The invention discloses an active detection method for HTTP tunnels. The method includes the following steps:

S1: continuously monitor the ports connected to the network until an HTTP data packet is observed, then proceed to step S2.
S2: perform static detection on the observed HTTP data packet to determine whether it conforms to the HTTP protocol standard; if so, proceed to step S3, otherwise proceed to step S6.
S3: compare the uplink flow and the downlink flow of the connection to determine whether the difference between them is greater than the threshold; if so, proceed to step S4, otherwise proceed to step S5.
S4: actively initiate detection of the target server of the connection's data packet to determine whether the target server matches the fingerprint characteristics of an HTTP server; if so, proceed to step S5, otherwise proceed to step S6.
S5: release the data packet of the connection.
S6: intercept the data packet of the connection, issue an early warning, and record a log entry.
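The decision flow of steps S2 to S6, as an added example that is not code from the patent. The regular expressions used for the static check and for the server fingerprint, the use of the absolute byte difference in S3, the `probe` callable standing in for the active detection, and all function names are assumptions.

```python
import re

# Assumed S2 static check: "METHOD target HTTP/1.x" followed by well-formed header lines.
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT) \S+ HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")
# Assumed S4 fingerprint: the probe reply begins with a valid HTTP status line.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] [1-5]\d\d( [^\r\n]*)?\r\n")


def conforms_to_http(payload: bytes) -> bool:
    """S2: static detection on the request head seen on the connection."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:  # no complete header block, e.g. raw binary sent over the port
        return False
    lines = head.split(b"\r\n")
    return bool(REQUEST_LINE.match(lines[0])) and all(
        HEADER_LINE.match(line) for line in lines[1:])


def matches_http_fingerprint(reply: bytes) -> bool:
    """S4: does the actively probed target answer like an HTTP server?"""
    return bool(STATUS_LINE.match(reply))


def classify(payload, up_bytes, down_bytes, threshold, probe):
    """Return (action, reason); action is "release" (S5) or "intercept" (S6).

    probe is a hypothetical callable that sends the active detection request
    to the target server and returns its raw reply bytes. It is only invoked
    when the flow difference exceeds the threshold.
    """
    if not conforms_to_http(payload):                  # S2 -> S6
        return "intercept", "payload does not conform to HTTP"
    if abs(up_bytes - down_bytes) <= threshold:        # S3 -> S5
        return "release", "flow difference within threshold"
    if matches_http_fingerprint(probe()):              # S4 -> S5
        return "release", "target matches HTTP server fingerprint"
    return "intercept", "target does not match HTTP server fingerprint"  # S4 -> S6


# Constructed sample: a well-formed request on a connection with lopsided flow,
# whose target answers the probe with an SSH banner instead of HTTP.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
print(classify(SAMPLE, 5_000_000, 2_000, 10_000, lambda: b"SSH-2.0-sample\r\n"))
```

The reason string returned with an "intercept" result is what S6 would write to the alert and the log.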