0

I wrote a proxy server which works well. But when looking at the log, there are some weird requests like:

POST https://vortex.data.microsoft.com/collect/v1 HTTP/1.1

Also some GET over https. I think only CONNECT is allowed over https, am I wrong? If I am wrong, how to deal with these request? (I just dropped these requests in my app.)

Another thing maybe unrelated is all these requests are related to microsoft from the log.

Jks Liu
  • 457
  • 2
  • 12
  • In general there shouldn't be issues handling HTTPS in proxy, but please provide more info for better understanding your issue – ofirule Nov 11 '21 at 13:33
  • For e.g. when GET an HTTPS, should the proxy connect to 80 port or 443 port? Why the GET/POST does not just behind CONNECT to transparent over the proxy. – Jks Liu Nov 12 '21 at 03:55

1 Answers1

1

There isn't any problem handling any HTTP Method with HTTPS within a proxy.

All the requests with https://-protocol will be automatically received and sent to port 443 if not indicated otherwise.

Independently if you have a server where you deployed a HAProxy, NGINX, Apache Web Server or that you literally wrote a proxy like this one in JavaScript, only thing you have to do is to literally proxy the requests to the destination server address.

Regarding the encryption, precisely HTTPS ensures that there are no eavesdroppers between the client and the actual target, so the Proxy would act as initial target and then this would transparently intercept the connection.

  1. Client starts HTTPS session to Proxy
  2. Proxy intercepts and returns its certificate, signed by a CA trusted by the client.
  3. Proxy starts HTTPS session to Target
  4. Target returns its certificate, signed by a CA trusted by the Proxy.
  5. Proxy streams content, decrypt and re-encrypt with its certificate.

Basically it's a concatenation of two HTTPS sessions, one between the client and the proxy and other between the proxy and the final destination.

Daniel Campos Olivares
  • 2,262
  • 1
  • 10
  • 17
  • Is there any standard/RFC about this, or it is just a de facto one? – Jks Liu Nov 17 '21 at 14:27
  • Regarding the port? You have [RFC-2818 Section 2.3](https://datatracker.ietf.org/doc/html/rfc2818#section-2.3) about the default port number. Regarding the methods, in the same RFC, section 2; it says that HTTPS should be used in the same way than HTTP. – Daniel Campos Olivares Nov 17 '21 at 14:30
  • Also, in [RFC-7230 Section 2.7.2](https://datatracker.ietf.org/doc/html/rfc7230#section-2.7.2) when they are talking about the `https://` scheme they mention that port 443 is the default one for HTTPS. – Daniel Campos Olivares Nov 17 '21 at 14:32
  • Do you mean the proxy just do the same as HTTP except 443 port. But who is responsible for HTTPS encryption? If proxy sends the request `POST https://example.com/path.info` to remote server without encryption, `path.info` will not be privacy. – Jks Liu Nov 17 '21 at 14:58
  • The proxy will send to remote server with encryption, since it will start a new HTTPS session between the proxy and the target. Check my updated answer. – Daniel Campos Olivares Nov 17 '21 at 15:07
  • So proxy will do the heavy work in this scenario. Thank you very much. – Jks Liu Nov 18 '21 at 01:14
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/239335/discussion-between-jks-liu-and-daniel-campos). – Jks Liu Nov 18 '21 at 01:15