本地HTTPS代理可能吗?
[英]Local HTTPS proxy possible?
问题描述
TL;DR 
TL; DR
I want to set up a local HTTPS proxy that can ( LOCALLY ) modify the content of HTML pages on my machine. 我想设置一个本地HTTPS代理,该代理可以( 本地 )修改计算机上HTML页面的内容。 Is this possible? 这可能吗?
Motivation 动机
I have used an HTTP Proxy called GlimmerBlocker for years. 多年来,我一直在使用名为GlimmerBlocker的HTTP代理。 It started in 2008 as a proxy-based approach to blocking ads (as opposed to browser extensions or other OS X-specific hacks like InputManagers). 它始于2008年,是一种基于代理的阻止广告的方法(与浏览器扩展或其他OS X特定的黑客(例如InputManagers)相对)。 But besides blocking ads, it also allows the user to inject their own CSS or JavaScript into the page. 但是,除了阻止广告外,它还允许用户向页面注入自己的CSS或JavaScript。 Development has seriously slowed, but it remains incredibly useful. 发展已经严重放缓,但仍然非常有用。
The only problem is that it doesn't do HTTPS ( from its FAQ ): 唯一的问题是它不执行HTTPS( 从其FAQ中进行 ):
Ads on https pages are not blocked
When Safari fetches an https page using a proxy, it doesn't really use the http protocol, but makes a tunneled tcp connection so Safari receives the encrypted bytes.
Fortunately, most ad-providers are not going to switch to https as serving pages using https are much slower and would have a huge processing overhead on the ad-providers servers.
Back in 2008, maybe that last part was true…but not any more. 早在2008年,也许最后一部分是正确的……但现在不再是。
To be clear, I think the increasing use of SSL is a good thing. 需要明确的是,我认为越来越多地使用SSL是一件好事。 I just want to get back the control I had over the content after it arrives on my end. 我只想找回对内容的控制权。
Points of Confusion 困惑点
While searching for a solution, I've become confused by some apparently contradictory points. 在寻找解决方案时,我被一些明显矛盾的观点弄糊涂了。
(Also, although I'm quite experienced with the languages of web pages, I've always had a difficult time grokking networks and protocols. On that note, sorry if I'm missing something that is way obvious!) (此外,尽管我对网页语言有相当的经验,但我一直很难浏览网络和协议。因此,如果我缺少明显的东西,抱歉!)
I found this StackOverflow question asking whether HTTPS proxies were possible.
我发现了这个StackOverflow问题,询问是否可以使用HTTPS代理。 The best answer says that “TLS/SSL (The S in HTTPS) guarantees that there are no eavesdroppers between you and the server you are contacting, ie no proxies.” (The same answer then described a hack to pull it off, but I don't understand the instructions. It was very theoretical, anyway.) 最好的答案是:“ TLS / SSL(HTTPS中的S)确保您与要连接的服务器之间没有窃听者,也就是没有代理。”(然后,相同的答案描述了将其窃取的技巧,但我不理解说明。无论如何,这都是很理论的。) In OS X under Network Preferences ▶︎ Advanced… ▶︎ Proxies , there is clearly a setting for an HTTPS proxy.
在OS X的“ 网络首选项”▶︎高级…▶︎代理下 ,显然有HTTPS代理的设置。 This seems to contradict the previous statement that TLS/SSL's guarantee against eavesdropping implies the impossibility of proxies. 这似乎与先前的说法相反,TLS / SSL的防止窃听的保证暗示了代理的不可能。
Other things of note 其他注意事项
I can't remember where, but I read that it is possible to set up an HTTPS proxy, but that it makes HTTPS pointless (by breaking the secure communication in the process).
我不记得在哪里,但是我读到可以设置HTTPS代理,但是它使HTTPS毫无意义(通过破坏过程中的安全通信)。 I don't want this! 我不要这个! Encryption is good. 加密是好的。 I don't want to filter anyone else's traffic; 我不想过滤其他人的流量; I just want something to customize the content after I've already received it. 我只想在收到内容后自定义内容。 GlimmerBlocker has a nice GUI interface, but I'm fine with non-GUI solutions, too.
GlimmerBlocker有一个不错的GUI界面,但是我也很喜欢非GUI解决方案。 I may have a poor understanding of networking and protocols, but I'm perfectly comfortable on the command line, tweaking settings in text editors, and so on. 我可能对网络和协议了解甚少,但是我在命令行,调整文本编辑器中的设置等方面非常满意。
Is what I'm asking possible? 我要问的可能吗? Or is my question a case of “either you get security, or you can break it with hacks and get to customize your content—but not both”? 还是我的问题是“要么获得安全性,要么可以通过黑客破解安全性并自定义您的内容,但不能同时做到这两者”?
1 个解决方案
解决方案1
2 2014-07-01 14:32:40
The common idea of a HTTP proxy is a server which accepts a CONNECT request which includes the target hostname and port and then just builds a tunnel to the target server. HTTP代理的通常想法是服务器接受包含目标主机名和端口的CONNECT请求,然后仅建立到目标服务器的隧道。 All the https is done inside the tunnel, so there is no way for the proxy to modify it (end-to-end security from browser to web server). 所有https都在隧道内完成,因此代理无法修改它(从浏览器到Web服务器的端到端安全性)。
To modify the data you need to have a proxy which plays man-in-the-middle. 要修改数据,您需要有一个扮演中间人的代理。 In this case you have a https connection between the proxy and the web server and another https connection between the browser and the proxy. 在这种情况下,代理与Web服务器之间具有https连接,浏览器与代理之间具有另一个https连接。 Between proxy and web server the original server certificate is used, while between browser and proxy a newly created certificate is used, which is signed by a CA specific to the proxy. 在代理和Web服务器之间使用原始服务器证书,而在浏览器和代理之间使用新创建的证书,该证书由特定于代理的CA签名。 Of course this CA must be imported as trusted into he browser, otherwise it would complain all the time about possible attacks. 当然,必须以信任的方式将此CA导入浏览器,否则它将一直抱怨可能的攻击。
Of course - all the verification of the original server certificate has to be done in the proxy now, and not all solutions do this the correct way. 当然-原始服务器证书的所有验证现在都必须在代理中完成,并且并非所有解决方案都以正确的方式进行。 See also http://www.secureworks.com/cyber-threat-intelligence/threats/transitive-trust/ 另请参见http://www.secureworks.com/cyber-threat-intelligence/threats/transitive-trust/
There are several proxy solution which might do this SSL interception, like squid, mitmproxy (python) or App::HTTP_Proxy_IMP (perl). 有几种代理解决方案可以执行此SSL拦截,例如squid,mitmproxy(python)或App :: HTTP_Proxy_IMP(perl)。 The last two are specifically designed to let you modify the content with your own code, so these might be good places to start. 最后两个经过专门设计,可让您使用自己的代码修改内容,因此这些可能是一个不错的起点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.