HTTPS proxy server only works in SwitchOmega


Problem description

I did quite a lot of searching and practical trials before asking this question.

Long story:

I found a (non-English) tutorial about how to write an http proxy with Node.js.

So far what I've known and tried:

  • An HTTP proxy can handle both HTTP requests and HTTPS requests, but in different ways. It handles an HTTP request by reading the client's request, making a new request to the target and returning the response to the client. As for an HTTPS request, it's dealt with by an HTTP tunnel.

  • The SSL proxy field in Firefox proxy settings and the Secure field in IE proxy settings (Windows) are all about setting the HTTP tunnel. If an SSL proxy or Secure proxy is set, when a browser wants to connect to an https site, it sends a CONNECT request instead of an ordinary request.

Problems:

The CONNECT request is plain text, so firewalls can see what host I want to connect to and cut the connection. So I was thinking whether I can use https to talk to the proxy server from the very beginning. I read all related posts, but couldn't find an answer directly talking about this. And some answers also say "There's no such thing as a https proxy server".

But the tutorial says this can be done (HTTPS between client and proxy server and nothing else changes). So I gave it a try. I changed the server into https with my website's certificate. But eventually it only works with Proxy SwitchOmega in Chrome. It doesn't work in traditional settings like in Firefox proxy or IE proxy settings.

Proxy SwitchOmega setting:

Scheme|Protocol|Server|Port
....  | https  | .... |...

I have to select the https protocol here if I start the https server. Similarly, I have to select the http protocol if I start the http server. Also I don't know what this protocol field stands for.


To sum it up:

proxy server | Firefox proxy setting | work? | SwitchOmega setting | work? |
http         | http + ssl setting    | yes   | protocol http       | yes   |
https        | http + ssl setting    | no    | protocol https      | yes   |
https        | -                     | -     | protocol http       | no    |


So my questions are:

  1. Can I connect to the https proxy server through the ordinary way (without an extension)? If possible, how?
  2. Why can I connect to the https proxy server through SwitchOmega?
  3. I think I built an https proxy server. But why are others saying that "There's no such thing as a https proxy server"?


Source code

https server

var http = require('http');
var https = require('https');
var fs = require('fs');
var net = require('net');
var url = require('url');

console.log("qqqqq2");

function request(cReq, cRes) {
    console.log("request=====start");
    console.log(cReq.headers);
    console.log(cReq.url);
    console.log(cReq.method);
    console.log("request=====end");
    var u = url.parse(cReq.url);

    var options = {
        hostname : u.hostname, 
        port     : u.port || 80,
        path     : u.path,       
        method     : cReq.method,
        headers     : cReq.headers
    };

    var pReq = http.request(options, function(pRes) {
        cRes.writeHead(pRes.statusCode, pRes.headers);
        pRes.pipe(cRes);
    }).on('error', function(e) {
        cRes.end();
    });

    cReq.pipe(pReq);
    // console.log(cReq.headers);
    // console.log(cReq.method);
    // console.log(cReq.url);
    // console.log("^_^^_^^_^^_^^_^^_^");
    // cRes.writeHead('200');
    // cRes.end('hello world2222\n');
}

function connect(cReq, cSock) {
    console.log("connect=====start");
    console.log(cReq.headers);
    console.log(cReq.url);
    console.log(cReq.method);
    console.log("connect=====end");
    var u = url.parse('http://' + cReq.url);

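    // Open a raw TCP connection to the requested host:port and relay bytes both ways.
    var pSock = net.connect(u.port, u.hostname, function() {
        // Tell the client the tunnel is up; the status line and blank line end with CRLF.
        cSock.write('HTTP/1.1 200 Connection Established\r\n\r\n');
        pSock.pipe(cSock);
    }).on('error', function(e) {
        cSock.end();
    });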

    cSock.pipe(pSock);
}

var options = {
    key: fs.readFileSync('./privkey1.pem'),
    cert: fs.readFileSync('./fullchain1.pem')
};

https.createServer(options)
    .on('request', request)
    .on('connect', connect)
    .listen(9999, '0.0.0.0');

http server

var http = require('http');
var net = require('net');
var url = require('url');

console.log('qqqqq2');

function request(cReq, cRes) {
    console.log("request=====start");
    console.log(cReq.headers);
    console.log(cReq.url);
    console.log(cReq.method);
    console.log("request=====end");

    var u = url.parse(cReq.url);

    var options = {
        hostname : u.hostname, 
        port     : u.port || 80,
        path     : u.path,       
        method     : cReq.method,
        headers     : cReq.headers
    };

    var pReq = http.request(options, function(pRes) {
        cRes.writeHead(pRes.statusCode, pRes.headers);
        pRes.pipe(cRes);
    }).on('error', function(e) {
        cRes.end();
    });

    cReq.pipe(pReq);
}

function connect(cReq, cSock) {
    console.log("connect=====start");
    console.log(cReq.headers);
    console.log(cReq.url);
    console.log(cReq.method);
    console.log("connect=====end");
    var u = url.parse('http://' + cReq.url);

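    // Open a raw TCP connection to the requested host:port and relay bytes both ways.
    var pSock = net.connect(u.port, u.hostname, function() {
        // Tell the client the tunnel is up; the status line and blank line end with CRLF.
        cSock.write('HTTP/1.1 200 Connection Established\r\n\r\n');
        pSock.pipe(cSock);
    }).on('error', function(e) {
        cSock.end();
    });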

    cSock.pipe(pSock);
}

http.createServer()
    .on('request', request)
    .on('connect', connect)
    .listen(9999, '0.0.0.0');


Test Server

You can easily build a http proxy server and test it. But it may be cumbersome to build a https proxy server, because you need to deploy certificates. So a https proxy test server is provided, based on the code above.

Test server is deleted since I've found the answer.

Solution

I found the answer in Security StackExchange: "Is it possible to connect to a proxy with an ssl (or otherwise encrypted) connection?"

From https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection :

Encrypted browser-Squid connection

While HTTPS design efforts were focused on end-to-end communication, it would also be nice to be able to encrypt the browser-to-proxy connection (without creating a CONNECT tunnel that blocks Squid from accessing and caching content). This would allow, for example, a secure use of remote proxies located across a possibly hostile network.

Squid can accept regular proxy traffic using https_port in the same way Squid does it using an http_port directive. Unfortunately, popular modern browsers do not permit configuration of TLS/SSL encrypted proxy connections. There are open bug reports against most of those browsers now, waiting for support to appear. If you have any interest, please assist browser teams with getting that to happen.

...

Chrome

The Chrome browser is able to connect to proxies over SSL connections if configured to use one in a PAC file or command line switch. GUI configuration appears not to be possible (yet).

Firefox

The Firefox 33.0 browser is able to connect to proxies over TLS connections if configured to use one in a PAC file. GUI configuration appears not to be possible (yet), though there is a config hack for embedding PAC logic.

More information related to Chrome can be found in http://dev.chromium.org/developers/design-documents/secure-web-proxy.


To answer the questions:

  1. Can I connect to the https proxy server through the ordinary way (without an extension)? If possible, how?

The traditional way (e.g. the Manual proxy configuration field in Firefox) to set an http proxy server is for HTTP proxy servers only. One can only set an https proxy via pac files (e.g. the Automatic proxy configuration URL field in Firefox).

  2. Why can I connect to the https proxy server through SwitchOmega?

The SwitchOmega extension in fact generates a pac file for Chrome to use, though how it interacts with Chrome is so far unknown to me.

By clicking the Export PAC button in SwitchOmega, I get a file that contains:

var FindProxyForURL = function(init, profiles) {
    return function(url, host) {
        "use strict";
        var result = init, scheme = url.substr(0, url.indexOf(":"));
        do {
            result = profiles[result];
            if (typeof result === "function") result = result(url, host, scheme);
        } while (typeof result !== "string" || result.charCodeAt(0) === 43);
        return result;
    };
}("+test", {
    "+test": function(url, host, scheme) {
        "use strict";
        if (/^127\.0\.0\.1$/.test(host) || /^::1$/.test(host) || /^localhost$/.test(host)) return "DIRECT";
        return "HTTPS myHttpsProxyServer.com:9999"; // This line matters
    }
});

From https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file:

HTTP host:port
    The specified proxy should be used
HTTPS host:port
    The specified HTTPS proxy should be used

  3. I think I built an https proxy server. But why are others saying that "There's no such thing as a https proxy server"?

Yes, I built an https proxy server/an http proxy server over a TLS connection. Those who say "There's no such thing as a https proxy server" are wrong.
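
The `connect` handler in the question's source relays to whatever host and port the client names, and the server listens on 0.0.0.0 without authentication. As an added example (not code from the original post), this is one way to gate that handler: require `Proxy-Authorization`, allow only chosen ports, and refuse internal destinations both before and after DNS resolution. The names `decideConnect`, `isInternal`, `ALLOWED_PORTS`, `CREDENTIALS` and `REPLY`, the sample credentials and the port list are assumptions.

```javascript
// Added example: policy gate for the question's CONNECT handler (hypothetical names).
const net = require('net');
const dns = require('dns');
const crypto = require('crypto');

const ALLOWED_PORTS = new Set([443]);            // assumption: only HTTPS tunnels are wanted
const CREDENTIALS = 'alice:constructed-secret';  // constructed sample credentials
const REPLY = { 400: '400 Bad Request', 403: '403 Forbidden',
  407: '407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="proxy"' };
const sha = (x) => crypto.createHash('sha256').update(x).digest();

// True for unspecified, loopback, private and link-local IP literals.
function isInternal(addr) {
  if (net.isIPv4(addr)) {
    const [a, b] = addr.split('.').map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  const h = addr.toLowerCase();  // IPv6: ::, ::1, fc00::/7, fe80::/10, IPv4-mapped
  return h === '::' || h === '::1' || /^f[cd]/.test(h) || /^fe[89ab]/.test(h) || h.startsWith('::ffff:');
}

// Decide on a CONNECT request before any outbound socket is opened.
function decideConnect(headers, authority) {
  const cred = /^Basic ([A-Za-z0-9+/=]+)$/i.exec(headers['proxy-authorization'] || '');
  const ok = cred && crypto.timingSafeEqual(sha(Buffer.from(cred[1], 'base64')), sha(CREDENTIALS));
  if (!ok) return { status: 407 };
  const m = /^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(\d{1,5})$/.exec(authority || '');
  if (!m) return { status: 400 };
  const host = m[1].replace(/^\[|\]$/g, ''), port = Number(m[2]);
  if (!ALLOWED_PORTS.has(port)) return { status: 403 };
  if (host.toLowerCase() === 'localhost' || (net.isIP(host) && isInternal(host))) return { status: 403 };
  return { status: 200, host, port };
}

// Replacement 'connect' listener: resolve once, re-check, then dial the checked address.
function connect(cReq, cSock) {
  const d = decideConnect(cReq.headers, cReq.url);
  if (d.status !== 200) return cSock.end(`HTTP/1.1 ${REPLY[d.status]}\r\n\r\n`);
  dns.lookup(d.host, (err, address) => {
    if (err || isInternal(address)) return cSock.end('HTTP/1.1 403 Forbidden\r\n\r\n');
    const pSock = net.connect(d.port, address, () => {
      cSock.write('HTTP/1.1 200 Connection Established\r\n\r\n');
      pSock.pipe(cSock);
      cSock.pipe(pSock);
    });
    pSock.on('error', () => cSock.end());
    cSock.on('error', () => pSock.destroy());
  });
}
```

Basic credentials in `Proxy-Authorization` are only base64-encoded, so they are protected on the client-to-proxy hop only when that hop is TLS, as with the HTTPS proxy set through a PAC file above.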
