Our environment requires that all requests to the public internet go through a proxy that uses HTTP tunneling (HTTP Connect). I have a service from a vendor that is not able to use an HTTP Connect proxy.
My plan is to set up a transparent proxy that the service can send traffic to, which will redirect traffic to the HTTP Connect proxy.
service -> transparent proxy -> http connect proxy -> public internet
Is it possible to redirect this traffic without decrypting and re-encrypting the HTTPS request? I won't be able to install any custom certs on the initial service to allow this (and I don't want to view the contents of the HTTP messages anyway). Also, are there any proxies that are made specifically to do this, or will I need to write my own?
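One way the relay in the question can work without touching the TLS session, shown as an added example that is not part of the original post or of any existing proxy product: it reads the destination name from the cleartext SNI field of the client's first TLS record, requests a CONNECT tunnel for that name, and replays the record byte for byte. The function names are hypothetical, and the sketch assumes the ClientHello fits in one TLS record, carries an SNI, and that the relay copies bytes in both directions once `open_tunnel` returns.

```python
import re, socket, struct

def extract_sni(rec: bytes):
    """Return the server_name from a cleartext TLS ClientHello record, else None."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:          # handshake record, ClientHello
            return None
        p = 43                                        # record+handshake hdr, version, random
        p += 1 + rec[p]                               # session_id
        p += 2 + struct.unpack_from("!H", rec, p)[0]  # cipher_suites
        p += 1 + rec[p]                               # compression_methods
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, p)
            if etype == 0:                            # server_name extension
                n = struct.unpack_from("!H", rec, p + 7)[0]
                name = rec[p + 9:p + 9 + n].decode("ascii")
                # Client-controlled: hostname characters only, so no CR/LF reaches CONNECT.
                ok = len(name) == n and re.fullmatch(r"[A-Za-z0-9.-]{1,253}", name)
                return name.lower() if ok else None
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def open_tunnel(hello: bytes, upstream: socket.socket, port: int = 443) -> bool:
    """Ask the CONNECT proxy for a tunnel, then replay the untouched ClientHello."""
    host = extract_sni(hello)
    if host is None:
        return False                                  # no usable SNI: refuse, do not guess
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    upstream.sendall(req.encode("ascii"))
    head = b""                                        # read byte-wise, never past the header
    while not head.endswith(b"\r\n\r\n") and len(head) < 8192 and (c := upstream.recv(1)):
        head += c
    if not (head.endswith(b"\r\n\r\n") and re.match(rb"HTTP/1\.[01] 2\d\d[ \r]", head)):
        return False                                  # proxy refused or sent garbage
    upstream.sendall(hello)                           # same bytes the client sent
    return True                                       # caller now copies bytes both ways

def sample_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension (sample input)."""
    name = host.encode()
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(sni)) + sni
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The relay only ever sees the host name and the encrypted byte stream, so no certificate has to be installed on the vendor service.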
Related
I'm using mitmproxy to intercept traffic. HTTP traffic is being intercepted, but HTTPS traffic is not being intercepted for some reason (?)
Using the default config with the command
mitmweb
Web server listening at http://127.0.0.1:8081/
Proxy server listening at http://*:8080
My proxy config:
Do I have to set a new config? Any help?
If you want to intercept HTTPS traffic, you have to install the certificate generated by MITM through http://mitm.it after you set your proxy.
After you visit http://mitm.it, download your certificate according to your operating system. Then restart mitmproxy to check HTTPS traffic.
However, some traffic is protected using certificate pinning, so mitmproxy cannot intercept it. For example, the Twitter app or the Instagram app.
References:
https://docs.mitmproxy.org/stable/concepts-certificates/
https://docs.mitmproxy.org/stable/howto-ignoredomains/
I need to put a web proxy in place to log user activity at work after a recent incident. My first thought was Squid proxy but after some research it seems that https requests are a total nightmare. These days more sites are https than http so I need to log both. Can anyone recommend a proxy server or otherwise to pass all http and https requests through to log?
Thanks
Squid can very well handle HTTP as well as HTTPS traffic. How you should configure Squid depends on how you want to configure the clients (I mean the browsers).
In general, the Squid proxy server can be configured to listen for both HTTP and HTTPS traffic on a specific port (3128 by default), and clients can be configured manually or using DHCP Option 252 + WPAD (Web Proxy Auto-Discovery Protocol).
Alternatively, Squid can be configured in transparent mode, intercepting the traffic on your network; in this case Squid will listen on different ports for HTTP and HTTPS traffic.
Shahnawaz
Is there any difference between an HTTP tunnel and an HTTP proxy?
In some software I see two fields for the proxy: HTTP and HTTP tunnel.
I see the traffic of some HTTP proxy, but I can't understand the difference between an HTTP proxy and an HTTP tunnel.
The terms are often intermixed; tunnel providers are called proxies.
Originally, tunneling is the technique of using one protocol to transport data inside another protocol.
A proxy (as in proxy representative)
A proxy acts as an intermediary. It will hide your IP address from the destination (unless it adds it in an HTTP header field such as "Forward"). A proxy uses the same protocol throughout; it can alter the network flow, do caching or security scanning, etc. So it's more of an extra hop on the way to the destination.
For example, you can use a SOCKS proxy as an HTTP tunnel, i.e. you transport HTTP over it. This is due to the fact that SOCKS is a protocol that is designed to tunnel IP packets.
To add to the confusion, you can use an HTTP proxy to transport some other protocols such as FTP.
A good example of a tunnel is a VPN. Tunnels are often used to evade censorship or firewall rules blocking traffic.
If UDP is blocked, I need to enable HTTP(s) fallback with the Aspera Connect plugin through HAProxy. Has anyone successfully done this? I have read all the documentation, but there is nothing that describes the HAProxy use case.
I assume you are talking about a client-side forward proxy.
If you use the IBM Aspera Connect Client, it comes with HTTP (forward) proxy configuration.
http://download.asperasoft.com/download/docs/connect/3.9.6/user_osx/webhelp/index.html#dita/network_environment.html
This will work when the client falls back to HTTP.
Note that the client will fall back to HTTP only if this feature is enabled on the server side.
You can see that by examining the parameters provided to the client by the browser (put in dev mode). In that case, it has http parameters (port).
Typically, parameter: https_fallback_port
If not, then there is no possible HTTP fallback, and it will not use the (forward) proxy.
If you are talking about a reverse proxy in front of a server configured with fallback, this is part of the (public) documentation of the IBM Aspera Proxy.
There are several different approaches to security for web proxying:
No security. Client connects to proxy with HTTP, makes GET request (proxy probably uses HTTP to reach destination).
HTTPS connection to proxy, then GET request. Encryption only between proxy and client.
HTTP to proxy, CONNECT tunnel to destination (host named in clear-text), letting client HTTPS to destination. Security-wise, seems equivalent to direct HTTPS.
HTTPS to proxy, CONNECT tunnel to destination, then HTTPS to destination. (E.g., so that not even the destination host name metadata can be eavesdropped on an untrusted local network like public wifi.)
My question is about the final case. Is there any standard or RFC that describes it?
Does/must the content get double-encrypted or not? That is, on the client side, should the proxy simply forward the raw data stream (without manipulation) after the CONNECT is established, or should it still continue applying its (now-redundant) secure wrapper?