如何(手动)拦截自定义消息并将其返回给发出HTTPS请求的浏览器
[英]How do I (manually) intercept and return a custom message to a browser making a HTTPS request
问题描述
I am creating a 'firewall' type device (ie sitting in the middle of a communication) that in some cases need to intercept a HTTPS request and return a message to the client browser (like eg : sorry this is blocked). 
我正在创建“防火墙”类型的设备(即,坐在通信中间),在某些情况下,该设备需要拦截HTTPS请求并将消息返回给客户端浏览器(例如:抱歉,此操作被阻止)。
I can do this for HTTP by redirecting (with iptables DNAT) to another port on the device where netcat is listening: while true; 我可以通过将iptables DNAT重定向(使用iptables DNAT)到netcat正在侦听的设备上的另一个端口来进行HTTP操作: do echo -e "HTTP/1.1 200 OK\\n\\nsorry this is blocked"|nc -l -p 8000; 做echo -e“ HTTP / 1.1 200 OK \\ n \\ nsorry这被阻止” | nc -l -p 8000; done DONE
(so nc is listening on port 8000 and returning a normal code 200 reply. Could of course also be some other return code like 403 Forbidden etc.) (因此nc正在侦听端口8000并返回正常代码200答复。当然也可能是其他一些返回代码,例如403 Forbidden等。)
But what to do for HTTPS? 但是,对于HTTPS怎么办? The whole thing is encapsulated in SSL/TLS and if intercepted the browser will just display a message that the secure connection failed. 整个内容封装在SSL / TLS中,如果被拦截,浏览器将仅显示一条消息,说明安全连接失败。 I tried responding with a HTTP 307 Temporary Redirect with a Location pointing to http://127.0.0.1 (which would then give the above message). 我尝试使用HTTP 307临时重定向(其位置指向http://127.0.0.1)进行响应(然后会给出以上消息)。 But the browser doesn't like this. 但是浏览器并不喜欢这样。
I need to display some sort of customized message (not necessarily HTML). 我需要显示某种定制的消息(不一定是HTML)。 I realize that it would be a huge security issue if a HTTPS request could be changed to HTTP, thus stripping the security without the client noticing, but can a popup message or something not be forced in the client? 我意识到如果将HTTPS请求更改为HTTP,从而在不通知客户端的情况下剥离安全性,那将是一个巨大的安全性问题,但是可以在客户端中不强制弹出消息或执行某些操作吗? Or at least a standard code like '403 Forbidden'..? 还是至少有一个标准代码,例如“ 403 Forbidden”。 Is there something in the SSL or TLS protocols that I can (ab)use? 我可以(滥用)使用SSL或TLS协议中的某些内容吗?
Thanks. 谢谢。
1 个解决方案
解决方案1
0 已采纳 2016-11-18 10:27:32
So you are developing a transparent proxy. 因此,您正在开发透明代理。 When it comes to HTTPS traffic every proxy has the choice: 对于HTTPS流量,每个代理都可以选择:
- Pass it without decryption 通过它而不解密
- Block it completely 完全封锁
- Perform a man-in-the-middle attack for getting access to the content 进行中间人攻击以访问内容
If you performing the man-in-the-middle attack and the client does not trust the certificate used by the proxy it will get a certificate warning. 如果您执行中间人攻击,并且客户端不信任代理使用的证书,则会收到证书警告。 You can not send anything HTTP related to the client because SSL/TLS already fails to establish the tunnel. 您无法发送与客户端有关的任何HTTP,因为SSL / TLS已经无法建立隧道。 No tunnel means that you will not be able to transmit a single "HTTP byte" (this also means that you can not redirect the client somewhere else). 没有隧道意味着您将无法传输单个“ HTTP字节”(这也意味着您无法将客户端重定向到其他地方)。
And on SSL/TLS level there is AFAIK no way to send a custom message. 在SSL / TLS级别上,AFIAK无法发送自定义消息。 The "TLS alert message" only allows pre-defined constant values . “ TLS警报消息”仅允许预定义的常量值 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.