Reputation: 11
Here is what I'm trying to achieve: I have a TCP client that needs to connect to our server application, but I need the traffic to be done over HTTPS. As far as I know, it can be done with a reverse (or forward?) proxy as follows:
TCP client <--- HTTPS ---> myproxy.com:443 <------> tcp server app that listen port 7999
I successfully created a proxy without SSL with the following vhost config:
<VirtualHost *:80>
    ServerName myproxy.com
    SetEnv proxy-nokeepalive 1
    ProxyErrorOverride off
    ProxyRequests On
    ProxyBadHeader Ignore
    ProxyVia Full
    AllowCONNECT 80 443 7999
</VirtualHost>
(I am not sure if any of these params are unnecessary, tbh.)
With that vhost I can initiate my TCP connection to my server like this:
telnet myproxy.com 80
> Connected to myproxy.com.
CONNECT myproxy.com:7999 HTTP/1.1
Host: myproxy.com:7999
> HTTP/1.0 200 Connection Established
> Proxy-agent: Apache/2.4.18 (Ubuntu)
As soon as I add SSL and use port 443, I can't connect anymore:
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName myproxy.com
        SetEnv proxy-nokeepalive 1
        ProxyErrorOverride off
        ProxyRequests On
        ProxyBadHeader Ignore
        ProxyVia Full
        AllowCONNECT 80 443 7999
        SSLProxyEngine On
        SSLEngine On
        SSLCertificateFile...
    </VirtualHost>
</IfModule>
If I try to connect to this vhost, I get the following:
telnet myproxy.com 443
> Connected to myproxy.com.
CONNECT myproxy.com:7999 HTTP/1.1
Host: myproxy.com:7999
> Connection closed by foreign host.
What am I doing wrong? Is this only possible by using port 443?
While typing this I tried port 80 with SSL on (same as my last vhost but with <VirtualHost *:80>), and it seems to work. Is my connection to my TCP server secured this way? How could I be sure about that?
Thank you.
Upvotes: 1
Views: 8577
Reputation: 123260
What you did first was to create a HTTP proxy and issued a plain CONNECT request to it. This worked as expected.
What you did then was to enable SSL for connections to this proxy but issued a plain CONNECT again. This failed as expected, since you explicitly configured that the connection to the proxy should be SSL and not plain. This means that the proxy expected the connection to start with the TLS handshake (i.e. a ClientHello sent by the client) and not some plain-text HTTP request.
If you want to connect to the proxy with HTTPS then you cannot use simple telnet, since telnet only speaks plain TCP. You need to use a TLS-capable client instead, for example openssl s_client. Then you get something like
$ openssl s_client -connect myproxy:443
CONNECTED
...
SSL-Session:
Protocol : TLSv1.2
Cipher : ...
---
CONNECT myproxy:7999 HTTP/1.0
HTTP/1.0 200 Connection established
Upvotes: 3
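The exchange the answer describes, as an added example that is not part of the question or the answer: a small Python client that opens a certificate-verified TLS session to the proxy and only then sends the CONNECT request through it, checking the proxy's status line before handing the socket back. Host names, ports and the CA file are placeholders assumed for the example.

```python
import socket
import ssl

# Added example, not code from the original question or answer.
# Host names and ports below (myproxy.com, 443, 7999) are placeholders.


def build_connect_request(host, port):
    """Build the CONNECT request that is sent inside the TLS session to the proxy."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw):
    """Return (status_code, reason) from the proxy's reply; raise on malformed data."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response header")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def open_tls_tunnel(proxy_host, proxy_port, target_host, target_port, cafile=None, timeout=10):
    """TLS to the proxy (chain and hostname verified), then CONNECT to the target."""
    ctx = ssl.create_default_context(cafile=cafile)  # verification stays enabled
    raw_sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    tls = ctx.wrap_socket(raw_sock, server_hostname=proxy_host)  # ClientHello first
    tls.sendall(build_connect_request(target_host, target_port))
    buf = b""
    while b"\r\n\r\n" not in buf:  # read until the end of the proxy's header block
        chunk = tls.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
    code, reason = parse_connect_response(buf)
    if code != 200:
        tls.close()
        raise ConnectionError(f"proxy refused tunnel: {code} {reason}")
    # From here on, bytes written to `tls` are encrypted to the proxy, which relays
    # them unchanged to target_host:target_port (the plain TCP server on 7999).
    return tls


if __name__ == "__main__":
    sock = open_tls_tunnel("myproxy.com", 443, "myproxy.com", 7999)
    print(sock.version(), sock.getpeercert()["subject"])
```

With a plain-TCP telnet in place of the TLS handshake, the proxy on 443 closes the connection, which is the behaviour shown in the question.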