问题描述
是否可以通过代理服务器建立 HTTPS 连接?如果是,什么样的代理服务器允许这样做?
Is it possible to have HTTPS connections over proxy servers? If yes, what kind of proxy server allows this?
重复如何使用Socks 5使用 Apache HTTP 客户端 4 代理?
推荐答案
TLS/SSL(HTTPS 中的 S)保证您和您正在联系的服务器之间没有窃听者,即没有代理.通常,您使用 CONNECT
打开通过代理建立 TCP 连接.在这种情况下,代理将无法缓存、读取或修改任何请求/响应,因此毫无用处.
TLS/SSL (The S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies. Normally, you use CONNECT
to open up a TCP connection through the proxy. In this case, the proxy will not be able to cache, read, or modify any requests/responses, and therefore be rather useless.
如果希望代理能够读取信息,可以采取以下方式:
If you want the proxy to be able to read information, you can take the following approach:
- 客户端启动 HTTPS 会话
- 代理透明地拦截连接并返回一个临时生成的(可能弱) 证书 Ka,由证书颁发机构签署这是无条件信任的客户.
- 代理启动 HTTPS 会话到目标
- 代理验证 SSL 的完整性证书;显示错误,如果证书无效.
- 代理流式传输内容,对其进行解密并重新加密它Ka
- 客户端显示内容
- Client starts HTTPS session
- Proxy transparently intercepts the connection andreturns an ad-hoc generated(possiblyweak) certificate K,signed by a certificate authoritythat is unconditionally trusted bythe client.
- Proxy starts HTTPS session to target
- Proxy verifies integrity of SSLcertificate; displays error if thecert is not valid.
- Proxy streams content, decrypts itand re-encrypts it withK
- Client displays stuff
一个例子是 Squid 的 SSL 碰撞.类似地,可以配置 burp 来执行此操作.这也是 埃及 ISP 在不太友好的环境中使用.
An example is Squid's SSL bump. Similarly, burp can be configured to do this. This has also been used in a less-benign context by an Egyptian ISP.
请注意,现代网站和浏览器可以使用 HPKP 或 内置证书 pin 可以阻止这种方法.
Note that modern websites and browsers can employ HPKP or built-in certificate pins which defeat this approach.
这篇关于通过代理服务器的 HTTPS 连接的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!