本地HTTPS代理可能吗

本地HTTPS代理可能吗

关注
发信
关注(28)粉丝(399)

本地HTTPS代理可能吗?

本文介绍了本地HTTPS代理可能吗?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

TL; DR



我想设置一个本地HTTPS代理,可以( LOCALLY )修改我的HTML页面内容机。这可能吗?



动机



我使用了名为多年。它始于2008年,作为一种基于代理的方法来阻止广告(与浏览器扩展或其他特定于OS X的黑客一样,如InputManagers)。但除了阻止广告外,它还允许用户将自己的CSS或JavaScript注入页面。开发已经严重放缓,但它仍然非常有用。



唯一的问题是它没有做HTTPS():

早在2008年,也许最后一部分是真的......但不再是。



要明确的是,我认为越来越多地使用SSL是一件好事。我只是希望在它到达我的结束后取回对内容的控制。





混淆点



在寻找解决方案时,我对一些明显矛盾的观点感到困惑。



(另外,虽然我对网页语言很有经验,但我总是很难在网络和协议上工作。在那个问题上,对不起,如果我错过了一些明显的东西!)




  • 我发现询问是否可以使用HTTPS代理。最好的答案是TLS / SSL(HTTPS中的S)保证您和您正在联系的服务器之间没有窃听者,即没有代理。(相同的答案然后描述了黑客攻击它,但我不理解说明。无论如何,这是非常理论化的。)


  • 在OS X中网络首选项▶︎高级...▶︎代理,显然有一个HTTPS代理设置。这似乎与之前的声明相矛盾,即TLS / SSL对窃听的保证意味着代理人无法做到。




其他的事情注意




  • 我不记得在哪里,但我读到可以设置一个HTTPS代理,但是它使HTTPS毫无意义(通过破坏过程中的安全通信)。 我不想要这个!加密很好。我不想过滤其他人的流量;我只是想要在之后自定义内容我已收到它。


  • GlimmerBlocker有一个很好的GUI界面,但我对非GUI解决方案也很好。我可能对网络和协议了解不多,但我对命令行非常熟悉,在文本编辑器中调整设置等等。






我问的是可能的吗?或者我的问题是要么你获得安全性,要么你可以用黑客破解它并定制你的内容 - 但不能同时 -

解决方案

HTTP代理的常见想法是接受包含目标主机名和端口的CONNECT请求的服务器,然后只构建到目标服务器的隧道。所有https都在隧道内完成,因此代理无法修改它(从浏览器到Web服务器的端到端安全性)。



To修改你需要拥有一个扮演中间人的代理所需的数据。在这种情况下,您在代理和Web服务器之间建立了https连接,在浏览器和代理之间建立了另一个https连接。在代理和Web服务器之间使用原始服务器证书,而在浏览器和代理之间使用新创建的证书,该证书由特定于代理的CA签名。当然,这个CA必须作为受信任导入到浏览器中,否则它会一直抱怨可能的攻击。

当然 - 原始服务器证书的所有验证必须在代理中完成,并非所有解决方案都以正确的方式执行此操作。另请参见



有几种代理解决方案可以执行此SSL拦截,如squid,mitmproxy(python)或App :: HTTP_Proxy_IMP(perl)。最后两个是专门设计的,允许您使用自己的代码修改内容,因此这些可能是开始的好地方。


TL;DR

I want to set up a local HTTPS proxy that can (LOCALLY) modify the content of HTML pages on my machine. Is this possible?

Motivation

I have used an HTTP Proxy called GlimmerBlocker for years. It started in 2008 as a proxy-based approach to blocking ads (as opposed to browser extensions or other OS X-specific hacks like InputManagers). But besides blocking ads, it also allows the user to inject their own CSS or JavaScript into the page. Development has seriously slowed, but it remains incredibly useful.

The only problem is that it doesn’t do HTTPS (from its FAQ):

Back in 2008, maybe that last part was true…but not any more.

To be clear, I think the increasing use of SSL is a good thing. I just want to get back the control I had over the content after it arrives on my end.

Points of Confusion

While searching for a solution, I’ve become confused by some apparently contradictory points.

(Also, although I’m quite experienced with the languages of web pages, I’ve always had a difficult time grokking networks and protocols. On that note, sorry if I’m missing something that is way obvious!)

  • I found this StackOverflow question asking whether HTTPS proxies were possible. The best answer says that "TLS/SSL (The S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, i.e. no proxies." (The same answer then described a hack to pull it off, but I don’t understand the instructions. It was very theoretical, anyway.)

  • In OS X under Network Preferences ▶︎ Advanced… ▶︎ Proxies, there is clearly a setting for an HTTPS proxy. This seems to contradict the previous statement that TLS/SSL’s guarantee against eavesdropping implies the impossibility of proxies.

Other things of note

  • I can’t remember where, but I read that it is possible to set up an HTTPS proxy, but that it makes HTTPS pointless (by breaking the secure communication in the process). I don’t want this! Encryption is good. I don’t want to filter anyone else’s traffic; I just want something to customize the content after I’ve already received it.

  • GlimmerBlocker has a nice GUI interface, but I’m fine with non-GUI solutions, too. I may have a poor understanding of networking and protocols, but I’m perfectly comfortable on the command line, tweaking settings in text editors, and so on.

Is what I’m asking possible? Or is my question a case of "either you get security, or you can break it with hacks and get to customize your content—but not both"?

解决方案

The common idea of a HTTP proxy is a server which accepts a CONNECT request which includes the target hostname and port and then just builds a tunnel to the target server. All the https is done inside the tunnel, so there is no way for the proxy to modify it (end-to-end security from browser to web server).

To modify the data you need to have a proxy which plays man-in-the-middle. In this case you have a https connection between the proxy and the web server and another https connection between the browser and the proxy. Between proxy and web server the original server certificate is used, while between browser and proxy a newly created certificate is used, which is signed by a CA specific to the proxy. Of course this CA must be imported as trusted into he browser, otherwise it would complain all the time about possible attacks.

Of course - all the verification of the original server certificate has to be done in the proxy now, and not all solutions do this the correct way. See also http://www.secureworks.com/cyber-threat-intelligence/threats/transitive-trust/

There are several proxy solution which might do this SSL interception, like squid, mitmproxy (python) or App::HTTP_Proxy_IMP (perl). The last two are specifically designed to let you modify the content with your own code, so these might be good places to start.

这篇关于本地HTTPS代理可能吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-05 12:11
Powered by LMLPHP ©2024 本地HTTPS代理可能吗 0.040177