I have set the decrypt HTTPS option in the Fiddler2 and so it shows the timeline for HTTPS requests.
But not able to see timeline of HTTP connect tunnel requests. Any way to enable this.
There's not much of a "timeline" to show for a CONNECT tunnel itself. Are you looking to see the timings of the HTTPS requests inside the tunnel? If so, enable HTTPS Decryption in Fiddler's options, and select the HTTPS requests rather than the tunnel itself.
Related
Our environment requires that all requests to the public internet go through a proxy that uses HTTP tunneling (HTTP Connect). I have a service from a vendor that is not able to use an HTTP Connect proxy.
My plan is to set up a transparent proxy that the service can send traffic to, which will redirect traffic to the HTTP Connect proxy.
service -> transparent proxy -> http connect proxy -> public internet
Is it possible to redirect this traffic without decrypting and re-encrypting the HTTPS request? I won't be able to install any custom certs on the initial service to allow this (and I don't want to view the contents of the HTTP messages anyway). Also, are there any proxies that are made specifically to do this, or will I need to write my own?
I'm trying to set up a proxy server on my local mac.
http - seems to work.
But Safari is not connecting via https.
Did I miss something?
No it doesn't. You need to specify a separate https port and a ssl certificate, as documented in the squid config:
The socket address where Squid will listen for client requests made
over TLS or SSL connections. Commonly referred to as HTTPS.
This is most useful for situations where you are running squid in
accelerator mode and you want to do the TLS work at the accelerator
level.
You may specify multiple socket addresses on multiple lines, each
with their own certificate and/or options.
The tls-cert= option is mandatory on HTTPS ports.
See http_port for a list of modes and options.
http://www.squid-cache.org/Doc/config/https_port/
By design, it is quite hard to intercept https traffic:
When a browser creates a direct secure connection with an origin
server, there are no HTTP CONNECT requests. The first HTTP request
sent on such a connection is already encrypted. In most cases, Squid
is out of the loop: Squid knows nothing about that connection and
cannot block or proxy that traffic.
You also need to load the proxy settings for the browser as a PAC file, otherwise the browsers won't connect or throw a certificate warning:
Chrome The Chrome browser is able to connect to proxies over SSL
connections if configured to use one in a PAC file or command line
switch. GUI configuration appears not to be possible (yet).
More details at
http://dev.chromium.org/developers/design-documents/secure-web-proxy
Firefox The Firefox 33.0 browser is able to connect to proxies over
TLS connections if configured to use one in a PAC file. GUI
configuration appears not to be possible (yet), though there is a
config hack for embedding PAC logic.
There is still an important bug open:
Using a client certificate authentication to a proxy:
https://bugzilla.mozilla.org/show_bug.cgi?id=209312
https://wiki.squid-cache.org/Features/HTTPS
HTTP proxy with SSL and DNS support.
I must be lacking some key concepts about proxy-ing because I cannot grasp this. I am looking to run a simply http or https proxy without interfering with SSL. Simply, a fully transparent proxy that can passthrough all the traffic to the browser connected via HTTP or HTTPS proxy without modifying or intercepting any packets. Not able to find any code online or I'm not using the right keywords.
EX. On the browser adding server.someVPN.com:80 on the HTTP proxy field and as soon as you try to visit a website, it prompts for authentication. Then it works perfectly with any domain, any security, any ssl, no further steps needed. Most VPN providers have this.
How's this possible? it even resolves DNS itself. I thought on transparent proxy the dns relies on the client. Preferably looking for a nodeJS solution but any lang works.
Please don't propose any solutions such as SOCKS5 or sock forwarding or DNS overriding or CA based MITM. According to HTTP 1.1 which supports 'CONNECT' this should be easy.
Not looking to proxy specific domains, looking for an all inclusive solution just like most VPN Providers providers.
----Found the answer too quickly, feel free to delete this post/question admins.
The way it works is that the browser knows it is talking to a proxy server, so for example if the browser want to connect to htttp://www.example.com it sends a CONNECT www.example.com:443 HTTP/1.1 to the proxy server, the proxy server resolves wwww.example.com via DNS and then opens a TCP connection to wwww.example.com port 443 and proxies the TCP stream transparently to the client.
I don't know any solution for nodejs. Common proxy servers include Squid, Privoxy and Apache Traffic Server
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT
Found the solution right after I asked...
This module works perfectly https://github.com/mpangrazzi/harrier
Does exactly what I was asking for.
If UDP is blocked, i need to enable HTTP(s) fallback with aspera connect plugin thru HAProxy. Has anyone successfully done this ? I have read all the documentation but there is nothing that describes the HAProxy use case
I assume you talk about a client side forward proxy.
If you use the IBM Aspera Connect Client, it comes with HTTP (forward) proxy configuration.
http://download.asperasoft.com/download/docs/connect/3.9.6/user_osx/webhelp/index.html#dita/network_environment.html
This will work when the client falls back to HTTP.
Note that the client will fallback to HTTP only if this feature is enabled on the server side.
You can see that by examining the parameters provided to the client by the browser (put in dev mode). In that case, it has http parameters (port).
Typically, parameter: https_fallback_port
If not, then there is no possible http fallback, and it will not use the (forward) proxy.
If you are talking about reverse proxy in front of a server configured with fallback, this is part of the (public) documentation of the IBM Aspera Proxy.
To access some websites that I need to test I need to plugin some specific proxies on firefox. However when I set my proxy through firefox or any browser, fiddler doesnt capture anymore request, due that it also uses its own proxy to get the requests. Is there any way I could capture traffic using fiddler while at the same time Im using an external proxy using any browser?
Fiddler allows you to chain to an upstream proxy, so traffic first goes to Fiddler, then goes from Fiddler to another proxy.
Fiddler will automatically chain to any proxy configured in Internet Explorer.
To manually chain to a different proxy, in Fiddler, click Tools > Fiddler Options and go to the Gateway tab. Specify the desired upstream proxy there.