PerlMonks  

Oops! I spoke too fast. It's working now for HTTP, but not HTTPS.

There are basically two ways to implement a proxy for HTTPS. Either make the HTTP proxy understand and accept the CONNECT verb, or have the proxy effectively do a man-in-the-middle attack, i.e. pretend to be the proxied server, including generating a fake SSL certificate.

For CONNECT, see HTTP tunnel. As soon as the proxy has received a CONNECT line, it checks permissions, then establishes a TCP connection to the destination and forwards data in both directions, without any further inspection of the data, without caching, without anything a proxy typically does, except for not exposing the client's IP address to the server. Typically, CONNECT is restricted to connect to the default HTTPS port 443, because otherwise, it would allow bypassing the proxy for all protocols including HTTP.

For the MITM way, you need to roll out a new SSL root certificate to all clients, which is then used to create fake SSL certificates for all intercepted SSL transfers. Furthermore, the proxy has to check the SSL certificates presented by the real server, because the client won't ever see the real server's SSL certificate. This setup is not trivial, it may cause a lot of security issues, and clients implementing certificate pinning won't work.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

In reply to Re^4: Need help with HTTP::Proxy by afoken
in thread Need help with HTTP::Proxy by scorpio17
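
The CONNECT permission check described in the post above, as an added example that is not part of the original post or of HTTP::Proxy: a stand-alone Perl routine that parses the request line and permits a tunnel only to port 443. The name check_connect, the %ALLOWED_PORTS table and the sample request lines are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical policy for this example: tunnels may only go to the HTTPS port.
my %ALLOWED_PORTS = (443 => 1);

# Parse a CONNECT request line and decide whether the tunnel may be opened.
# Returns (status_code, reason) on refusal, (200, reason, host, port) on success.
sub check_connect {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;

    # CONNECT uses the authority form: host:port, no scheme and no path.
    my ($target) = $line =~ m{\ACONNECT ([^\s/]+) HTTP/1\.[01]\z}
        or return (400, 'malformed CONNECT request line');

    # Host is a bracketed IPv6 literal or a name/IPv4 address; the port is mandatory.
    my ($host, $port) =
        $target =~ m{\A(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):([0-9]{1,5})\z}
        or return (400, 'target must be host:port');

    return (400, 'port out of range') if $port < 1 || $port > 65535;

    # Without this restriction the proxy would relay any TCP protocol unseen.
    return (403, "port $port not permitted for CONNECT")
        unless $ALLOWED_PORTS{ $port + 0 };

    return (200, 'Connection established', lc $host, $port + 0);
}

# Constructed sample request lines, one per decision path.
for my $line (
    "CONNECT www.example.com:443 HTTP/1.1\r\n",
    "CONNECT mail.example.com:25 HTTP/1.1\r\n",
    "CONNECT [2001:db8::1]:443 HTTP/1.1\r\n",
    "CONNECT www.example.com HTTP/1.1\r\n",
    "GET http://www.example.com/ HTTP/1.1\r\n",
) {
    my ($code, $reason) = check_connect($line);
    (my $shown = $line) =~ s/\r\n\z//;
    printf "%-42s -> %d %s\n", $shown, $code, $reason;
}
```

Only after a 200 decision would the proxy open the TCP connection to the returned host and port and start relaying bytes in both directions.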
