proxy-mirror icon indicating copy to clipboard operation
proxy-mirror copied to clipboard
verified publisher icon miensol

Proxy HTTPS traffic without re-signing

Open Kantaris opened this issue 12 years ago • 2 comments

I'm trying to build using your code a proxy to be run on my local machine that will log all domains accessed. Kind of the same way Fiddler works, but what I need is more simple, I don't need to look at the data or decrypt anything.

I got this working fine for HTTP but for HTTPS it resigns the traffic with the self-signed certificate provided. This results in that the browser displays a warning. The same thing doesn't happen in fiddler unless you choose to decrypt HTTPS traffic.

So my question is: How do I proxy HTTPS traffic so that it is completely transparent for the web browser user?

I know it might not be possible right now, but do you think it is something that can be added in the future?

Kantaris avatar Mar 31 '14 12:03 Kantaris

I haven't thought that it would be useful to have an option to not decrypt https traffic - but now when you explained the use case it seems like a perfectly valid idea. You're right that it's not possible right now with proxy-mirror but I think it wouldn't be hard to add.

As for you question about HTTPS traffic being proxied completely transparently the answer is two fold. If you're not interested in contents of http messages just the domain where the request goes too than it should be possible to setup wait for connect event and then instead of tunnelling request to fake https server we would go to the real server. It would probably look something along these lines:

 proxyServer.addListener('connect', function (request, socketRequest, bodyhead) {
  var url = request.url; //? not sure if it will be available
  var parsed = require('url').parse(url);
  //do we have target domain in parsed?
  var srvSocket = net.connect(parsed.port, parsed.hostname, function () {
    srvSocket.write(bodyhead);
    srvSocket.pipe(socketRequest);
    socketRequest.pipe(srvSocket);
  });
});

Obviously if we wan't to inspect contents of https messages we have to use certificate with private key access to be able to decrypt traffic and this means i.e. the fake https server hoop (and even that isn't always enough because of ssl pinning).

miensol avatar Apr 01 '14 06:04 miensol

I changed the code to what you wrote above, but I get an error.

net.js:152 if (options.handle) { ^ TypeError: Cannot read property 'handle' of null at new Socket (net.js:152:14) at Object.exports.connect.exports.createConnection (net.js:93:11) at Server. (C:\Users\kantaris\Desktop\proxy-mirror-master\lib\pro xy.js:170:23) at Server.EventEmitter.emit (events.js:106:17) at Socket.socket.ondata (http.js:1986:14) at TCP.onread (net.js:527:27)

I should be able to figure out what's wrong myself but still very new to Node.js

Kantaris avatar Apr 02 '14 03:04 Kantaris