Hi,

On 04/20/05(14:54) you "Neal L. Lester" <neal@3dsafety..> wrote
in <_A2919@delegate-en.ML_>
 |Is it possible to use delegate as an https proxy server (forwarding
 |requests to a (not secure) http server? It works fine if I request a
 |document directly (configure browser for "direct connection to the
 |internet" and then request https://delegated-host:4343/file) but not if
 |I configure my browser to use the ssl proxy delegated-host:4343.
 |
 |I tried:
 |
 |./delegated -f -vv -P4343 DGROOT=/home/neal/stunnel/
 |SERVER=https://localhost:4344 FCL=sslway RELIABLE="*" RELAY=proxy MOUNT="/*
 |http://localhost:4344/*"
 |
 |But I got:
 |
 |SSLway[20377](pudgy) accept failed
 |20377:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy
 |request:s23_srvr.c:405:

First of all, it is not a good idea to use a single DeleGate to work as
both an HTTP/HTTPS gateway (or SSL wrapper) which acts as an origin HTTPS
server, and as an HTTP proxy for SSL tunneling (or SSL proxy). It makes
the problem complex.

You succeeded in wrapping HTTP servers with DeleGate as if they were HTTPS
servers. The DeleGate acts as an origin or gateway server, that is, the
connection from the client is in HTTPS/SSL from the beginning, getting
the ClientHello message in SSL, then the request from the client in HTTP
for an origin server with the GET/HEAD/POST method or so. DeleGate rewrites
URLs in each response message, from "http://server" to "https://delegate".

On the contrary, an "SSL proxy" which relays HTTPS from an SSL client to an
SSL server acts as a proxy, that is, the connection from the client is in
bare HTTP and the request from the client is for a proxy server, as
"CONNECT host:443". It just connects to the specified TCP port and relays
without interpreting the SSL encrypted data.

So your "FCL=sslway" for this type of DeleGate fails on getting the
"CONNECT" method, saying "https proxy request", while expecting the
ClientHello message in SSL.

Well, SSLway has an option "sslway -st" to relay through such a CONNECT
request/response pair at the beginning. With this option, you can make
an HTTP proxy (with SSL tunneling) work also as an HTTP/HTTPS gateway.

  ## generic proxy between HTTP servers and HTTPS clients.
  ## specify this as an SSL proxy of a browser, then you can access any
  ## HTTP server "http://server" as if it is "https://server:80"
  -P8080 SERVER=http FCL="sslway -st"

With this proxy, you can access an arbitrary URL "http://server/path" over
SSL with the URL "https://server:80/path". But with this SSLway option,
this proxy can be used just for that purpose and becomes disabled for
relaying usual HTTP and HTTPS as is.

Cheers,
Yutaka
--
  D G   Yutaka Sato <pfqcabdyi.ml@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
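
Added example, not part of the original message and not DeleGate code: a small Python diagnostic that looks at the first bytes a client sends and tells apart the two cases described above, SSL from the first byte (gateway) versus a bare-HTTP CONNECT followed by SSL (SSL proxy). The function names, the sample byte strings and the acceptance rule for plain "FCL=sslway" are assumptions made for illustration.

```python
import re

# Request line of an HTTP tunnel request, e.g. "CONNECT server:80 HTTP/1.0"
CONNECT_RE = re.compile(rb"CONNECT (\S+):(\d+) HTTP/1\.[01]\r\n")
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ")


def classify(data: bytes) -> str:
    """Name the protocol message that starts at the beginning of `data`."""
    # SSLv3/TLS record header: content type 22 (handshake), major version 3,
    # a 2-byte version/length tail, then handshake type 1 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "ssl_client_hello"
    # SSLv2-compatible hello: length with the high bit set, message type 1.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "ssl_client_hello"
    if CONNECT_RE.match(data):
        return "http_connect"
    if data.startswith(HTTP_METHODS):
        return "plain_http"
    return "unknown"


def client_stages(stream: bytes) -> list:
    """List the stages found in the client-to-server bytes of one connection.

    A browser using an SSL proxy sends CONNECT in bare HTTP and starts SSL
    only after the header block; a browser talking to a gateway starts with
    ClientHello immediately.
    """
    stages = [classify(stream)]
    if stages[0] == "http_connect":
        _head, sep, rest = stream.partition(b"\r\n\r\n")
        if sep and rest:
            stages.append(classify(rest))
    return stages


def plain_sslway_accepts(stream: bytes) -> bool:
    """Assumed model of FCL=sslway without -st: SSL must come first."""
    return client_stages(stream)[0] == "ssl_client_hello"


# Constructed sample inputs (not captured traffic).
HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])
DIRECT = HELLO                                        # browser -> gateway
VIA_PROXY = b"CONNECT server:80 HTTP/1.0\r\n\r\n" + HELLO  # browser -> SSL proxy

if __name__ == "__main__":
    for name, s in (("direct", DIRECT), ("via proxy", VIA_PROXY)):
        print(name, client_stages(s), plain_sslway_accepts(s))
```

The "via proxy" stream is the one that produces the "https proxy request" error when the listener expects ClientHello first.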