HTTPS connections over proxy servers

Problem description

Is it possible to have HTTPS connections over proxy servers? If yes, what kind of proxy server allows this?

Recommended answer

TLS/SSL (the S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies. Normally, you use CONNECT to open up a TCP connection through the proxy. In this case, the proxy will not be able to cache, read, or modify the connection, and is therefore useless.

If you want the proxy to be able to read information, you can take the following approach:


  1. Client starts HTTPS session
  2. Proxy transparently intercepts the connection and returns an ad-hoc generated (possibly weak) certificate Ka, signed by a certificate authority that is unconditionally trusted by the client.
  3. Proxy starts HTTPS session to target
  4. Proxy verifies integrity of SSL certificate; displays error if the cert is not valid.
  5. Proxy streams content, decrypts it and re-encrypts it with Ka
  6. Client displays stuff

An example is Squid's SSL bump. Similarly, Burp can be configured to do this. This has also been used in a less-benign context by an Egyptian ISP.

Note that modern websites and browsers can employ HPKP or built-in certificate pins which defeat this approach.
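
The CONNECT exchange the answer describes, as an added example that is not part of the original answer: a minimal proxy parses the CONNECT request, answers 200, and from then on copies bytes without parsing them, so all it learns is the target host and port. The host `example.test`, the function names and the stand-in TLS record are constructed for illustration, and `socket.socketpair()` replaces the two real TCP links so the code runs offline.

```python
import socket
import threading

def parse_connect(head: bytes):
    """Return (host, port) from a CONNECT request head, or None if malformed."""
    try:
        method, target, version = head.split(b"\r\n", 1)[0].decode("ascii").split(" ")
        host, _, port = target.rpartition(":")
        if method != "CONNECT" or not host or not version.startswith("HTTP/1."):
            return None
        return host, int(port)
    except ValueError:  # wrong field count, non-ASCII bytes, non-numeric port
        return None

def read_head(sock) -> bytes:
    buf = b""  # read one byte at a time so no tunnel data is consumed
    while not buf.endswith(b"\r\n\r\n") and (byte := sock.recv(1)):
        buf += byte
    return buf

def pump(src, dst):  # blind relay: bytes are copied, never parsed
    while data := src.recv(4096):
        dst.sendall(data)
    dst.shutdown(socket.SHUT_WR)

def proxy(client, upstream, log):
    log["target"] = parse_connect(read_head(client))  # all the proxy learns
    if log["target"] is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        return
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    back = threading.Thread(target=pump, args=(upstream, client))
    back.start()
    pump(client, upstream)
    back.join()

def demo():
    (client, p_client), (p_up, server) = socket.socketpair(), socket.socketpair()
    log = {}
    t = threading.Thread(target=proxy, args=(p_client, p_up, log))
    t.start()
    client.sendall(b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n\r\n")
    status = read_head(client).split(b"\r\n")[0]
    hello = b"\x16\x03\x01\x00\x04ABCD"  # constructed stand-in for a TLS record
    client.sendall(hello)
    at_server = server.recv(len(hello), socket.MSG_WAITALL)
    client.shutdown(socket.SHUT_WR)
    server.shutdown(socket.SHUT_WR)
    t.join()
    return status, log["target"], at_server
```

Calling `demo()` returns the proxy's status line, the target the proxy logged, and the bytes that reached the server end unchanged.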
