
https-mitm-proxy-handbook's Issues

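Can the man-in-the-middle only forge HTTPS responses? How can I get the HTML of the HTTPS response?

The code in Chapter4 only implements returning a forged response. How can I get the response HTML from the real requested address?
If possible, I hope you can give me some pointers. Thank you very much.
One more question: why is the certificate generated again in the SNICallback callback? Can't the fakeCertObj certificate from above be used directly?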

var fakeServer = new https.Server({
    key: fakeCertObj.key,
    cert: fakeCertObj.cert,
    SNICallback: (hostname, cback) => {
        let certObj = createFakeCertificateByDomain(caKey, caCert, hostname);
        cback(null, tls.createSecureContext({
            key: pki.privateKeyToPem(certObj.key),
            cert: pki.certificateToPem(certObj.cert)
        }));
    }
});

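Thanks to the author

It would be better to add a file cache for certificate creation; that would be more efficient.
Thanks to the author, I have already built an https packet-capture tool by following chapter1 chapter2 chapter2 chapter4.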

var fakeServer = new https.Server({
    key: fakeCertObj.key,
    cert: fakeCertObj.cert,
    // Is this code useless? Removing it doesn't seem to cause any problems
    SNICallback: (hostname, done) => {
        let certObj = createFakeCertificateByDomain(caKey, caCert, hostname)
        done(null, tls.createSecureContext({
            key: pki.privateKeyToPem(certObj.key),
            cert: pki.certificateToPem(certObj.cert)
        }))
    }
});

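Chapter4 does not need the SNICallback step when creating the fake https server

The code has already started an https server with the key and cert for the current server name; it only needs to listen on a port and return.

SNICallback exists mainly to support virtual hosts: it lets a single IP deploy multiple certificates at the same time, one per servername.

If the man-in-the-middle uses one fixed port, SNICallback can be used: the callback handles the certificate logic for the different domains, and the benefit is that the man-in-the-middle server only needs to bind a single port.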
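
An added example (not code from the handbook or from any commenter) that combines the two points made above: one SNICallback serving every hostname on a single port, with an in-memory cache in place of the suggested file cache so that a certificate is generated once per hostname. `makeSniCallback`, `issuePem`, `maxEntries` and `createContext` are hypothetical names introduced here.

```javascript
const tls = require('tls');

// issuePem(hostname) -> { key, cert } as PEM strings. Hypothetical hook; with the
// page's helper it could be:
//   h => { const o = createFakeCertificateByDomain(caKey, caCert, h);
//          return { key: pki.privateKeyToPem(o.key), cert: pki.certificateToPem(o.cert) }; }
function makeSniCallback(issuePem, opts = {}) {
  const maxEntries = opts.maxEntries || 256;            // assumed bound on cached hosts
  const createContext = opts.createContext || tls.createSecureContext;
  const cache = new Map(); // hostname -> secure context; Map order doubles as LRU order
  const stats = { hits: 0, misses: 0 };

  function sniCallback(servername, done) {
    // Normalise case and a stray trailing dot so "A.com" and "a.com."
    // share one cache entry.
    const host = String(servername || '').toLowerCase().replace(/\.$/, '');
    let ctx = cache.get(host);
    if (ctx) {
      stats.hits++;
      cache.delete(host);            // re-inserted below as most recently used
    } else {
      stats.misses++;
      try {
        const { key, cert } = issuePem(host);
        // This example only accepts PEM strings, never node-forge objects.
        if (typeof key !== 'string' || typeof cert !== 'string') {
          throw new TypeError('issuePem must return PEM strings for ' + host);
        }
        ctx = createContext({ key, cert });
      } catch (err) {
        return done(err);            // fail this handshake only, keep the proxy up
      }
      if (cache.size >= maxEntries) {
        cache.delete(cache.keys().next().value);   // evict least recently used
      }
    }
    cache.set(host, ctx);
    done(null, ctx);
  }
  sniCallback.stats = stats;
  sniCallback.size = () => cache.size;
  return sniCallback;
}

// Usage: new https.Server({ key, cert, SNICallback: makeSniCallback(issuePem) })
```
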

chapter4

Hello, I tried running the chapter4 code and ran into the following error. What is going on?
CONNECT v10.events.data.microsoft.com:443
_tls_common.js:61
throw new ERR_INVALID_ARG_TYPE(
^

TypeError [ERR_INVALID_ARG_TYPE]: The "options.cert" property must be one of type string, Buffer, TypedArray, or DataView. Received type object
at validateKeyCert (_tls_common.js:61:11)
at Object.createSecureContext (_tls_common.js:122:7)
at Server (_tls_wrap.js:867:27)
at new Server (https.js:62:14)
at createFakeHttpsWebSite (C:\Users\Administrator\Desktop\code\https-mitm-proxy-handbook\code\chapter4\createFakeHttpsWebSite.js:41:22)
at Server.httpTunnel.on (C:\Users\Administrator\Desktop\code\https-mitm-proxy-handbook\code\chapter4\simpleHttpsProxy.js:34:3)
at Server.emit (events.js:182:13)
at onParserExecuteCommon (_http_server.js:535:14)
at onParserExecute (_http_server.js:482:3)

I added a print statement at line 44, but nothing was printed

SNICallback: (hostname, done) => {
console.log(123)
let certObj = createFakeCertificateByDomain(caKey, caCert, hostname)
console.log(certObj);

I am running on a Windows environment
$ node -v
v10.8.0

FakeServer does not seem to respond

I started Chapter4 and there are connection requests, but this fakeServer.on('request' does not seem to react at all:

    fakeServer.on('request', (req, res) => {
        // Parse the client request
        var urlObject = url.parse(req.url);
        let options =  {
            protocol: 'https:',
            hostname: req.headers.host.split(':')[0],
            method: req.method,
            port: req.headers.host.split(':')[1] || 80,
            path: urlObject.path,
            headers: req.headers
        };
        res.writeHead(200, { 'Content-Type': 'text/html;charset=utf-8'});
        res.write(`<html><body>我是伪造的: ${options.protocol}//${options.hostname} 站点</body></html>`)
        res.end();
        console.log(req.headers);
    });
    fakeServer.on('error', (e) => {
        console.error(e);
    });

简易HTTPS中间人代理启动成功,端口:6789
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT stupad.okjiaoyu.cn:443
CONNECT stupad.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443

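Why is createFakeHttpsWebSite needed?

Why is createFakeHttpsWebSite needed?
When the browser sends an HTTPS request, it checks whether the certificate matches the domain name.
So a fake server has to be created, and the domain name on the certificate this server uses is the domain being proxied?

For example, in a proxy that supports intercepting https:
when I request a.com, a fake https server is created, and the domain name on its certificate is a.com.
Then this fake https server does some processing and returns the response to the browser? Is that how https interception is done?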
