Article delegate-en/2925 of [1-5169] on the server localhost:119
[Reference:<_A2924@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Delegate as https proxy server
25 Apr 2005 09:12:44 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A2924@delegate-en.ML_> on 04/25/05(17:44:28) I wrote:
 |Well, SSLway has an option "sslway -st" to relay through such a CONNECT
 |request/response pair at the beginning.  With this option, you can
 |make a HTTP proxy (with SSL tunneling) work also as HTTP/HTTPS gateway.
 |
 |  ## generic proxy between HTTP servers and HTTPS clients.
 |  ## specify this as a SSL proxy of a browser then you can access any
 |  ## HTTP server "http://server" as if it is "https://server:80"
 |  -P8080
 |  SERVER=http
 |  FCL="sslway -st"
 |
 |With this proxy, you can access an arbitrary URL "http://server/path"
 |over SSL with the URL "https://server:80/path".

The enclosed patch will escape the following problem:

 |But with this SSLway option, this proxy can be used just for such a purpose
 |and becomes disabled for relaying usual HTTP and HTTPS as is.

To make this patch work, you need to specify the protocol name HTTP like this:

   FCL="sslway -st/http"

I know this is not a good solution for practical situations because it
inserts the sslway filter for any connection in vain.
I'll improve it not to insert an unnecessary SSL filter.  Such conditional
insertion of an SSL filter, including STARTTLS for HTTP, will be
controlled with the STLS=-fcl parameter in the future.

Cheers,
Yutaka
--
  D G   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


*** dist/delegate8.11.3/filters/sslway.c	Tue Mar  1 08:47:42 2005
--- sslway.c	Mon Apr 25 18:04:38 2005
***************
*** 774,779 ****
--- 774,789 ----
  		if( fgets(buf,sizeof(buf),fc) == NULL )
  			return -1;
  		dp = wordscanX(buf,AVStr(com),sizeof(com));
+ 
+  if( xi == 0 )
+  if( proto && strcaseeq(proto,"http") )
+  if( !strcaseeq(com,"CONNECT") ){
+ 	fputs(buf,ts);
+ 	fflush(ts);
+ 	do_accSSL = 0;
+ 	ERROR(">>> DON'T accSSL for non-HTTPS client [%s]",com);
+ 	return 0;
+  }
  		wordscanX(dp,AVStr(arg),sizeof(arg));
  		ERROR("STARTTLS prologue: C-S: [%s][%s]",com,arg);
  
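Review bot: the three stacked `if` statements without braces (`if( xi == 0 )` / `if( proto && strcaseeq(proto,"http") )` / `if( !strcaseeq(com,"CONNECT") )`) are easy to misread, and the inserted block is indented with spaces where the surrounding code uses tabs; fold them into one braced condition, e.g. `if( xi == 0 && proto && strcaseeq(proto,"http") && !strcaseeq(com,"CONNECT") ){`. Only the first line `buf` is written back with `fputs(buf,ts)` before `return 0`, so a comment stating that the caller relays the rest of the connection unchanged once `do_accSSL` is 0 would make the contract clear, and `ERROR(">>> DON'T accSSL for non-HTTPS client [%s]",com)` logs an expected, non-error condition at error level.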
***************
*** 828,833 ****
--- 838,849 ----
  			if( proto == 0 ){
  				proto = "http";
  			}
+ 
+  if( dp = strchr(arg,':') )
+  if( strcmp(dp+1,"443") == 0 ){
+ 	do_accSSL = 0;
+ 	ERROR(">>> DON'T accSSL for HTTPS-server [%s]",arg);
+  }
  		}
  
  		if( do_accSTLS == 2 ){
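Review bot: `if( dp = strchr(arg,':') )` assigns inside the condition; write `if( (dp = strchr(arg,':')) != NULL )` to make the intent explicit and keep compilers quiet. The passthrough decision `strcmp(dp+1,"443") == 0` is an exact string match on whatever follows the first colon, so a CONNECT target on any other TLS port (say 8443) is still treated as a client that wants this filter to terminate SSL, and a target containing more than one colon is split at the wrong place; comparing the numeric port after the last colon would be more robust, and the choice of 443 alone deserves a comment.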

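The three-way decision the patched "sslway -st/http" mode makes from a client's first request line, modelled in Python as an added example (not DeleGate's own code): non-CONNECT requests are relayed as plain HTTP, CONNECT to port 443 is passed through as a real HTTPS tunnel, and any other CONNECT is where the filter accepts SSL and gateways to plain HTTP. The `proto` parameter stands for the name after "-st/" and is an assumption of this model; the port is taken after the last colon, which generalises the patch to bracketed IPv6 literals.

```python
import re
from typing import Optional

# Added example, not DeleGate's code: models the decision "sslway -st/http"
# makes from the first line a client sends (see the patch in this message).
CONNECT_RE = re.compile(r"^CONNECT\s+(\S+)", re.IGNORECASE)


def classify_first_line(line: str, proto: Optional[str] = "http") -> str:
    """Decide how the filter treats a new client connection.

    proto is the protocol name given after "-st/" (None for a bare "-st").
    Returns one of:
      "plain"   - not a CONNECT: relay as ordinary HTTP, do not accept SSL
      "tunnel"  - CONNECT to port 443: a real HTTPS tunnel, relay bytes as is
      "gateway" - anything else: accept SSL from the client here and speak
                  plain HTTP to the origin (the https://server:80 case)
    """
    m = CONNECT_RE.match(line)
    if m is None:
        # The patch skips SSL for non-CONNECT requests only when the protocol
        # was named explicitly ("-st/http"); a bare "-st" keeps the old
        # behaviour and tries to accept SSL on every connection.
        return "plain" if proto and proto.lower() == "http" else "gateway"
    target = m.group(1)
    # host:port of the CONNECT target; the last colon is used so that an
    # IPv6 literal such as [::1]:443 is handled (generalisation of the patch).
    _host, sep, port = target.rpartition(":")
    if sep and port == "443":
        return "tunnel"
    return "gateway"


# Constructed sample first lines, as a browser would send them to the proxy.
SAMPLE_LINES = [
    "GET http://server/path HTTP/1.0\r\n",
    "CONNECT server:443 HTTP/1.1\r\n",
    "CONNECT server:80 HTTP/1.1\r\n",
]


def decisions(lines, proto: Optional[str] = "http") -> dict:
    """Classify every sample line; a dict keyed by the stripped request line."""
    return {ln.strip(): classify_first_line(ln, proto) for ln in lines}


if __name__ == "__main__":
    for mode in ("http", None):
        print("-st" + ("/" + mode if mode else "") + ":")
        for ln, d in decisions(SAMPLE_LINES, mode).items():
            print("  %-40r -> %s" % (ln, d))
```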