Sali Hoo

Reputation: 753

Respond to HTTP CONNECT in proxy

I'm currently implementing a proxy. This is a special proxy which just replies to previously recorded requests (it has a database of request/responses and upon receiving a request returns the match; this database is generated using Fiddler). In fact it is offline.

This works fine for sites without SSL, but for SSL sites there is a CONNECT HTTP message:

CONNECT myserver:9443 HTTP/1.1
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34
Host: myserver

I don't know what exactly I should return upon receiving this request.

Thanks

Upvotes: 0

Views: 811

Answers (1)

Bruno

Reputation: 122599

(Perhaps this question might be of interest.)

A normal HTTPS proxy would handle the CONNECT request, make a TCP connection to myserver:9443 and, if this connection is established successfully, return a 200 status code to the client. After this, it simply relays everything between the client and the target server without looking into it.

Since you're trying to implement a MITM proxy (offline too), you're going to have to emulate the connection to the actual server by redirecting the traffic to and from the client to a pseudo HTTPS server.

You might be able to do this by implementing a fake socket class and wrapping it via ssl.wrap_socket. (Presumably, since your application is already working for plain HTTP offline, you already have done some of the work to emulate reading and writing to pseudo sockets using your offline data.)

You may also have to generate a certificate on the fly. Typically, your proxy server could have its own CA, and you'd import its CA certificate into the client's trust anchors. Using that CA, just before sending any SSL/TLS data from the client to your pseudo server, generate a certificate signed with that CA, valid for the requested host name (which you can obtain from CONNECT), and configure your pseudo server with that. Without this step, the client should complain about invalid certificates.

Upvotes: 1
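A sketch of the CONNECT handling the answer describes, added here as an example and not code from the question or the answer: it parses the CONNECT target, returns the 200 status, and then terminates TLS itself instead of opening a tunnel. `context_for_host` and `serve_plain_http` are assumed callbacks: the first returns an `ssl.SSLContext` loaded with a certificate for that host issued by the proxy's own CA (generating that certificate is not shown), the second is the existing offline replay handler for plain HTTP.

```python
import ssl

# Status line a proxy returns once the "tunnel" is ready (reason phrase is free text).
CONNECT_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"


def parse_connect(head: bytes):
    """Return (host, port) from a CONNECT request head, or None if it is not a CONNECT."""
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    # CONNECT carries an authority ("host:port"), not a URL; the port is mandatory.
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip("[]"), int(port)  # strip IPv6 brackets, e.g. [::1]:443


def read_head(conn):
    """Read until the blank line that ends the request headers.

    Safe for CONNECT: the client does not start the TLS handshake before it
    has seen our 200, so nothing past the blank line is consumed here.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def handle_client(conn, context_for_host, serve_plain_http):
    """Serve one client connection from the offline request/response store."""
    head = read_head(conn)
    target = parse_connect(head)
    if target is None:
        serve_plain_http(conn, head)  # the already-working plain-HTTP replay path
        return
    host, _port = target
    conn.sendall(CONNECT_OK)  # the client now believes it is talking to `host`
    # Terminate TLS ourselves with a cert the proxy's CA issued for `host`
    # (assumed: context_for_host returns a server-side ssl.SSLContext).
    ctx = context_for_host(host)
    tls_conn = ctx.wrap_socket(conn, server_side=True)
    # Inside the TLS session the client sends ordinary HTTP again.
    serve_plain_http(tls_conn, read_head(tls_conn))
```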
