP-based restrictions with Allow/Deny rules
  • Set up authentication: BasicAuth user password

For Proxifier specifically, ensure these settings match:

Proxy Server: yourproxy:3128
Protocol: HTTP
Enable "HTTPS" option only for SSL connections

If modifying CONNECT ports isn't viable:

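# Use socat as tunnel alternative
# Note: socat's PROXY address also sends a CONNECT request to the proxy,
# so the target port (80 here) must still be permitted by ConnectPort
socat TCP4-LISTEN:8080,fork PROXY:yourproxy:www.google.com:80,proxyport=3128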

When debugging proxy connections, you might encounter this scenario in your Tinyproxy logs:

INFO Oct 22 11:39:59 [13230]: Refused CONNECT method on port 80
INFO Oct 22 11:39:59 [13230]: no entity

This occurs because Tinyproxy by default only allows CONNECT requests to specific ports (typically 443 and 563 for SSL). The restriction is security-conscious but can break legitimate use cases.

In your tinyproxy.conf, locate the ConnectPort directive. The standard SSL-enabled configuration looks like:

# Default SSL ports only
ConnectPort 443
ConnectPort 563

To enable CONNECT on port 80 (HTTP), you need to explicitly add it:

# Allow HTTP CONNECT requests
ConnectPort 80
ConnectPort 443
ConnectPort 563

Before enabling port 80 CONNECT, consider these security implications:

  • CONNECT on port 80 could be used to tunnel non-HTTP traffic
  • May expose internal services if misconfigured
  • Increases attack surface for proxy misuse

For development environments, you might use:

# Development-safe configuration
ConnectPort 80
ConnectPort 8080
ConnectPort 8888
ConnectPort 443
ConnectPort 563

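After modifying your config, test with curl. The -p (--proxytunnel) option makes curl issue a CONNECT for a plain http:// URL; without it, curl sends an ordinary proxied GET and the ConnectPort rule is never exercised:

curl -p -x http://yourproxy:3128 -v http://example.com:80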

For HTTPS (which always uses CONNECT):

curl -x http://yourproxy:3128 -v https://example.com

Here's a production-ready configuration snippet:

# Allow CONNECT to common web ports
ConnectPort 80
ConnectPort 443
ConnectPort 8443
ConnectPort 8080
ConnectPort 8888

# Security constraints
Allow 127.0.0.1
Allow 192.168.1.0/24
MaxClients 50
Timeout 300
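
To see what a given set of ConnectPort, Allow and BasicAuth lines actually opens up, the following added example (not from the original page and not Tinyproxy code) audits the text of a tinyproxy.conf. The function name and finding codes are hypothetical; the sample input is constructed from the snippet above.

```python
# Added example (not Tinyproxy code): audit CONNECT-related directives.
TLS_DEFAULTS = {443, 563}  # ports the shipped config allows, per this page

def audit_tinyproxy(conf_text):
    """Return (sorted CONNECT ports, findings) for the text of a tinyproxy.conf."""
    ports, has_allow, has_auth = set(), False, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        key, args = fields[0].lower(), fields[1:]
        if key == "connectport" and args and args[0].strip('"').isdigit():
            ports.add(int(args[0].strip('"')))
        elif key == "allow":
            has_allow = True
        elif key == "basicauth":
            has_auth = True

    findings = []
    if not ports:
        # No ConnectPort line at all: Tinyproxy permits CONNECT to every port.
        findings.append("CONNECT_ANY_PORT")
    # ConnectPort 0 matches no real port, so it is not reported as an opening.
    for port in sorted(ports - TLS_DEFAULTS - {0}):
        findings.append(f"CONNECT_EXTRA_PORT:{port}")
    if not has_allow:
        # No Allow rule: client addresses are not restricted to an allow-list.
        findings.append("NO_ALLOW_RULE")
    if not has_auth:
        findings.append("NO_BASICAUTH")
    return sorted(ports), findings

# Constructed input: the directives from the snippet above.
SAMPLE = """\
ConnectPort 80
ConnectPort 443
ConnectPort 8443
ConnectPort 8080
ConnectPort 8888
Allow 127.0.0.1
Allow 192.168.1.0/24
MaxClients 50
Timeout 300
"""

if __name__ == "__main__":
    ports, findings = audit_tinyproxy(SAMPLE)
    print("CONNECT ports:", ports)
    for finding in findings:
        print("finding:", finding)
```

Each CONNECT_EXTRA_PORT finding is a port beyond 443 and 563 that any permitted client can tunnel arbitrary TCP to, so every one of them should map to a known client need.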

Remember to restart Tinyproxy after changes:

sudo systemctl restart tinyproxy
# Or for SysV init systems:
sudo service tinyproxy restart

If problems continue, check:

  1. Firewall rules allowing outbound connections from proxy
  2. SELinux/AppArmor permissions
  3. Proper Allow/Deny IP rules in config
  4. LogLevel set to Info or Connect for detailed logging

Example debug command:

tail -f /var/log/tinyproxy/tinyproxy.log | grep -i connect