twitchax / AspNetCore.Proxy

ASP.NET Core Proxies made easy.
MIT License
525 stars 83 forks

How to proxy https request? #37

Closed yengepi closed 4 years ago

yengepi commented 4 years ago

Hi, thanks for your great work on this project. I wonder if this can proxy https requests? I expect to use this resource to build a proxy server that forwards and returns exactly the same request and response to the client. This should support 3 protocols: http/https/ws. Thanks.

twitchax commented 4 years ago

It does support HTTPS, but you will need to terminate the SSL on the proxy.

If you need to do pass through SSL, then the best option is a SOCKS proxy.

yengepi commented 4 years ago

Hi, thanks for the quick response. Can you add more guidance on this? From what you said, I assume that there are two parts to accomplish my task. The first is to disable the aspnetcore default ssl, which I believe is doing some configuration with kestrel (my host for now). The second part is building a SOCKS proxy to pass https requests through. So, is it an external proxy or is it already supported by aspnet core? If it's external, then how can I consume it? And how can it be integrated with my server? Does SOCKS act as a reverse proxy in front of my proxy? Thank you

twitchax commented 4 years ago

Hi @yengepi,

So, you want to proxy B, which means that a request from A to B would look like this.

A => B => A

That is, A makes a request to B, and B responds to A.

However, you want to proxy that connection, so it looks like this.

A => P => B => P => A

HTTP(S) proxies like this one must "terminate" the connection, so it really looks more like this.

A => P
P => B => P
P => A

That is, the relationship between A and P is its own connection, so any SSL connection cannot "pass through" to B. You can have SSL between A => P and P => B, but you cannot have an SSL connection all the way from A => B, so the proxy can "see" the data that A is trying to send to B. If that is not a problem, then this will totally work.

SOCKS proxies work at the transport layer, and, generally, just forward raw bytes. In that manner, you can do A => SP => B while maintaining an SSL relationship between strictly A and B without SP able to "see" the underlying data.

It looks like you want to build a reverse proxy. This should work fine for that, and I would recommend terminating SSL on the proxy, and then forwarding to underlying backends via HTTPS. If you control the network of the backends, and feel comfortable enough, you could terminate SSL on the proxy and forward to backends via HTTP.
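
The layout recommended in the reply above (terminate TLS on the proxy, then open a separate HTTPS connection to the backend), as an added example that is not code from the thread or from the project. It assumes the AspNetCore.Proxy 4.x builder API (`AddProxies`, `RunProxy`, `UseHttp`, `UseWs`), which may differ from the version current when this issue was opened; the certificate file, its password and the backend host name are placeholders.

```csharp
using AspNetCore.Proxy;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    // Placeholder backend (B). The https:// and wss:// schemes give the
    // P => B leg its own TLS session; the .NET HTTP client validates the
    // backend certificate by default, so B needs a certificate P trusts.
    private const string BackendHttp = "https://backend.example.internal";
    private const string BackendWs = "wss://backend.example.internal";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddProxies();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseWebSockets();

        // Everything that reaches this point has already been decrypted by
        // Kestrel: the proxy (P) sees the plaintext request from A before it
        // re-encrypts toward B. Log and store it with that in mind.
        app.RunProxy(proxy => proxy
            .UseHttp(BackendHttp)
            .UseWs(BackendWs));
    }
}

public static class Program
{
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web => web
                // TLS for the A => P leg terminates here, with the proxy's
                // own certificate (placeholder file name and password).
                // Only 443 is bound, so there is no cleartext listener.
                .ConfigureKestrel(kestrel => kestrel.ListenAnyIP(443, listen =>
                    listen.UseHttps("proxy-cert.pfx", "<pfx-password>")))
                .UseStartup<Startup>())
            .Build()
            .Run();
}
```

Switching the two backend constants to `http://` and `ws://` gives the cleartext-to-backend variant from the same reply, which leaves the P => B leg unencrypted on the internal network.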