[Privoxy-users] Rewriting CONNECT header
Fabian Keil
fk@fabiankeil.de
Thu Mar 7 16:48:06 CET 2024
Madhu <enometh at meer.net> wrote on 2024-02-23 at 17:52:48:
> Hello, Assume example.com resolves to 192.168.20.10 and there is a
> https server running there, with adequately lax old-style SNI so that
> this works:
>
> curl -4 --head https://192.168.20.10 -H 'Host: example.com'
>
> I'm trying to see if I can get privoxy to do the rewrites so the
> following works the same way:
>
> curl -4 -x localhost:8118 https://example.com/
>
>
> ``` use.filter
> CLIENT-HEADER-FILTER: use-ip-for-example-com
> s@^(HEAD|GET|POST) /([^ ]*) (HTTP/.*)$@$1 https://192.168.20.10/$2 $3@i
> s@^(CONNECT)\s*example.com(.*)$@$1 192.168.20.10@i
This line seems to eat the "HTTP/1.1", resulting in an invalid line.
> # the following line should not be required because curl should set it.
> #s@^(Host:) .*@$1 example.com:443@i
> ```
>
> ```user.actions
> {+https-inspection}
> example.com
> 192.168.20.10
> {+ignore-certificate-errors}
> example.com
> 192.168.20.10
> { +https-inspection +client-header-filter{use-ip-for-example} }
> example.com/
> ```
>
> However, this does not seem to work. The (doctored) log is along these lines:
>
> ```
> Re-Filter: filtering 'CONNECT example.com:443 HTTP/1.1' (size) with 'use-ip-for-example' ...
> Header: Transforming "CONNECT example.com:443 HTTP/1.1" to "CONNECT 192.168.20.10:443 HTTP/1.1"
> Re-Filter: ... produced 1 hits (new size).
> Re-Filter: filtering 'Host: example.com:443' (size) with 'use-ip-for-example' ...
> Re-Filter: ... produced 0 hits (new size).
> Re-Filter: filtering 'User-Agent: Mozilla/5.0 ()' (size) with 'use-ip-for-example' ...
> Re-Filter: ... produced 0 hits (new size).
> Redirect: Rewrite detected: CONNECT 192.168.20.10:443 HTTP/1.1
> Connect: Closing client socket 4. Keep-alive: 0. Socket alive: 1. Data available: 1. Configuration file change detected: 0. Requests received: 1.
> ```
>
> and curl gets an EOF reply.
>
> I'd appreciate any suggestions on what I ought to be trying. --Regards, Madhu
For testing I changed your filter to:
CLIENT-HEADER-FILTER: use-ip-for-example-com
s@^(HEAD|GET|POST) /([^ ]*) (HTTP/.*)$@$1 https://95.211.138.51/$2 $3@i
s@^(CONNECT)\s*example.com(.*)$@$1 95.211.138.51 HTTP/1.1@i
This seems to "work" but Privoxy generates a certificate for
95.211.138.51 instead of example.com to show the client.
| fk@t520 ~ $curl -4 -v https://example.com/
| * Uses proxy env variable https_proxy == 'http://127.0.1.1:8118/'
| * Trying 127.0.1.1:8118...
| * Connected to 127.0.1.1 (127.0.1.1) port 8118
| * CONNECT tunnel: HTTP/1.1 negotiated
| * allocate connect buffer
| * Establish HTTP proxy tunnel to example.com:443
| > CONNECT example.com:443 HTTP/1.1
| > Host: example.com:443
| > User-Agent: curl/8.5.0
| > Proxy-Connection: Keep-Alive
| >
| < HTTP/1.1 200 Connection established
| <
| * CONNECT phase completed
| * CONNECT tunnel established, response 200
| * ALPN: curl offers h2,http/1.1
| * TLSv1.3 (OUT), TLS handshake, Client hello (1):
| * TLSv1.3 (IN), TLS handshake, Server hello (2):
| * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
| * TLSv1.3 (IN), TLS handshake, Certificate (11):
| * TLSv1.3 (IN), TLS handshake, CERT verify (15):
| * TLSv1.3 (IN), TLS handshake, Finished (20):
| * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
| * TLSv1.3 (OUT), TLS handshake, Finished (20):
| * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
| * ALPN: server did not agree on a protocol. Uses default.
| * Server certificate:
| * subject: CN=95.211.138.51; O=95.211.138.51; OU=95.211.138.51; C=CZ
| * start date: Feb 6 15:35:00 2024 GMT
| * expire date: Jun 5 15:35:00 2024 GMT
| * SSL: certificate subject name '95.211.138.51' does not match target host name 'example.com'
| * Closing connection
| * TLSv1.3 (OUT), TLS alert, close notify (256):
| curl: (60) SSL: certificate subject name '95.211.138.51' does not match target host name 'example.com'
| More details here: https://curl.se/docs/sslcerts.html
|
| curl failed to verify the legitimacy of the server and therefore could not
| establish a secure connection to it. To learn more about this situation and
| how to fix it, please visit the web page mentioned above.
If curl is instructed to ignore the problem the content is shown as expected.
| fk@t520 ~ $curl -4 --insecure -v https://example.com/
| * Uses proxy env variable https_proxy == 'http://127.0.1.1:8118/'
| * Trying 127.0.1.1:8118...
| * Connected to 127.0.1.1 (127.0.1.1) port 8118
| * CONNECT tunnel: HTTP/1.1 negotiated
| * allocate connect buffer
| * Establish HTTP proxy tunnel to example.com:443
| > CONNECT example.com:443 HTTP/1.1
| > Host: example.com:443
| > User-Agent: curl/8.5.0
| > Proxy-Connection: Keep-Alive
| >
| < HTTP/1.1 200 Connection established
| <
| * CONNECT phase completed
| * CONNECT tunnel established, response 200
| * ALPN: curl offers h2,http/1.1
| * TLSv1.3 (OUT), TLS handshake, Client hello (1):
| * TLSv1.3 (IN), TLS handshake, Server hello (2):
| * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
| * TLSv1.3 (IN), TLS handshake, Certificate (11):
| * TLSv1.3 (IN), TLS handshake, CERT verify (15):
| * TLSv1.3 (IN), TLS handshake, Finished (20):
| * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
| * TLSv1.3 (OUT), TLS handshake, Finished (20):
| * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
| * ALPN: server did not agree on a protocol. Uses default.
| * Server certificate:
| * subject: CN=95.211.138.51; O=95.211.138.51; OU=95.211.138.51; C=CZ
| * start date: Feb 6 15:35:00 2024 GMT
| * expire date: Jun 5 15:35:00 2024 GMT
| * issuer: C=DE; ST=NRW; L=Cologne; O=Privoxy developers; OU=XYZ; CN=Fabian Keil; emailAddress=fk@fabiankeil.de
| * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
| * Certificate level 0: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
| * using HTTP/1.x
| > GET / HTTP/1.1
| > Host: example.com
| > User-Agent: curl/8.5.0
| > Accept: */*
| >
| * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
| * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
| * old SSL session ID is stale, removing
| < HTTP/1.1 200 OK
| < Server: nginx
| < Date: Thu, 07 Mar 2024 15:39:58 GMT
| < Content-Type: text/html
| < Content-Length: 579
| < Last-Modified: Wed, 25 Jan 2023 08:41:50 GMT
| < Connection: keep-alive
| < ETag: "63ba569d-243"
| < Accept-Ranges: bytes
| <
| <!DOCTYPE html>
| <html>
| <head>
| <title>ElectroBSD - Putting the "Free" in "Free"BSD</title>
[...]
| * Connection #0 to host 127.0.1.1 left intact
It could be argued that Privoxy should generate a certificate
for example.com instead.
Fabian
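The point about the CONNECT rewrite eating the "HTTP/1.1" can be checked offline. The following is an added example, not code from the thread or from Privoxy: it reimplements just enough of the pcrs `s@pattern@replacement@flags` job syntax in Python to run the filters quoted above against a constructed CONNECT line, the way the log shows Privoxy applying a client-header-filter to each header line in turn. It goes one step beyond the thread by adding a third variant that keeps the captured `$2` (port and version); that variant is an assumption of mine, not something either poster proposed.

```python
import re

# Constructed request lines for the demo (not from a real capture).
CONNECT_LINE = "CONNECT example.com:443 HTTP/1.1"
HOST_LINE = "Host: example.com:443"

# Filters as quoted in the thread (Madhu's original and Fabian's test version).
FILTER_GET = r"s@^(HEAD|GET|POST) /([^ ]*) (HTTP/.*)$@$1 https://192.168.20.10/$2 $3@i"
FILTER_ORIGINAL = r"s@^(CONNECT)\s*example.com(.*)$@$1 192.168.20.10@i"
FILTER_FABIAN = r"s@^(CONNECT)\s*example.com(.*)$@$1 95.211.138.51 HTTP/1.1@i"
# Added variant (assumption): re-emit $2 so port and HTTP version survive.
FILTER_KEEP_TAIL = r"s@^(CONNECT)\s*example\.com(.*)$@$1 192.168.20.10$2@i"


def parse_pcrs(job: str):
    """Split a pcrs job 's<d>pattern<d>replacement<d>flags' on its delimiter."""
    if len(job) < 2 or job[0] != "s":
        raise ValueError("not a pcrs substitution job")
    delim = job[1]
    parts = job[2:].split(delim)
    if len(parts) != 3:
        raise ValueError("expected pattern, replacement and flags")
    pattern, replacement, flags = parts
    # pcrs back-references are $1..$9; Python's re wants \g<1>..\g<9>.
    replacement = re.sub(r"\$(\d)", r"\\g<\1>", replacement)
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.compile(pattern, re_flags), replacement, "g" in flags


def apply_filter(job: str, line: str) -> str:
    """Apply one pcrs job to one header line, as a client-header-filter does."""
    regex, replacement, is_global = parse_pcrs(job)
    return regex.sub(replacement, line, count=0 if is_global else 1)


def is_valid_request_line(line: str) -> bool:
    """Request-line must be 'METHOD SP target SP HTTP-version' (RFC 7230)."""
    return re.fullmatch(r"[A-Z]+ \S+ HTTP/\d\.\d", line) is not None


if __name__ == "__main__":
    for name, job in (("original", FILTER_ORIGINAL), ("fabian", FILTER_FABIAN),
                      ("keep-tail", FILTER_KEEP_TAIL)):
        out = apply_filter(job, CONNECT_LINE)
        print(f"{name:9s} -> {out!r} valid={is_valid_request_line(out)}")
    print("host line ->", apply_filter(FILTER_ORIGINAL, HOST_LINE))
```

The original job drops everything `(.*)` captured because the replacement never references `$2`, leaving a two-token request line that no HTTP parser accepts; the Host header, which the log shows passing through the same filter, is untouched by all three jobs.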