sonertari / SSLproxy

Transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs, such as UTM services, for deep SSL inspection
BSD 2-Clause "Simplified" License

Config option to disable sslproxy header #41

Open theromis opened 2 years ago

theromis commented 2 years ago

Trying to keep my HTTP headers as clean as possible, but I can always see the sslproxy header, so I finally just disabled it in the code:

+++ src/protohttp.c
@@ -612,11 +612,13 @@ protohttp_filter_request_header(struct evbuffer *inbuf, struct evbuffer *outbuf,
                }
                free(line);

+               /*
                if ((type == CONN_TYPE_PARENT) && ctx->divert && !ctx->sent_sslproxy_header) {
                        ctx->sent_sslproxy_header = 1;
                        log_finer_va("INSERT= %s", ctx->sslproxy_header);
                        evbuffer_add_printf(outbuf, "%s\r\n", ctx->sslproxy_header);
                }
+               */
        }

        if (http_ctx->seen_req_header) {
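Review bot: commenting out the whole `if ((type == CONN_TYPE_PARENT) && ctx->divert && !ctx->sent_sslproxy_header)` block removes the header unconditionally, whereas the request below is for an option, so the default behaviour (on which diverted programs rely to learn the dynamically assigned return address and the original source and destination) should stay unchanged; the option belongs as an extra term in that same condition, something like `&& !opts->no_sslproxy_header` (name hypothetical, whatever the config parser ends up exposing), rather than a comment block, so that `ctx->sent_sslproxy_header = 1;` and the `log_finer_va("INSERT= %s", ...)` trace still run whenever the header is enabled.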

Is it possible to make some option in config to add this header optionally?

sonertari commented 2 years ago

Of course it is possible, but I don't understand the use of it. Don't you return the packets back to sslproxy (you need the dynamically assigned return address in the SSLproxy line for that)? How do you determine the actual source and destination addresses of the connection? Don't you need the other information in the SSLproxy line?

theromis commented 2 years ago

@sonertari I'm diverting pure HTTP traffic to nginx, and the actual HTTP request, including DNS resolution, is processed by nginx. sslproxy:

ProxySpec {
        Addr 0.0.0.0
        Port 8443
        DivertAddr 127.0.0.1
        DivertPort 80
        ReturnAddr 127.0.0.1
        ....
}

nginx (port 80):

        location / {
                proxy_ssl_server_name on;
                proxy_pass https://$http_host;
                ....
        }

sonertari commented 2 years ago

Does it really work? Since that's not the intended use of sslproxy, there may be (hidden) problems, even if it seems to work.

For example, if the listening program, nginx in this case, does not return the packets to sslproxy listening on a dynamically assigned return address, (1) sslproxy will time the connection out in 120 seconds by default, which can be configured by the ConnIdleTimeout option, (2) during which time the connection will consume resources, as sslproxy will have allocated file descriptors and structs for it. (You can decrease this timeout as much as possible to reduce resource usage.)

If your setup really works, then I guess nginx doesn't need the source and destination IP addresses of the connection. Is this correct?

Squid cache has problems if it does not know if the original connection was encrypted or not (especially if a connection is redirected from plain to secure web site), but I guess nginx or your setup does not have such problems, or it doesn't use a cache. Is this correct?

If you can make sure that this is really a viable use of sslproxy, and there are no (hidden) problems as I tried to mention a few of them above, in other words if that's really what you want, then I can add an option like that on a new branch, so you can test it properly.
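To make concrete what a listening program gives up when the header is dropped, here is an added example (my own code, not part of SSLproxy or of the nginx setup above) of how a diverted program can consume the SSLproxy line and strip it before forwarding. It assumes the line format documented in the SSLproxy README, `SSLproxy: [RETURN_ADDR]:PORT,[SRC_ADDR]:PORT,[DST_ADDR]:PORT,s|p`, where the last field says whether the original connection was encrypted (`s`) or plain (`p`); the sample request is constructed.

```python
"""Consume and strip the SSLproxy header line from a diverted HTTP request.

Added example, not SSLproxy project code. The header format assumed here
follows the SSLproxy README:
    SSLproxy: [RETURN_ADDR]:PORT,[SRC_ADDR]:PORT,[DST_ADDR]:PORT,s|p
The listening program needs the return address to send the request back
to sslproxy, and the src/dst/flag fields to know who the client is, where
the request was going, and whether it was TLS (the Squid cache concern).
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER_NAME = b"sslproxy"  # header names are case-insensitive
_ENDPOINT = r"\[([^\]]+)\]:(\d{1,5})"
_LINE_RE = re.compile(rf"^{_ENDPOINT},{_ENDPOINT},{_ENDPOINT},([sp])$")


@dataclass(frozen=True)
class SSLproxyInfo:
    return_addr: str   # where the listening program must send the request
    return_port: int   # dynamically assigned per connection by sslproxy
    src_addr: str      # original client
    src_port: int
    dst_addr: str      # original server
    dst_port: int
    encrypted: bool    # True if the client connection was TLS


def parse_sslproxy_line(value: str) -> SSLproxyInfo:
    """Parse the value of one SSLproxy header line; raise on malformed input."""
    m = _LINE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed SSLproxy line: {value!r}")
    ra, rp, sa, sp, da, dp, flag = m.groups()
    return SSLproxyInfo(ra, int(rp), sa, int(sp), da, int(dp), flag == "s")


def strip_sslproxy_header(request: bytes) -> Tuple[bytes, Optional[SSLproxyInfo]]:
    """Return (request without any SSLproxy header, parsed info or None).

    Without the header (the situation the commented-out code produces) the
    program has no return address, no original src/dst and no TLS flag.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    kept = [lines[0]]  # request line
    info: Optional[SSLproxyInfo] = None
    for line in lines[1:]:
        name, colon, val = line.partition(b":")
        if colon and name.strip().lower() == HEADER_NAME:
            if info is None:
                info = parse_sslproxy_line(val.decode("ascii", "replace"))
            continue  # drop every copy so it never reaches the origin server
        kept.append(line)
    return b"\r\n".join(kept) + b"\r\n\r\n" + body, info


def next_hop(info: Optional[SSLproxyInfo]) -> Optional[Tuple[str, int]]:
    """Where a diverted program should connect to hand the request back."""
    return (info.return_addr, info.return_port) if info else None


# Constructed sample request, as sslproxy would deliver it to the divert port.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[74.125.206.108]:443,s\r\n"
    b"User-Agent: x\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    cleaned, meta = strip_sslproxy_header(SAMPLE_REQUEST)
    print(meta)
    print("forward to:", next_hop(meta))
    print(cleaned.decode())
```

In nginx the equivalent of the stripping step is `proxy_set_header SSLproxy "";` on the `location`, which is what removing the header "on the nginx side" amounts to; the point of the example is that once the header is gone, `next_hop` returns `None` and the program can only forward by its own DNS lookup of the `Host` header, with no knowledge of the original client or of whether the connection was TLS.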

theromis commented 2 years ago

@sonertari thank you for the fast and detailed explanation, I'm new to sslproxy and may not understand all its parts. The main purpose for nginx usage is heavy response processing, so I'm analyzing only port 443. I'm doing extra DNS resolution which I probably can avoid by using the sslproxy header. Also I think I can suppress the sslproxy header on the nginx side, in which case I don't need this option. Let me try this approach and I'll get back to you soon.

theromis commented 2 years ago

Just suppressed the header on the nginx side, probably this is ok.

@sonertari but I have another issue, I'm getting an empty response for uk.wikipedia.org

SNI peek: [uk.wikipedia.org] [complete], fd=44
Connecting to [198.35.26.96]:443
===> Original server certificate:
Subject DN: /CN=*.wikipedia.org
Common Names: *.wikipedia.org/*.m.mediawiki.org/*.m.wikibooks.org/*.m.wikidata.org/*.m.wikimedia.org/*.m.wikinews.org/*.m.wikipedia.org/*.m.wikiquote.org/*.m.wikisource.org/*.m.wikiversity.org/*.m.wikivoyage.org/*.m.wiktionary.org/*.mediawiki.org/*.planet.wikimedia.org/*.wikibooks.org/*.wikidata.org/*.wikimedia.org/*.wikimediafoundation.org/*.wikinews.org/*.wikipedia.org/*.wikiquote.org/*.wikisource.org/*.wikiversity.org/*.wikivoyage.org/*.wiktionary.org/*.wmfusercontent.org/mediawiki.org/w.wiki/wikibooks.org/wikidata.org/wikimedia.org/wikimediafoundation.org/wikinews.org/wikipedia.org/wikiquote.org/wikisource.org/wikiversity.org/wikivoyage.org/wiktionary.org/wmfusercontent.org
Fingerprint: EF:9C:F2:C9:64:3B:E7:20:E5:5F48:BD:BF:8C:96:5E:79:7B:F0:05
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /CN=*.wikipedia.org
Common Names: *.wikipedia.org/*.m.mediawiki.org/*.m.wikibooks.org/*.m.wikidata.org/*.m.wikimedia.org/*.m.wikinews.org/*.m.wikipedia.org/*.m.wikiquote.org/*.m.wikisource.org/*.m.wikiversity.org/*.m.wikivoyage.org/*.m.wiktionary.org/*.mediawiki.org/*.planet.wikimedia.org/*.wikibooks.org/*.wikidata.org/*.wikimedia.org/*.wikimediafoundation.org/*.wikinews.org/*.wikipedia.org/*.wikiquote.org/*.wikisource.org/*.wikiversity.org/*.wikivoyage.org/*.wiktionary.org/*.wmfusercontent.org/mediawiki.org/w.wiki/wikibooks.org/wikidata.org/wikimedia.org/wikimediafoundation.org/wikinews.org/wikipedia.org/wikiquote.org/wikisource.org/wikiversity.org/wikivoyage.org/wiktionary.org/wmfusercontent.org
Fingerprint: 71:DE:C3:BA:BD:25:8A:21:1E:B479:9F:73:F9:04:39:97:6A:A2:64
HTTPS connected to [198.35.26.96]:443 TLSv1.3 TLS_AES_256_GCM_SHA384
CLIENT_RANDOM C2C1A9CF540DF349865C2FA4F90D63CEA758981FCD97C69C65EBEA44EE4BAD6D 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Certificate cache: KEEP (SNI match or target mode)
Certificate cache: KEEP (SNI match or target mode)
HTTPS connected to [198.35.26.96]:443 TLSv1.3 TLS_AES_256_GCM_SHA384
CLIENT_RANDOM 92D478F9DE26B3E10A955D5516155E687E16B920B2145388F3882104D80C264B 49C0775704A69A642E84A2E6BD52B18ECDD7F93FE939B011E8C72DA254888DB9D1E00F3102D4DEB347397DD64E757E46
SSL_free() in state 00000001 = 0001 = SSLOK  (SSL negotiation finished successfully) [accept socket]
SSL_free() in state 00000001 = 0001 = SSLOK  (SSL negotiation finished successfully) [connect socket]
^CReceived signal 2
Main event loop stopped (reason=2).
Received privsep req type 00 sz 1 on srvsock 8
Child pid 103332 exited with status 0

PS: same for ru.wikipedia.org, can you help with it?