wzshiming / bridge

Bridge is a multi-level proxy that supports clients and servers with multiple protocols. SSHProxy, HTTPProxy, Socks4, Socks5, Shadowsocks.
MIT License

https protocol problem. #26

Closed hongyi-zhao closed 4 days ago

hongyi-zhao commented 1 week ago
$ pgrep bridge -af
34639 bridge -b :8080 -p - -p socks5h://127.0.0.1:16668

$ curl -x https://127.0.0.1:8080 -vI https://www.google.com
*   Trying 127.0.0.1:8080...
* Connected to (nil) (127.0.0.1) port 8080 (#0)
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to 127.0.0.1:8080 
* Closing connection 0
* TLSv1.0 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, decode error (562):
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to 127.0.0.1:8080 

Is it possible to work with https protocol in this case?

Regards, Zhao

wzshiming commented 4 days ago

Not yet. How do I get a secure TLS certificate for localhost/127.0.0.1 ?

wzshiming commented 4 days ago

As I understand it, this may require obtaining the system CA private key to issue the certificate, which is a privilege requirement.

hongyi-zhao commented 4 days ago

Suppose I've done the following settings:

# Install mkcert (on Ubuntu):
sudo apt install mkcert

# Install mkcert's root certificate into the local trust stores
mkcert -install

# Create a certificate for localhost and the loopback IP addresses
mkcert localhost 127.0.0.1 ::1

Then what should I do now?

wzshiming commented 4 days ago

Do you want to enable the HTTPS service when providing a TLS certificate? It's possible, but not supported yet.

hongyi-zhao commented 4 days ago

My main confusion right now is: Since Bridge currently does not support TLS certificates, is it secure to access HTTPS services through Bridge's proxy?

wzshiming commented 4 days ago

It is secure for accessing HTTPS services, but not for the proxy auth and the destination address.

wzshiming commented 4 days ago

If it is localhost, it is absolutely secure.

wzshiming commented 4 days ago

You can try adding --debug to the bridge, which will output traffic at the terminal.

hongyi-zhao commented 4 days ago

It is secure for accessing HTTPS services, but not for the proxy auth and the destination address.
If it is localhost, it is absolutely secure.

So, if the destination address is not localhost, say www.google.com in this case, do security concerns still exist?

wzshiming commented 4 days ago

If the HTTP proxy is local, it is secure.
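The exchange above boils down to what an on-path observer can read on the client-to-proxy hop when the proxy speaks plain HTTP. The following Go program is an added example written for this issue, not code from the bridge project: it parses a CONNECT request exactly as curl sends it to a plain HTTP proxy, reports the two fields the maintainer names as exposed (destination address and Proxy-Authorization), and applies the maintainer's rule that the hop is only a concern when it leaves the machine. The sample request, its credentials and the proxy URLs are constructed for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// ProxyHopExposure records what an observer sitting between the client and a
// plain (non-TLS) HTTP proxy can read. Everything after the request's blank line
// is the client's TLS handshake with the destination, which the observer cannot
// decrypt; only the metadata below travels in cleartext on that hop.
type ProxyHopExposure struct {
	Destination string // host:port from the CONNECT request line
	ProxyAuth   string // Proxy-Authorization header value, verbatim
	HasAuth     bool
}

// inspectConnect parses a raw CONNECT request as it appears on the wire and
// returns the cleartext metadata it carries.
func inspectConnect(raw string) (ProxyHopExposure, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return ProxyHopExposure{}, err
	}
	if req.Method != http.MethodConnect {
		return ProxyHopExposure{}, errors.New("not a CONNECT request")
	}
	auth := req.Header.Get("Proxy-Authorization")
	return ProxyHopExposure{
		Destination: req.Host, // for CONNECT, net/http fills Host from the request target
		ProxyAuth:   auth,
		HasAuth:     auth != "",
	}, nil
}

// hopIsSecure applies the rule from the thread: the client-to-proxy hop is fine
// if it is itself TLS-wrapped (an https:// proxy) or never leaves the host
// (localhost or a loopback address). Anything else exposes the CONNECT metadata.
func hopIsSecure(proxyURL string) (bool, error) {
	u, err := url.Parse(proxyURL)
	if err != nil {
		return false, err
	}
	switch u.Scheme {
	case "https":
		return true, nil
	case "http":
	default:
		return false, fmt.Errorf("unsupported proxy scheme %q", u.Scheme)
	}
	host := u.Hostname() // strips brackets from IPv6 literals such as [::1]
	if host == "localhost" {
		return true, nil
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback(), nil
}

// sampleConnect is a constructed request of the kind curl sends for
// `curl -x http://127.0.0.1:8080 -U user:pass https://www.google.com`.
// The Basic credential is the base64 of the made-up pair "user:pass".
const sampleConnect = "CONNECT www.google.com:443 HTTP/1.1\r\n" +
	"Host: www.google.com:443\r\n" +
	"Proxy-Authorization: Basic dXNlcjpwYXNz\r\n" +
	"User-Agent: curl/7.81.0\r\n" +
	"Proxy-Connection: Keep-Alive\r\n\r\n"

func main() {
	exposure, err := inspectConnect(sampleConnect)
	if err != nil {
		panic(err)
	}
	fmt.Printf("visible on the proxy hop: destination=%s proxy-auth=%q\n",
		exposure.Destination, exposure.ProxyAuth)
	for _, p := range []string{"http://127.0.0.1:8080", "http://[::1]:8080", "http://10.0.0.5:8080", "https://proxy.example:8080"} {
		ok, _ := hopIsSecure(p)
		fmt.Printf("%-28s hop secure: %v\n", p, ok)
	}
}
```

The TLS session that follows the CONNECT response is negotiated end to end between curl and www.google.com, so bridge never sees its plaintext regardless of how it is reached; what hopIsSecure decides is only whether the cleartext metadata above ever crosses a network.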

hongyi-zhao commented 4 days ago

Thank you for your clarification. Therefore, in my case, there is no need to bother with HTTPS proxy protocol when calling bridge.