HTTPS connections over proxy servers

Problem description

Is it possible to have HTTPS connections over proxy servers? If yes, what kind of proxy server allows this?

Duplicate of: How to use Socks 5 proxy with Apache HTTP Client 4?

Recommended answer

TLS/SSL (The S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies. Normally, you use CONNECT to open up a TCP connection through the proxy. In this case, the proxy will not be able to cache, read, or modify any requests/responses, and therefore be rather useless.

If you want the proxy to be able to read information, you can take the following approach:

  1. Client starts HTTPS session
  2. Proxy transparently intercepts the connection and returns an ad-hoc generated (possibly weak) certificate Ka, signed by a certificate authority that is unconditionally trusted by the client.
  3. Proxy starts HTTPS session to target
  4. Proxy verifies integrity of SSL certificate; displays error if the cert is not valid.
  5. Proxy streams content, decrypts it and re-encrypts it with Ka
  6. Client displays stuff

An example is Squid's SSL bump. Similarly, Burp can be configured to do this. This has also been used in a less-benign context by an Egyptian ISP.

Note that modern websites and browsers can employ HPKP or built-in certificate pins which defeat this approach.
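
The CONNECT case described in the answer, as an added example that is not part of the original answer: a client asks a toy proxy for a tunnel, and the proxy records everything it can observe (the `CONNECT host:port` line and a byte count) before relaying the rest unparsed. The names `open_tunnel`, `toy_proxy` and `demo`, the target `example.com:443`, and the payload (a constructed stand-in, not real TLS) are assumptions for illustration.

```python
import socket
import threading

def read_head(sock):
    """Read an HTTP message head; return (head text, bytes after the blank line)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before end of headers")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head.decode("latin-1"), rest

def open_tunnel(proxy_sock, host, port):
    """Client side: ask the proxy for a raw TCP tunnel to host:port."""
    target = f"{host}:{port}"
    proxy_sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
    head, rest = read_head(proxy_sock)
    status_line = head.split("\r\n")[0]
    if status_line.split(" ")[1:2] != ["200"]:
        raise ConnectionError(f"proxy refused tunnel: {status_line}")
    return rest  # any bytes the target already sent through the tunnel

def toy_proxy(client_sock, upstream_sock, seen):
    """Proxy side (toy, one direction): log the CONNECT line, then relay blindly."""
    head, rest = read_head(client_sock)
    seen["method"], seen["target"], _ = head.split("\r\n")[0].split(" ", 2)
    client_sock.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    data = rest or client_sock.recv(4096)
    while data:
        upstream_sock.sendall(data)  # forwarded unparsed: no caching or rewriting
        seen["relayed"] = seen.get("relayed", 0) + len(data)
        data = client_sock.recv(4096)
    upstream_sock.close()  # propagate the client's EOF to the target

def demo():
    client, proxy_c = socket.socketpair()   # client <-> proxy
    proxy_u, server = socket.socketpair()   # proxy <-> target (stand-in)
    seen = {}
    t = threading.Thread(target=toy_proxy, args=(proxy_c, proxy_u, seen))
    t.start()
    open_tunnel(client, "example.com", 443)
    payload = b"\x16\x03\x01" + b"constructed stand-in for TLS records"
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)
    got = server.makefile("rb").read()      # read until the proxy closes
    t.join()
    return seen, got == payload
```

Calling `demo()` returns the proxy's view and whether the bytes arrived unmodified; in a real deployment the relayed bytes would be TLS records, so the proxy's log holds only the target host and port.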
