proxhttpsproxymii's People

Contributors

mhavrlent, wheever

proxhttpsproxymii's Issues

Certificates need updating

Reading https://www.prxbx.com/forums/showthread.php?tid=2191 I found there is an updated package https://www.prxbx.com/forums/attachment.php?aid=1029 which, among other changes, also has the most recent cacert.pem files required for the application to work properly. It is equal to the one that can be fetched with https://raw.githubusercontent.com/curl/curl/master/lib/mk-ca-bundle.pl which still needs http://cacerts.thawte.com/ThawteRSACA2018.crt as it is still not part of the package.
Would you add those to the repo for easier package deployment?

No Privoxy config in README.md

user.filter

CLIENT-HEADER-TAGGER: tagger4https
s@^.*Tagged:.*ProxHTTPSProxyMII.*FrontProxy.*$@$0@i

user.action

{ +client-header-tagger{tagger4https} }
/

{+forward-override{forward 127.0.0.1:8081}}
TAG:.*?ProxHTTPSProxyMII

SNI implementation

Hi there, your script works flawlessly on https sites. Kudos to you.
However, SNI is not implemented yet, so it leads to many certificate errors now. I'm curious if you will implement SNI eventually?
Thanks in advance!

Certificate revocation check

I used the Heinoganda build of ProxHTTPSProxyMII 1.5, and tested at https://revoked.badssl.com/ however the proxy loaded the site without any errors. When the proxy is disabled the web browser displays a warning message and blocks the site.

Please consider adding revocation checks to reduce the security impact of this proxy.

ProxHTTPSProxyMII transparent interception/ set socket option IP_TRANSPARENT

Does ProxHTTPSProxyMII support transparent proxy interception? If not, could this be added?

I've set up iptables using TPROXY like one would with Squid but ProxHTTPSProxyMII does not see traffic.

iptables-save -c shows that traffic is indeed intercepted and apparently sent to the port ProxHTTPSProxyMII is listening on (8079) but the console does not show it and the browser times out.

[825:80665] -A PREROUTING -p tcp -m socket -j DIVERT
[280:16800] -A PREROUTING -p tcp -m tcp --dport 443 -j TPROXY --on-port 8079 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
[825:80665] -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
[825:80665] -A DIVERT -j ACCEPT

Configuring the browser to talk HTTPS to ProxHTTPSProxyMII directly works as expected with Privoxy in the middle.

From: https://www.kernel.org/doc/Documentation/networking/tproxy.txt

Because of certain restrictions in the IPv4 routing output code you'll have to
modify your application to allow it to send datagrams _from_ non-local IP
addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket
option before calling bind:

fd = socket(AF_INET, SOCK_STREAM, 0);
/* - 8< -*/
int value = 1;
setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
/* - 8< -*/
name.sin_family = AF_INET;
name.sin_port = htons(0xCAFE);
name.sin_addr.s_addr = htonl(0xDEADBEEF);
bind(fd, &name, sizeof(name));

A trivial patch for netcat is available here:
http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch

Please see http://wiki.squid-cache.org/Features/Tproxy4
Here's a discussion about achieving it with Python via UDP tho - http://www.unknownerror.org/opensource/suin/iptables/q/stackoverflow/10038727/python-iptables-capturing-all-udp-packets-and-their-original-destination
Another example - https://github.com/micolous/tollgate/blob/master/tollgate/captive_landing/tproxy.py
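
An added sketch, not part of the issue or of ProxHTTPSProxyMII's code, of what the quoted kernel documentation asks of a Python TCP listener: set `IP_TRANSPARENT` before `bind()`, then read the address the client actually dialled from the accepted socket. The function names are illustrative, and port 8079 is the one from the iptables rule in the issue; whether the project's listener could be adapted this way is not stated on the page.

```python
import socket

# Value of IP_TRANSPARENT in <linux/in.h>; not every Python build exposes the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def make_listener(port, host="0.0.0.0", transparent=True):
    """Listening TCP socket; with transparent=True it can accept TPROXY traffic."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        if transparent:
            # Must be set before bind(); raises PermissionError without
            # CAP_NET_ADMIN (typically: not running as root).
            sock.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
        sock.bind((host, port))
        sock.listen(16)
    except OSError:
        sock.close()
        raise
    return sock


def accept_with_destination(listener):
    """Accept one connection; return (conn, client_addr, destination_addr).

    On a TPROXY-diverted connection the accepted socket's local address is the
    address the client originally dialled, not the proxy's own listen address.
    """
    conn, client_addr = listener.accept()
    return conn, client_addr, conn.getsockname()


if __name__ == "__main__":
    listener = make_listener(8079)  # port taken from the iptables rule in the issue
    conn, client, dest = accept_with_destination(listener)
    print("client %s:%d wanted %s:%d" % (client + dest))
    conn.close()
```

Connections diverted on port 443 begin with a raw TLS ClientHello rather than an HTTP CONNECT request, so a proxy that expects CONNECT from a configured browser would also have to take the target host from the destination address or from SNI.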

Reduce RAM Usage

It would be nice if the RAM usage could be reduced to 20-30 MB.

Error with it and Yahoo, etc. on latest Firefox beta

Firefox 50 (Beta 4) shows [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600) when trying to view Yahoo.com, etc. with the latest version of it and Proxomitron properly configured. How do I fix it?
