
HTTP CONNECT Tunnel

The HTTP CONNECT method transforms an HTTP proxy into a generic TCP tunnel. Originally designed for HTTPS, CONNECT enables any TCP protocol to traverse an HTTP proxy by establishing a transparent bidirectional byte stream.

Technical Details

The HTTP CONNECT method (RFC 7231, Section 4.3.6) requests that a proxy establish a TCP tunnel to a specified host and port.

Protocol flow:

1. Client → Proxy (HTTP request):

CONNECT target.example.com:443 HTTP/1.1
Host: target.example.com:443
Proxy-Authorization: Basic dXNlcjpwYXNz

2. Proxy opens TCP connection to target.example.com:443

3. Proxy → Client (HTTP response):

HTTP/1.1 200 Connection Established
(empty line)

4. TCP tunnel is now active — proxy relays bytes bidirectionally

Key technical details:

  • The CONNECT request targets a host:port pair, not a URL path
  • After the 200 response, the HTTP protocol is no longer used on the client-proxy connection
  • The proxy acts as a TCP-level relay (no HTTP parsing of tunneled data)
  • Connection persistence: the tunnel remains open until either side closes the TCP connection
  • The proxy MAY include additional headers in its 200 response but MUST NOT include a message body
  • Failed connections return standard HTTP error codes (403 Forbidden, 502 Bad Gateway, etc.)

Security considerations:

  • CONNECT can tunnel any TCP protocol, not just HTTPS
  • Proxy administrators should restrict CONNECT to known ports (typically 443) to prevent abuse
  • The proxy sees the target hostname:port but not the data inside the tunnel
  • Proxy authentication happens before the tunnel is established (in cleartext on the client-proxy connection)

Advantages

  • Enables any TCP protocol to traverse HTTP proxy infrastructure
  • End-to-end encryption maintained — proxy cannot inspect tunneled data
  • Widely supported — built into every HTTP proxy implementation
  • No special client software needed — standard HTTP client capabilities
  • Works with existing HTTP proxy authentication mechanisms
  • Transparent to the tunneled protocol — target server sees a normal connection

Disadvantages

  • Some proxies restrict CONNECT to port 443 only
  • Initial CONNECT request and proxy auth are unencrypted
  • No UDP support — TCP tunnel only
  • Proxy cannot cache or optimize tunneled traffic
  • Tunnel establishment adds one round-trip of latency
  • Some corporate firewalls inspect CONNECT requests and may block non-443 ports

Use Cases

  1. HTTPS traffic through HTTP proxies (primary use case)
  2. WebSocket connections through corporate proxies
  3. SSH over HTTP proxy (tunneling port 22)
  4. Database connections through HTTP proxy infrastructure
  5. Any TCP protocol that must traverse an HTTP-only proxy
  6. Bypassing firewalls that allow only HTTP proxy traffic

Code Example

# cURL — implicit CONNECT (automatic for HTTPS URLs)
curl -x http://USER:PASS@gate.hexproxies.com:8080 https://api.example.com/data

# Python — CONNECT is handled automatically for HTTPS
import requests
proxies = {"https": "http://USER:PASS@gate.hexproxies.com:8080"}
response = requests.get("https://api.example.com/data", proxies=proxies)
print(response.json())

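// Node.js — explicit CONNECT tunnel with http module
const http = require('http');
const tls = require('tls');

const proxyReq = http.request({
  host: 'gate.hexproxies.com',
  port: 8080,
  method: 'CONNECT',
  path: 'api.example.com:443',
  headers: {
    'Proxy-Authorization': 'Basic ' + Buffer.from('USER:PASS').toString('base64'),
  },
});

proxyReq.on('connect', (res, socket) => {
  if (res.statusCode !== 200) {
    // Proxy refused the tunnel (e.g. 403, 502): close the socket and stop.
    console.error('CONNECT failed: ' + res.statusCode);
    socket.destroy();
    return;
  }
  // Tunnel is open: negotiate TLS with the target over the proxied socket.
  const tlsSocket = tls.connect({ socket, servername: 'api.example.com' }, () => {
    tlsSocket.write('GET /data HTTP/1.1\r\nHost: api.example.com\r\nConnection: close\r\n\r\n');
  });
  tlsSocket.on('data', (data) => console.log(data.toString()));
  tlsSocket.on('error', (err) => console.error('TLS error: ' + err.message));
});
proxyReq.on('error', (err) => console.error('Proxy connection error: ' + err.message));
proxyReq.end();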

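# SSH over HTTP CONNECT tunnel (ProxyCommand)
# ~/.ssh/config
Host remote-server
  # corkscrew <proxy-host> <proxy-port> <target-host> <target-port> [auth-file]
  # %h and %p expand to the SSH target host and port.
  # ~/.ssh/proxyauth is an example path; the file holds USER:PASS on one line.
  ProxyCommand corkscrew gate.hexproxies.com 8080 %h %p ~/.ssh/proxyauth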

The HTTP CONNECT Method Explained

The HTTP CONNECT method is a critical piece of internet infrastructure that most users never think about. Every time your browser accesses an HTTPS website through a proxy, it uses CONNECT to establish a secure tunnel. But CONNECT's capabilities extend far beyond HTTPS — it can tunnel any TCP protocol through HTTP proxy infrastructure.

Origins and Purpose

The CONNECT method was introduced to solve a specific problem: how to access HTTPS websites through an HTTP proxy. Since HTTP proxies operate at the application layer and need to read HTTP requests, they cannot process encrypted HTTPS traffic in the normal way. CONNECT provides an escape hatch — it tells the proxy to stop being an HTTP intermediary and start being a TCP relay.

How CONNECT Works Step by Step

**Step 1 — CONNECT Request**

The client sends a standard HTTP request, but instead of a resource path, it specifies a hostname and port:

CONNECT api.example.com:443 HTTP/1.1
Host: api.example.com:443
Proxy-Authorization: Basic dXNlcjpwYXNz

This is the only point where HTTP semantics are used. The proxy reads this request, authenticates the client, and decides whether to allow the tunnel.

**Step 2 — Proxy Establishes Connection**

The proxy opens a TCP connection to the target host on the specified port. If the connection succeeds, the proxy responds:

HTTP/1.1 200 Connection Established

If it fails, the proxy returns an appropriate error:

  • `403 Forbidden` — policy does not allow this tunnel
  • `502 Bad Gateway` — could not connect to the target
  • `504 Gateway Timeout` — target did not respond

**Step 3 — Transparent Relay**

After the 200 response, the proxy becomes invisible. It forwards every byte from the client to the server and vice versa, without parsing, modifying, or inspecting the data. The client and server communicate as if directly connected.
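
The boundary between Steps 2 and 3, as an added example that is not part of the original page: a client that reads the proxy's reply itself has to find the blank line that ends it and hand any bytes after it to the tunneled protocol. The function name, the `Via` header and the SSH banner in the sample are constructed for illustration.

```javascript
// Added example: find where the proxy's CONNECT reply ends in a received buffer.
function parseConnectReply(buf) {
  const end = buf.indexOf('\r\n\r\n');
  if (end === -1) return { complete: false }; // header block not fully received yet
  const lines = buf.subarray(0, end).toString('latin1').split('\r\n');
  const m = /^HTTP\/1\.[01] (\d{3})(?: (.*))?$/.exec(lines[0]);
  if (!m) throw new Error('malformed status line from proxy');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i < 1) throw new Error('malformed header from proxy');
    headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  const status = Number(m[1]);
  return {
    complete: true,
    status,
    reason: m[2] || '',
    headers,
    tunnelOpen: status >= 200 && status < 300, // any 2xx switches to tunnel mode
    // Bytes received after the blank line. On success they are already tunnel
    // data and must be passed to the tunneled protocol, not dropped.
    rest: buf.subarray(end + 4),
  };
}

// Constructed sample: the target's SSH banner arrives in the same read as the 200.
const sampleReply = Buffer.from(
  'HTTP/1.1 200 Connection Established\r\nVia: 1.1 proxy.test\r\n\r\nSSH-2.0-ExampleServer\r\n');
const parsed = parseConnectReply(sampleReply);
console.log(parsed.status, parsed.tunnelOpen, JSON.stringify(parsed.rest.toString('latin1')));
```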

Beyond HTTPS: Advanced Tunneling

While HTTPS is the primary use case for CONNECT, the method is protocol-agnostic. Any TCP protocol can be tunneled:

**WebSocket over HTTP Proxy**: WebSocket upgrade requests can be tunneled through CONNECT. The client establishes a CONNECT tunnel to the WebSocket server, then performs the WebSocket handshake inside the tunnel.

**SSH over HTTP Proxy**: In restrictive network environments that only allow HTTP proxy traffic, SSH connections can be tunneled using CONNECT to port 22. Tools like `corkscrew` and ProxyCommand automate this.

**Database Connections**: MySQL, PostgreSQL, and other database connections can traverse HTTP proxies using CONNECT tunnels, enabling database access from networks restricted to HTTP proxy egress.

Security Model

CONNECT's security model has important nuances:

1. **Pre-tunnel phase**: The CONNECT request itself, including proxy authentication credentials, travels unencrypted between client and proxy. This is the window where credentials could be intercepted on the client-to-proxy link.

2. **Tunnel phase**: Once established, the proxy cannot read tunnel contents. If TLS is negotiated inside the tunnel, the encryption is end-to-end between client and target server. The proxy is cryptographically excluded.

3. **Metadata visibility**: The proxy always sees the target hostname and port from the CONNECT request. It also sees traffic volume and timing patterns, but not content.

Port Restrictions

Many proxies restrict which ports CONNECT can target. The most common policy allows only port 443 (HTTPS). This prevents tunneling to arbitrary services but limits the flexibility of CONNECT. Hex Proxies supports CONNECT to any port, giving you full flexibility to tunnel any TCP protocol through our infrastructure.
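
A sketch of the port restriction described here and in the security considerations above, added as an example and not taken from any proxy's own code. It goes beyond the page's port rule by also rejecting IP-literal targets and applying a destination suffix allowlist; `ALLOWED_PORTS`, `ALLOWED_HOST_SUFFIXES` and both function names are hypothetical.

```javascript
// Added example: policy check for CONNECT request-targets (authority-form host:port).
// ALLOWED_PORTS and ALLOWED_HOST_SUFFIXES are hypothetical policy values.
const ALLOWED_PORTS = new Set([443]);
const ALLOWED_HOST_SUFFIXES = ['.example.com']; // constructed sample allowlist

// Split "host:port" or "[v6]:port"; returns null if it is not valid authority-form.
function parseConnectTarget(target) {
  const m = /^(?:\[([0-9A-Fa-f:.]+)\]|([A-Za-z0-9.-]+)):(\d{1,5})$/.exec(target);
  if (!m) return null;
  const port = Number(m[3]);
  if (port < 1 || port > 65535) return null;
  return { host: (m[1] || m[2]).toLowerCase(), port, isIpv6: Boolean(m[1]) };
}

// Decide the proxy's status code for one CONNECT request line.
function evaluateConnect(requestLine) {
  const parts = requestLine.trim().split(/\s+/);
  if (parts.length !== 3 || parts[0] !== 'CONNECT') {
    return { status: 400, reason: 'not a CONNECT request line' };
  }
  const t = parseConnectTarget(parts[1]);
  if (!t) return { status: 400, reason: 'target is not host:port' };
  if (!ALLOWED_PORTS.has(t.port)) {
    return { status: 403, reason: `port ${t.port} not allowed` };
  }
  const isIpLiteral = t.isIpv6 || /^\d{1,3}(\.\d{1,3}){3}$/.test(t.host);
  if (isIpLiteral) return { status: 403, reason: 'IP literals not allowed' };
  const okHost = ALLOWED_HOST_SUFFIXES.some(
    (s) => t.host === s.slice(1) || t.host.endsWith(s));
  if (!okHost) return { status: 403, reason: `host ${t.host} not allowed` };
  return { status: 200, reason: 'tunnel permitted' };
}

// Constructed sample request lines.
const samples = [
  'CONNECT api.example.com:443 HTTP/1.1',
  'CONNECT api.example.com:22 HTTP/1.1',
  'CONNECT 10.0.0.5:443 HTTP/1.1',
  'CONNECT https://api.example.com/ HTTP/1.1',
];
for (const line of samples) {
  const r = evaluateConnect(line);
  console.log(`${r.status}  ${line}  (${r.reason})`);
}
```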

Connection Lifecycle

A CONNECT tunnel persists until either the client or server closes the TCP connection, or the proxy detects an idle timeout. For long-lived connections (WebSocket, SSH sessions), ensure your proxy supports appropriate timeout configurations. Hex Proxies supports configurable keep-alive intervals for CONNECT tunnels.

Using CONNECT with Hex Proxies

When you configure an HTTP proxy with Hex Proxies and access an HTTPS URL, the CONNECT tunnel is established automatically by your HTTP client library. No special configuration is needed — the client detects the HTTPS scheme and switches to CONNECT mode.

For tunneling non-HTTPS protocols, you may need to explicitly establish a CONNECT tunnel using your client library's lower-level API or a dedicated tunneling tool. Hex Proxies supports CONNECT tunnels to any destination port with the same authentication and IP rotation features available for standard HTTP proxying.

Practical Considerations

CONNECT tunnels are stateless from the proxy's perspective — each tunnel is an independent TCP connection. If you need to route thousands of concurrent tunnels, Hex Proxies' infrastructure handles connection pooling and resource management automatically. There is no per-tunnel surcharge or special billing for CONNECT tunnels.
