本地HTTPS代理可能吗? [英] Local HTTPS proxy possible?
问题描述
TL; DR
我想设置一个本地HTTPS代理,可以( LOCALLY )修改我的HTML页面内容机。这可能吗?
动机
我使用了名为 GlimmerBlocker 多年。它始于2008年,作为一种基于代理的方法来阻止广告(与浏览器扩展或其他特定于OS X的黑客一样,如InputManagers)。但除了阻止广告外,它还允许用户将自己的CSS或JavaScript注入页面。开发已经严重放缓,但它仍然非常有用。
唯一的问题是它没有做HTTPS(从其常见问题解答):
广告https页面未被阻止
当Safari使用代理获取https页面时,它并不真正使用http协议,而是使用隧道tcp连接所以Safari接收加密的字节。优点是任何中间代理都不能修改或读取页面内容,也不能修改URL。缺点是,GlimmerBlocker无法修改内容。即使GlimmerBlocker试图以中间人的身份工作并对内容进行解码/编码,它也无法告诉Safari信任它,也无法告诉Safari网站证书是否有效,因此Safari会认为您访问过一个可疑的网站。
幸运的是,大多数广告提供商都不会切换到https,因为使用https的服务页面速度要慢得多,并且会对广告提供商服务器产生巨大的处理开销。
早在2008年,也许最后一部分是真的......但不再是。
要明确的是,我认为越来越多地使用SSL是一件好事。我只是希望在它到达我的结束后取回对内容的控制。
混淆点
在寻找解决方案时,我对一些明显矛盾的观点感到困惑。
(另外,虽然我对网页语言很有经验,但我总是很难在网络和协议上工作。在那个问题上,对不起,如果我错过了一些明显的东西!)
-
我发现此StackOverflow问题询问是否可以使用HTTPS代理。最好的答案是TLS / SSL(HTTPS中的S)保证您和您正在联系的服务器之间没有窃听者,即没有代理。(相同的答案然后描述了黑客攻击它,但我不理解说明。无论如何,这是非常理论化的。)
-
在OS X中网络首选项▶︎高级...▶︎代理,显然有一个HTTPS代理设置。这似乎与之前的声明相矛盾,即TLS / SSL对窃听的保证意味着代理人无法做到。
其他的事情注意
-
我不记得在哪里,但我读到可以设置一个HTTPS代理,但是它使HTTPS毫无意义(通过破坏过程中的安全通信)。 我不想要这个!加密很好。我不想过滤其他人的流量;我只是想要在之后自定义内容我已收到它。
-
GlimmerBlocker有一个很好的GUI界面,但我对非GUI解决方案也很好。我可能对网络和协议了解不多,但我对命令行非常熟悉,在文本编辑器中调整设置等等。
我问的是可能的吗?或者我的问题是要么你获得安全性,要么你可以用黑客破解它并定制你的内容 - 但不能同时 -
HTTP代理的常见想法是接受包含目标主机名和端口的CONNECT请求的服务器,然后只构建到目标服务器的隧道。所有https都在隧道内完成,因此代理无法修改它(从浏览器到Web服务器的端到端安全性)。
To修改你需要拥有一个扮演中间人的代理所需的数据。在这种情况下,您在代理和Web服务器之间建立了https连接,在浏览器和代理之间建立了另一个https连接。在代理和Web服务器之间使用原始服务器证书,而在浏览器和代理之间使用新创建的证书,该证书由特定于代理的CA签名。当然,这个CA必须作为受信任导入到浏览器中,否则它会一直抱怨可能的攻击。</ p>
当然 - 原始服务器证书的所有验证必须在代理中完成,并非所有解决方案都以正确的方式执行此操作。另请参见 http://www.secureworks.com/cyber-threat-情报/威胁/传递信任/
有几种代理解决方案可以执行此SSL拦截,如squid,mitmproxy(python)或App :: HTTP_Proxy_IMP(perl)。最后两个是专门设计的,允许您使用自己的代码修改内容,因此这些可能是开始的好地方。
TL;DR
I want to set up a local HTTPS proxy that can (LOCALLY) modify the content of HTML pages on my machine. Is this possible?
Motivation
I have used an HTTP Proxy called GlimmerBlocker for years. It started in 2008 as a proxy-based approach to blocking ads (as opposed to browser extensions or other OS X-specific hacks like InputManagers). But besides blocking ads, it also allows the user to inject their own CSS or JavaScript into the page. Development has seriously slowed, but it remains incredibly useful.
The only problem is that it doesn’t do HTTPS (from its FAQ):
Ads on https pages are not blocked
When Safari fetches an https page using a proxy, it doesn't really use the http protocol, but makes a tunneled tcp connection so Safari receives the encrypted bytes. The advantage is that any intermediate proxies can't modify or read the contents of the page, nor the URL. The disadvantage is, that GlimmerBlocker can't modify the content. Even if GlimmerBlocker tried to work as a middleman and decoded/encoded the content, it would have no means of telling Safari to trust it, nor to tell Safari if the websites certificate is valid, so Safari would think you have visited a dubious website.
Fortunately, most ad-providers are not going to switch to https as serving pages using https are much slower and would have a huge processing overhead on the ad-providers servers.
Back in 2008, maybe that last part was true…but not any more.
To be clear, I think the increasing use of SSL is a good thing. I just want to get back the control I had over the content after it arrives on my end.
Points of Confusion
While searching for a solution, I’ve become confused by some apparently contradictory points.
(Also, although I’m quite experienced with the languages of web pages, I’ve always had a difficult time grokking networks and protocols. On that note, sorry if I’m missing something that is way obvious!)
I found this StackOverflow question asking whether HTTPS proxies were possible. The best answer says that "TLS/SSL (The S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies." (The same answer then described a hack to pull it off, but I don’t understand the instructions. It was very theoretical, anyway.)
In OS X under Network Preferences ▶︎ Advanced… ▶︎ Proxies, there is clearly a setting for an HTTPS proxy. This seems to contradict the previous statement that TLS/SSL’s guarantee against eavesdropping implies the impossibility of proxies.
Other things of note
I can’t remember where, but I read that it is possible to set up an HTTPS proxy, but that it makes HTTPS pointless (by breaking the secure communication in the process). I don’t want this! Encryption is good. I don’t want to filter anyone else’s traffic; I just want something to customize the content after I’ve already received it.
GlimmerBlocker has a nice GUI interface, but I’m fine with non-GUI solutions, too. I may have a poor understanding of networking and protocols, but I’m perfectly comfortable on the command line, tweaking settings in text editors, and so on.
Is what I’m asking possible? Or is my question a case of "either you get security, or you can break it with hacks and get to customize your content—but not both"?
The common idea of a HTTP proxy is a server which accepts a CONNECT request which includes the target hostname and port and then just builds a tunnel to the target server. All the https is done inside the tunnel, so there is no way for the proxy to modify it (end-to-end security from browser to web server).
To modify the data you need to have a proxy which plays man-in-the-middle. In this case you have a https connection between the proxy and the web server and another https connection between the browser and the proxy. Between proxy and web server the original server certificate is used, while between browser and proxy a newly created certificate is used, which is signed by a CA specific to the proxy. Of course this CA must be imported as trusted into he browser, otherwise it would complain all the time about possible attacks.
Of course - all the verification of the original server certificate has to be done in the proxy now, and not all solutions do this the correct way. See also http://www.secureworks.com/cyber-threat-intelligence/threats/transitive-trust/
There are several proxy solution which might do this SSL interception, like squid, mitmproxy (python) or App::HTTP_Proxy_IMP (perl). The last two are specifically designed to let you modify the content with your own code, so these might be good places to start.
这篇关于本地HTTPS代理可能吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
