Fix 3proxy HTTPS CONNECT Timeout on Ubuntu 24.04
TCP connects but HTTPS times out? Troubleshoot 3proxy logs, firewall, outbound connections. Complete guide for Ubuntu 24.04.
3proxy on Ubuntu 24.04: HTTPS CONNECT via proxy times out — port is reachable but 3proxy logs only show “Accepting connections”. What is wrong and how can I diagnose/fix it?
Configuration:
nserver 8.8.8.8
nserver 8.8.4.4
auth none
log
allow *
proxy -n -p6901
Test command and output:
curl -v -x x.x.x.x:6901 https://www.google.com
* Trying x.x.x.x:6901...
* TCP_NODELAY set
* Connected to x.x.x.x (77.42.35.66) port 6901 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
* Operation timed out after 300493 milliseconds with 0 out of 0 bytes received
* Closing connection 0
3proxy log (only line shown):
251225134121.646 6901 00000 - 0.0.0.0:6901 0.0.0.0:0 0 0 0 Accepting connections [3911/3207919296]
The TCP connection to the proxy is established, but the CONNECT request stalls and times out and no further log entries appear. What are the likely causes and how should I troubleshoot this? Specifically:
- Are there common 3proxy configuration mistakes that would accept TCP connections but not process/forward CONNECT (HTTPS) requests?
- How do I enable more detailed 3proxy logging or debugging for CONNECT/HTTPS operations?
- What network/system checks should I perform (iptables/ufw/NAT, systemd socket activation, SELinux/AppArmor, capabilities, routing)?
- How can I verify whether 3proxy attempts outbound connections (recommended tcpdump/tshark commands or filters)?
- Is the “-n” option or any other proxy options likely relevant here?
What additional information or logs should I provide to help diagnose the issue?
3proxy on Ubuntu 24.04 is accepting TCP connections but failing to process HTTPS CONNECT requests, typically due to missing HTTPS allow rules in the configuration or network connectivity issues. To resolve this timeout problem where the proxy accepts connections but doesn’t forward requests, you need to enhance logging, verify firewall rules, and check outbound network connectivity.
Contents
- Common 3proxy Configuration Mistakes
- Enhanced Logging and Debugging
- Network and System Diagnostics
- Network Verification Commands
- Proxy Configuration Options
- Additional Diagnostic Steps
- Recommended Configuration Fix
- Conclusion
Common 3proxy Configuration Mistakes
The most common reason for 3proxy to accept TCP connections but not process HTTPS CONNECT requests is a missing explicit allow rule for HTTPS in the configuration. According to the official 3proxy documentation, the proxy server must be explicitly told to handle HTTPS traffic on port 443.
In your current configuration:
nserver 8.8.8.8
nserver 8.8.4.4
auth none
log
allow *
proxy -n -p6901
The critical issue is the absence of the HTTPS rule. Without allow * * * 443 HTTPS, 3proxy will establish the TCP connection but drop the CONNECT request without forwarding it to the target server. This explains why you only see “Accepting connections” in the logs and nothing further.
Another potential mistake is having rules in the wrong order. The GitHub repository documentation emphasizes that allow rules must be placed before the proxy directive. The allow * rule is too broad and doesn’t specifically enable HTTPS tunneling.
Enhanced Logging and Debugging
To diagnose the 3proxy timeout issue, you need more detailed logging to see what’s happening with the CONNECT request. By default, 3proxy’s logging is minimal, which makes troubleshooting difficult.
First, add verbose logging to your 3proxy configuration with the logformat directive. According to the official documentation, you can include specific format characters to log CONNECT method details:
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
This format includes:
- %t - timestamp
- %R - request (e.g., CONNECT www.google.com:443)
- %r - URL
- %U - user
- %C:%c - client/server IP:port
For even more detailed debugging, run 3proxy in debug mode by adding the -d option to your proxy line:
proxy -n -d -p6901
This will provide real-time information about connection processing and request handling, helping you identify exactly where the CONNECT request is being dropped.
Network and System Diagnostics
After addressing the configuration issues, you should check several network and system components that could prevent 3proxy from establishing outbound connections:
Firewall Rules
Ubuntu 24.04 uses ufw (Uncomplicated Firewall) by default. Even if your proxy port is open, outbound connections to port 443 might be blocked. Check your firewall status:
sudo ufw status
If port 443 is not allowed outbound, add the rule:
sudo ufw allow out 443
For iptables (if you’re using it directly), check:
sudo iptables -L -v -n
Look for rules in the OUTPUT chain that might be blocking port 443.
Systemd Socket Activation
Ubuntu 24.04 uses systemd for service management. Socket activation could cause binding issues. Check if 3proxy is being started via socket activation:
systemctl status 3proxy
systemctl list-sockets | grep 3proxy
If socket activation is interfering, modify the service to disable it and run directly with the -i0.0.0.0 option to bind to all interfaces explicitly.
AppArmor and SELinux
Security modules like AppArmor might be blocking 3proxy operations. Check AppArmor status:
sudo aa-status
If AppArmor is enforcing, you may need to create a profile for 3proxy in /etc/apparmor.d/usr.bin.3proxy.
Capabilities
Verify that 3proxy has the necessary capabilities to bind to ports and make network connections:
getpcaps $(pgrep 3proxy)
This should show capabilities like cap_net_bind_service, which is required for binding to ports below 1024.
Network Verification Commands
To confirm whether 3proxy is actually attempting outbound connections, use packet capture tools like tcpdump or tshark. These commands will help you verify if CONNECT requests are being forwarded.
Basic tcpdump Command
Capture traffic on the proxy port to see if CONNECT requests are being received:
sudo tcpdump -i any -w proxy_capture.pcap port 6901
HTTPS Traffic Analysis
For detailed HTTPS CONNECT analysis, use tshark with HTTP protocol filtering:
sudo tshark -i any -f "tcp port 6901 or tcp port 443" -Y 'http.request.method == "CONNECT"' -V
This will show you:
- CONNECT requests being sent by clients
- Whether 3proxy is forwarding these requests to target servers
- Any response or lack thereof
Outbound Connection Test
Capture all outbound traffic to port 443 to see if 3proxy is actually trying to connect:
sudo tcpdump -nn -s0 -i any -w outbound.pcap 'tcp port 443 and (dst net 8.8.8.8 or dst net 1.1.1.1)'
Replace the IP addresses with your actual DNS server or target websites.
Proxy Configuration Options
The -n option in your proxy line is correctly disabling NTLM authentication, which is appropriate for your setup using auth none. This option isn’t causing the timeout issue, but it’s good practice to include it.
Other relevant proxy options to consider:
- Timeout Settings: Add timeout values to prevent indefinite hanging:
    STRING_LONG 30
- Flush Command: After making configuration changes, add:
    flush
  This clears the ACL cache and ensures new rules take effect.
- Parent Proxy: If you’re chaining through another proxy:
    allow * * * 443 HTTPS
    parent 1000 connect <upstream-proxy> 443
- DNS Server: Ensure you have proper DNS resolution:
    nscache 65536
Additional Diagnostic Steps
If the configuration fixes don’t resolve the issue, perform these additional diagnostic steps:
Process Monitoring
Monitor the 3proxy process to see if it’s actually handling connections:
strace -p $(pgrep 3proxy) -e trace=network -s 1000
This will show system calls related to network operations, including connect() attempts.
Port Binding Verification
Confirm 3proxy is properly bound to port 6901:
sudo ss -tulpn | grep 6901
netstat -tulpn | grep 6901
Connectivity Test
Test basic network connectivity from the proxy server:
curl -v https://www.google.com
telnet www.google.com 443
These tests should work independently of 3proxy to establish that outbound HTTPS connectivity is possible from the server.
Resource Usage
Check if the server has resource constraints:
free -h
df -h
top -p $(pgrep 3proxy)
Low memory or CPU could cause the proxy to drop connections.
Recommended Configuration Fix
Based on the analysis of your issue, here’s the corrected 3proxy configuration for Ubuntu 24.04:
nserver 8.8.8.8
nserver 8.8.4.4
nscache 65536
auth none
log /var/log/3proxy.log D
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
allow * * * 80 HTTP
allow * * * 443 HTTPS
flush
proxy -n -d -p6901
After making these changes:
- Restart 3proxy:
    sudo systemctl restart 3proxy
- Test the connection again with curl:
    curl -v -x x.x.x.x:6901 https://www.google.com
- Check the enhanced log file:
    tail -f /var/log/3proxy.log
The key changes are:
- Added explicit HTTP and HTTPS allow rules
- Added detailed logging with logformat
- Added flush to clear the ACL cache
- Added debug mode (-d) to the proxy line
- Specified a log file with daily rotation (D)
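For the retest, an added example (not part of the original answer): a small Python probe that sends the same CONNECT request curl does and reports which stage it reached, so that a stalled proxy, a refused request and a working tunnel are told apart without waiting for curl's 300-second timeout. The function name, the stage labels and the 10-second default timeout are assumptions of this example.

```python
import socket
import sys

def probe_connect(proxy_host, proxy_port, target="www.google.com:443", timeout=10.0):
    """Send one CONNECT through the proxy and report the stage it reached.

    tcp_failed  - proxy port unreachable (listener, bind address, inbound firewall)
    no_response - TCP accepted but no reply arrived (the symptom in the question)
    closed      - proxy closed the socket without sending a status line
    rejected    - proxy replied with a non-2xx status (ACL, auth, upstream error)
    tunnel_ok   - proxy replied 2xx, so the tunnel is established
    """
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    except OSError as exc:
        return "tcp_failed", str(exc)
    buf = b""
    with sock:
        try:
            sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii"))
            while b"\r\n" not in buf and len(buf) < 8192:
                chunk = sock.recv(4096)
                if not chunk:          # peer closed the connection
                    break
                buf += chunk
        except socket.timeout:
            return "no_response", f"no reply within {timeout}s"
        except OSError as exc:         # e.g. connection reset by the proxy
            return "closed", str(exc)
    if not buf:
        return "closed", "connection closed before any reply"
    status_line = buf.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(None, 2)
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return ("tunnel_ok" if parts[1].startswith("2") else "rejected"), status_line
    return "rejected", f"unparseable reply: {status_line!r}"

if __name__ == "__main__":
    # Usage: python3 probe_connect.py PROXY_HOST PROXY_PORT [TARGET_HOST:PORT]
    if len(sys.argv) < 3:
        print("usage: probe_connect.py PROXY_HOST PROXY_PORT [TARGET_HOST:PORT]")
    else:
        target = sys.argv[3] if len(sys.argv) > 3 else "www.google.com:443"
        stage, detail = probe_connect(sys.argv[1], int(sys.argv[2]), target)
        print(f"{stage}: {detail}")
```

A `no_response` result reproduces the stall from the question; run the probe while the tcpdump capture on port 443 is active to see whether the proxy made any outbound attempt during that window.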
Conclusion
The primary issue with your 3proxy setup on Ubuntu 24.04 is the missing explicit HTTPS allow rule, which causes the proxy to accept TCP connections but drop CONNECT requests. By adding allow * * * 443 HTTPS to your configuration and implementing enhanced logging, you can properly diagnose and resolve the timeout issue.
For optimal 3proxy performance on Ubuntu, always ensure you have:
- Proper allow rules for all protocols and ports
- Detailed logging with appropriate logformat
- Firewall rules allowing outbound connections
- Regular flushing of the ACL cache after configuration changes
If you continue to experience issues, the packet capture commands provided will help you trace exactly where the CONNECT request is being dropped in the network path.