bettercap http https proxy no CA - http

I am currently working on a proxy. The software I use is 'Bettercap'. Personally, I like squid more, because it's able to handle caching, and that makes things way faster.
The goal is to let https traffic pass through the proxy with no change, but inject a little js snippet in http content.
It should not be that complicated, so SSL strip and HSTS bypass are not a must-have. Am I able to let the cache never expire, so that even when the proxy is turned off the script works?
How do I split the traffic up, so that no CA must be installed?
Alternatively, I could build a landing page to require the user to install the CA...
Thanks for your help!

Related

How can I disable HTTPS/SSL on a specific page in Meteor?

On one of the pages on my website, I need to have an iFrame that often displays content from http sites. I haven't found a way to display that information on my https page.
After looking around, I think the best solution might be to remove https from some of those pages. Is that possible in Meteor using Iron Router or some other tool? Or is there any way to make the iframe content display?
Meteor does not support HTTPS by itself. The way to do it is to place a component in front of Meteor (like haproxy or nginx) that will perform the SSL offloading and send plain HTTP requests to Meteor. So the SSL connection is actually between the browser and the proxy in front, let's assume it is nginx. nginx will then forward all requests to Meteor as http.
As such, Meteor is not necessarily aware that https traffic is happening. Therefore you do not need to adjust anything inside Meteor or with Iron Router. Unfortunately there is no way to trick browsers into accepting http iFrames inside https sites, even if you were to tinker with nginx settings.
Your options are to either include the external content on your server and proxy it (you could configure nginx to proxy the request to an external site and talk http to that data provider and serve https to the browser, just like you would for the Meteor server) or somehow bring the content into your Meteor app to serve it by itself.
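The layout this answer describes, written out as an nginx configuration. This is an added example, not part of the original posts; the hostnames, the Meteor port 3000 and the certificate paths are assumptions, and serving the proxied third-party content from its own hostname is a choice made here so that it does not share the app's origin.

```nginx
# Added example. All hostnames, ports and file paths are assumptions.
# Place inside the http {} context.

# Meteor's live-data connection upgrades to WebSocket; pass that through.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# TLS is terminated here; Meteor only ever sees plain HTTP on loopback.
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;

    location / {
        proxy_pass         http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        $connection_upgrade;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# The external http-only content, re-served over https so the iframe is
# not blocked as mixed content. A separate hostname keeps the third-party
# pages in a different origin from the app (no shared cookies or storage).
server {
    listen 443 ssl;
    server_name embed.example.com;
    ssl_certificate     /etc/nginx/tls/embed.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/embed.example.com.key;

    location / {
        proxy_pass       http://content-provider.example;
        proxy_set_header Host content-provider.example;
    }
}
```

The hop from nginx to the content provider is still unencrypted, so the https padlock on the embedding page says nothing about the integrity of what the iframe shows.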

Nginx - Allow requests from IP range with no header set

I'm trying to use nginx behind a Compute Engine http load balancer. I would like to allow Health Check requests to come through a port unauthorized and all other requests to be authorized with basic auth.
The Health Check requests come from IP block: 130.211.0.0/22. If I see requests coming from this IP block with no X-forwarded-for header, then it is a health check from the load balancer.
I'm confused on how to set this up with nginx.
Have you tried using Nginx header modules? Googling around I found these:
HttpHeadersMoreModule
Headers
There's also a similar question here.
Alternative. In the past I worked with a software (RT), which had thought of this possibility in the software itself, providing a subdirectory for unauthorized access (/noauth/). Maybe your software might have the same, and you could configure GCE health check to point to something like /noauth/mycheck.html.
Please remember that headers can be easily forged, so an attacker who knows your vulnerability could access your server without auth.
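One way to express the rule from the question in nginx itself, as an added example that is not part of the original posts. The backend address, the password file path and the realm string are assumptions; the IP block is the one given in the question.

```nginx
# Added example. Backend, htpasswd path and realm text are assumptions.
# Place inside the http {} context.

# 1 when the TCP peer address ($remote_addr) is inside the health-check
# block from the question. This is the connection's source address, not
# a value read from a request header.
geo $from_lb_range {
    default         0;
    130.211.0.0/22  1;
}

# Auth is switched off only for the exact combination
# "peer in range" + "X-Forwarded-For absent or empty".
# Every other request gets the Basic auth realm.
map "$from_lb_range:$http_x_forwarded_for" $auth_realm {
    default  "Restricted";
    "1:"     off;
}

server {
    listen 80;

    location / {
        auth_basic            $auth_realm;            # "off" disables auth
        auth_basic_user_file  /etc/nginx/.htpasswd;   # assumed path
        proxy_pass            http://127.0.0.1:8080;  # assumed backend
    }
}
```

The exemption is only as strong as the source-address check: if the realip module rewrites `$remote_addr` from a header, or hosts outside the load balancer can reach this port directly, the bypass condition becomes client-controlled, so restrict the port to the load balancer at the firewall.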

How to configure squid to be a Transparent proxy?

I am working with Squid Proxy Server, as I have also used Cyberoam, SonicWall and ClearOS.
I want to set up my own proxy like the above products, i.e. authentication in a transparent proxy.
Actually, I set up a transparent proxy, but at that time my HTTPS sites were not working. Then I configured one iptables rule that redirects all http & https traffic to 3128 (squid port) only. But here I can access all my https websites, but I can't block them.
My requirement is that when I access any website for the first time, it will ask me for authentication, and only then can I access the internet. In the log reports I can also show the username, and one more thing: it should also be possible on a thin client (terminal service).
Can anybody help me sort out this problem?
Proxy authentication doesn't work in transparent proxy setups. The browser should have the proxy configured to catch the authentication request from a proxy and to request the credentials from a user.
Another thing is that you can create a transparent proxy for HTTPS. Why? Because when the browser connects, it's connected to the proxy, not the real server. The browser will try to negotiate SSL, which is a thing that Squid won't support. There are tricks to do this, but you'll break the SSL security, the browser will complain, etc. There is one tool that I used to get this working: u2nl, but it's a hack that tunnels HTTPS through the proxy.
The best option is to use a non-transparent proxy. If you want to avoid browser configuration, have a look at WPAD.
As said before, you can't really block HTTPS sites with Squid, and you can't really use authentication with the proxy running in its transparent mode.
As far as I could use and configure it, you can use an external acl to force a kind of login, but the login requests will not be treated by the proxy; you can work it with some Perl.
And about the HTTPS thing, you could work it with some hacks, but it is a very sensitive question, because the server performance will be punished with this kind of use and you could be pointed at as a fraudulent service, which isn't cool... Believe me.

A proxy that acts as a man-in-the-middle between my tool (which only supports http) and https sites?

I've got a tool which I need to use with a https site, but it only supports http. I need some kind of proxy tool that can work as a man in the middle between my tool and the https site, making the requests seem like http to the tool. The connection would look like this:
Tool -> HTTP -> Proxy -> HTTPS -> Site -> HTTPS -> Proxy -> HTTP -> Tool
Does anyone know of a tool or something I can set up that will work for this purpose? I've already asked in a few IRC channels and searched Google, but I was honestly not sure how to word it when searching Google, and not sure which channel to ask in via IRC.
Any help would be greatly appreciated!
Fiddler (www.fiddler2.com) has this capability; you can change the URL from HTTP to HTTPS on the fly.
Try cURL. If your tool works with stdin/out, you can pipe your tool's stdin/out through curl. Also there is the library (libcurl) that you can use from within your code, if needed.
WebScarab might do it for you. It can act as a man-in-the-middle and you can alter requests on the fly.
Got any objection to an entire copy of Apache httpd with mod_proxy operating as a reverse proxy? Plausible instructions here.
"Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code."
There is also a guide on their site to wrap HTTP requests with Stunnel.
Looks like this SSL MITM proxy can do exactly what you're asking.
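The Tool -> HTTP -> Proxy -> HTTPS -> Site chain from the question, as an added nginx configuration that is not taken from any of the posts above (nginx stands in for the reverse-proxy role the answers give to Apache mod_proxy or Stunnel). The name `site.example`, the local port and the CA bundle path are assumptions.

```nginx
# Added example. site.example, port 8080 and the CA bundle path
# are assumptions.
server {
    # Plain-HTTP side: bound to loopback only, so the unencrypted hop
    # never leaves the machine the tool runs on.
    listen 127.0.0.1:8080;

    location / {
        # HTTPS side: nginx opens the TLS connection to the real site.
        proxy_pass       https://site.example;
        proxy_set_header Host site.example;

        # Send SNI and check the certificate against this name.
        proxy_ssl_server_name on;
        proxy_ssl_name        site.example;

        # nginx does not verify upstream certificates unless told to;
        # without these lines the HTTPS leg accepts any certificate.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Rewrite absolute redirects so the tool stays on the HTTP side.
        proxy_redirect https://site.example/ http://127.0.0.1:8080/;
    }
}
```

The tool is then pointed at `http://127.0.0.1:8080/`; anything that can connect to that port gets the same access to the site as the tool, which is why the listener stays on loopback.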

Need some help with HTTPS, certificates and signing

I am quite new to HTTPS and cannot get my head around it.
Can someone suggest good starting point for learning about HTTPS, certificates and signing?
Possibly with a working example in ASP.NET with IIS.
If all you are trying to do is have your site in HTTPS there is no code needed. All you need to do is set IIS to serve pages with HTTPS.
If that is all you want, you are better off asking this question in http://www.serverfault.com.
To get you started, here's a link on how to set up HTTPS in IIS 7: http://learn.iis.net/page.aspx/144/how-to-setup-ssl-on-iis-70/
HTTPS is just normal HTTP traffic that is encrypted using SSL/TLS. The protocol is fairly straightforward. I wrote a detailed blow-by-blow of what happens at the start of a connection on my blog: The First Few Milliseconds of an HTTPS Connection.
It's unfortunate that the APIs built on top of the protocol are often much more complicated.