
I've built a proxy with some logic on request headers.

I use sockets. Before even any connect occurs, inside my proxy I parse headers, add authentication and forward the request to the target host.

And now I've stumbled upon the following issues:

  1. I have to relay HTTPS requests
  2. I don't need any body manipulations, I just need to modify headers the same way, forward CONNECT to target, receive an answer and return to source socket.

Questions:

Do I need a CA on the proxy side? Do I need to use SslStream to forward and receive the request?

If so, what could be the algorithm?

Dmitry Dyachkov

1 Answer

The SSL handshake comes after the CONNECT request and its response. If you only need to manipulate the CONNECT request you can simply forward the data after the handshake between the peers, e.g. no SSL interception which means no SSLStream and no CA. But, if you need to manipulate the HTTP headers of the requests inside the HTTPS connection (GET, POST...) you have to do SSL interception (e.g. man-in-the-middle with your own proxy CA and SSLStream).

Steffen Ullrich
  • I just add values to cookies. – Dmitry Dyachkov Apr 05 '14 at 13:13
  • The cookies are not sent inside the CONNECT request, which is only used to establish a tunnel for the SSL. The cookies are sent inside the HTTP requests which are protected with SSL (one of the reasons to use https is to protect these cookies) so you need SSL inspection. This means: use of your own proxy CA which has to be trusted by all clients, separate SSL streams to client and to server, making sure that you get all the trust issues right (not easy, see http://www.youtube.com/watch?v=7TNdHzwTNdM) and client certificates will not work. For C code have a look at SSL bumping in squid proxy. – Steffen Ullrich Apr 05 '14 at 15:04
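The no-interception case from the answer, as an added example that is not part of the original thread and is written in Python rather than the asker's .NET: only the CONNECT head is rewritten, then the bytes are relayed untouched, so no CA and no TLS stream are needed. It assumes the next hop is an upstream proxy that accepts Basic `Proxy-Authorization`; the function names and credentials are hypothetical.

```python
import base64
import selectors
import socket

def add_proxy_auth(head: bytes, user: str, password: str) -> bytes:
    """Rewrite the CONNECT head: drop any client-sent Proxy-Authorization, add ours."""
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if lines[0].split(b" ", 1)[0].upper() != b"CONNECT":
        # GET/POST of an https URL travel inside TLS and never reach us in clear text.
        raise ValueError("only the CONNECT request is visible without TLS interception")
    kept = [l for l in lines[1:] if not l.lower().startswith(b"proxy-authorization:")]
    token = base64.b64encode(f"{user}:{password}".encode())  # assumed Basic scheme
    kept.append(b"Proxy-Authorization: Basic " + token)
    return b"\r\n".join([lines[0], *kept]) + b"\r\n\r\n"

def read_head(sock: socket.socket, limit: int = 65536):
    """Read one HTTP head; return (head, bytes that arrived after it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) + len(chunk) > limit:
            raise ConnectionError("peer closed or head too large")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head + b"\r\n\r\n", rest

def relay(a: socket.socket, b: socket.socket) -> None:
    """Copy bytes both ways until one side closes; TLS records stay opaque."""
    with selectors.DefaultSelector() as sel:
        sel.register(a, selectors.EVENT_READ, b)
        sel.register(b, selectors.EVENT_READ, a)
        while True:
            for key, _ in sel.select():
                data = key.fileobj.recv(65536)
                if not data:
                    return
                key.data.sendall(data)

def handle_client(client: socket.socket, upstream_addr, user: str, password: str) -> None:
    """One tunnel: authenticated CONNECT to the upstream proxy, then a blind relay."""
    with client:
        head, early = read_head(client)
        with socket.create_connection(upstream_addr) as upstream:
            upstream.sendall(add_proxy_auth(head, user, password))
            reply, early_up = read_head(upstream)
            client.sendall(reply + early_up)   # return the answer to the source socket
            if reply.split(b" ", 2)[1:2] == [b"200"]:
                upstream.sendall(early)        # e.g. an early TLS ClientHello
                relay(client, upstream)
```

Adding values to cookies, as in the comment above, cannot be done at this layer: once the tunnel is up the proxy only sees TLS records.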