是否有可能与代理和用户之间的SSL加密转发代理？ [英] Is it possible to have a forward proxy with ssl encryption between the proxy and the user?

问题描述

首先我要澄清，我不是在谈论访问内容是能够提供使用可以使用模块mod_proxy_connect进行HTTPS原始服务器上。

First of all I want to make clear that i am not talking about accessing content which is on origin servers that deliver using https which can be done using the module mod_proxy_connect.

我要的是客户与代理之间的安全连接，也当被请求实际上是由一个不安全的标准HTTP服务器提供服务。原产地

What I want is a secured connection between the client and the proxy, also when the origin that is requested actually is served by an unsecured standard http server.

我使用的Apache 2.2和也想使这可能与Apache其是否正常工作。

I am using apache 2.2 and also would like to make this possible with apache if that works.

我嗤之以鼻使用Wireshark的一些要求，并注意以下几点：

I sniffed some requests using wireshark and noted the following:

的网址 http://example.com/file looksl IKE通常HTTP这样的：

A usual http of the url http://example.com/file looksl ike this:

到源服务器的连接：

GET /file HTTP 1.1
Host: example.com

请注意该主机信息是从实际的请求剥离和主机头改为提供（其可以在名为虚拟主机进行处理服务器端）。

Note that the host information is stripped from the actual request and the host header is supplied instead (which can be handled server side in named virtual hosts).

当请求通过代理服务器，它看起来稍有不同：

When the request goes through a proxy server it looks slightly different:

到代理服务器的连接：

GET http://example.com/file HTTP 1.1
Host: example.com

请注意，该请求行现在实际上包含了完整的URL包括协议和主机名。
主机头可能是多余的，如果公交车我读了RFC正确它是由需要HTTP 1.1。

Note that the request line now actually contains the full url including protocol and hostname. The host header is probably redundant, bus if I read the RFC correctly it is required by HTTP 1.1.

所以我认为有关设置Apache网络服务器侦听端口443，启用了SSL的发动机和证书了一个虚拟主机，不绑定任何主机名。

So I think about setting up an apache webserver listening on port 443, enable a virtualhost with ssl engine and certificates up and do not bind it to any hostname.

我觉得应该获得Apache说话SSL，但却证书公用名称不匹配的连接线到proxys服务器IP地址specfie​​d主机。

I think that should get apache to talk ssl, but however the certificates common name will not match the host specfied in the connect line to the proxys server ip adress.

是我想向甚至有可能与目前的标准，如果是这样我该怎么办呢？

Is what I want to to even possible with current standards and if so how can I do it?

推荐答案

是的，当然，这就是HTTPS代理的。

Yes of course, that's what HTTPS proxy is.

客户端通过SSL连接到代理服务器，在文本发送给代理的命令。

Client connects to proxy over SSL, sends commands to proxy in text.

也可以使用HTTP连接到建立内部SSL连接到HTTPS代理HTTPS连接，尽管不是所有的客户端都支持这一点：

It is also possible to use HTTP CONNECT to establish HTTPS connection "inside" the SSL connection to HTTPS proxy, though not all clients support this:

HTTPS connection over HTTPS proxy
client           proxy           server
ssl    \-------/   ssl
connect---------200 OK
ssl  \---------------------------/ ssl
data-------------------------------data
     /---------------------------\
       /-------\



HTTP connection over HTTPS proxy
client           proxy           server
ssl    \-------/   ssl
GET http://server/ ->
                       GET / 
                       Host: server ->
                       <---------OK, data
<--------------OK, data
       /-------\

这篇关于是否有可能与代理和用户之间的SSL加密转发代理？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！