Http 与 Https 代理区别 / Proxifier 与 Charles 使用心得小结

- -

HTTP Proxy 与 HTTPS Proxy 的区别很容易混淆。本文通过使用 Proxifier 与 Charles 实战作为一个笔记备忘。

HTTP Proxy 与 HTTPS Proxy 的区别

如何使用 proxifier 处理以 https 开头的 url,也就是 SSL 连接?这种连接一般是访问 443 端口,而普通 http 连接使用的是 80 端口。摘自 Proxifier 官网:

It is a common misconception to confuse HTTP proxy and HTTPS proxy. HTTP proxy servers can process HTTP connections (port 80). They can also support HTTPS connections (SSL) but usually such connections are only allowed on port 443 (the standard port for HTTPS). For example this is the default configuration for Squid and Microsoft ISA proxy servers. If an HTTP proxy allows HTTPS connections on arbitrary ports, it can be called HTTPS proxy server (also called CONNECT or SSL proxy). In this case it can be used for generic TCP connections like SOCKS v4/5 proxy. Proxifier can work with HTTP proxy servers that do not support HTTPS on arbitrary ports. Due to the technical limitation of this protocol it is only possible to process HTTP connections with such proxy servers. This means that you must configure the Proxification Rules accordingly.

基本上的意思就是呢,广义的 HTTP server 是可以处理 HTTPS 连接的。但是大多数 HTTP proxy servers 只能处理 HTTP request。如果它能处理任意端口的 HTTPS 连接,那么它也能被称作 HTTPS proxy server。换句话说,HTTPS proxy server 其实也就是 HTTP proxy server 的一种。

所以呢:

After that you will be able to add HTTP proxy server just like any other type of proxies. Once HTTP proxy server is added, make sure that you properly set the Proxification Rules. If you want to process HTTPS connections through this proxy also, you should add this proxy separately as HTTPS.

也就是说当要使用一个 proxy server 来同时处理 http 与 https 的连接时,应该把它们当作单独的 server 添加,如下:

同时,forwarding rules 也要添加两条:

使用 Charles 的同时使用 http/https proxy server

有时我们不希望设置一个全局的代理,而是希望针对某些 host:port 才使用代理。但是很多网站检测 ip 的功能可能放了在别的 host,所以 rule 里面要 match 好几个 host。这时,使用 charles 来监听访问一个网站时的 traffic 就特别方便,能轻易看到这个 request 会访问哪些 IP,然后可以逐个尝试把这些 IP 添加到 rule 里。但是 charles 本身就是一个(本地)代理。如何使用 Charles 时并且设置 external proxy server 呢?

这里比较复杂,要同时设置几个地方。首先,简单起见本地的 proxy server 直接设为 SOCKS:

其次,要支持 SSL 连接,必须设置 SSL proxy,简单起见,假设对于任意 host 任意端口都启用设置:

但是比较现代的浏览器会检测到 charles 发过来的根证书并不是要访问的网站的根证书,所以一般会提示并且出错,这是因为 (via):

Charles can be used as a man-in-the-middle HTTPS proxy, enabling you to view in plain text the communication between web browser and SSL web server. Charles does this by becoming a man-in-the-middle. Instead of your browser seeing the server’s certificate, Charles dynamically generates a certificate for the server and signs it with its own root certificate (the Charles CA Certificate). Charles receives the server’s certificate, while your browser receives Charles’s certificate. Therefore you will see a security warning, indicating that the root authority is not trusted. If you add the Charles CA Certificate to your trusted certificates you will no longer see any warnings – see below for how to do this. Charles still communicates via SSL to the web server. The communication is SSL (encrypted) from web browser to Charles and also SSL (encrypted) from Charles to the web server.

Charles uses its own Root SSL certificate for SSL requests through Charles to hosts enabled for SSL Proxying. The Root certificate is generated automatically for each Charles installation. Because Charles has signed the Root certificate itself, it won’t be trusted by your browsers or applications. In order to use the SSL Proxying feature in Charles you therefore need to add the Root certificate for your copy of Charles to the trust-store on your OS, and perhaps in your browser. Use the options in the SSL submenu in the Help menu in Charles to help install the Root certificate. You can install the certificate on the current OS, or on remote devices or browsers. To install the certificate in Mozilla Firefox, first configure Firefox to use Charles as its proxy then browse to chls.pro/ssl.

参见这里设置添加信任 Charles 的根证书。

最后,我们要设置对应的 HTTP 以及 HTTPS server,原理类似 proxifier:

PS. 这位博主有一系列非常好的介绍文章,并且使用 nodejs 实现了 HTTPHTTPS 代理。强烈推荐。

Comments