Debugging HTTPS pages with Fiddler packet capture

Source: Internet
Author: User
Tags: nginx, reverse proxy

It is well known that one of the most important purposes of HTTPS is to encrypt the content of communications. So after our project team migrated the business site to HTTPS, the good days of capturing packets with Fiddler came to an end. In fact, Fiddler itself supports capturing HTTPS requests, and when the development environment does not support HTTPS, it can also forward HTTPS requests as HTTP requests. Let me walk you through it: all it takes is a little trick added to Fiddler to get it working in an HTTPS environment.

First, enable the Fiddler HTTPS capture feature

Open Fiddler, select Tools -> Fiddler Options -> HTTPS, and tick "Capture HTTPS CONNECTs" and "Decrypt HTTPS traffic". After you click "OK", Fiddler pops up a dialog asking whether you want Windows to trust the self-signed certificate generated by Fiddler; select "Yes". A few more dialog boxes follow; answer "Yes" or "OK" to each.

Once the PC browser's proxy is set to 127.0.0.1:8888 (Fiddler's default proxy), visit any HTTPS website and you will see the corresponding requests in Fiddler, almost the same as when accessing plain HTTP. What Fiddler uses here is in fact a man-in-the-middle style of deception: because the system trusts the self-signed certificate generated by Fiddler, every HTTPS request that passes through Fiddler can be "tampered" with and re-encrypted using a certificate generated by Fiddler, which is how it manages to listen in on HTTPS.

Second, install the Fiddler certificate on the mobile phone (take iOS for example)

Connect the iOS device to Fiddler using universal Wi-Fi or a similar technology, and set up the proxy server. Then open the browser and enter the gateway IP (that is, the IP address set as the proxy server, the PC's IP) followed by :8888. For example, when my phone is connected to the universal Wi-Fi, the assigned gateway IP is 127.16.0.1, so I enter http://127.16.0.1:8888 directly in Safari and the browser opens a page served by Fiddler.

Click the FiddlerRoot certificate link at the bottom of the page, and iOS opens the Install Certificate page. Tap Install in the top right corner, and iOS asks you to enter your phone's PIN. At this point, iOS may pop up a warning reminding you that the certificate you are adding cannot be verified. Ignore it and tap Install in the upper corner again to complete the installation. Once the certificate is installed, you can access HTTPS addresses directly on iOS, and all requests are transparent to Fiddler.

If you need to delete a previously added certificate, open "Settings", "General" and "Profile" on iOS, which lists the certificates installed on the phone, select "DO_NOT_TRUST_FiddlerRoot" and delete it.

Third, trick Node.js into "supporting" HTTPS directly

A fairly mainstream Node.js architecture is to run the service directly on the server on a port other than 80/443, and then use an Nginx reverse proxy to expose it externally. This way the Node.js layer does not need to deal with HTTPS or its related technical problems; all HTTPS requests are handled by Nginx. Our development environment, however, typically has no Nginx installed to handle HTTPS requests, so how do we get Node.js to support HTTPS requests there?

We know that HTTPS communication starts by sending a CONNECT request, in response to which the server returns its certificate and related information to the browser, and the browser will not trust any data sent by the server until it has this information. So what we want is for Fiddler to deceive the browser on our behalf, so that it willingly hands over the data.

Open Fiddler and find the FiddlerScript tab among the tabs on the right (if you cannot find the FiddlerScript tab, download and install it from http://www.telerik.com/download/fiddler/fiddlerscript-editor), then select "OnBeforeRequest" from the "Go to" drop-down list. You will see a lot of code here; ignore all of it and scroll straight to the end of the OnBeforeRequest method.

FiddlerScript is written in JScript.NET, a JavaScript-based language that looks a bit like a hybrid of C# and VB. In essence it is not very different from JavaScript. Interested readers can refer to the article "Fiddler (ii) SCRIPT usage".

Add the following code at the end of the OnBeforeRequest method:

    static function OnBeforeRequest(oSession: Session) {
        // ... the existing rules stay above this point ...

        // Space-separated list of hosts that Fiddler should handle for us
        var hosts = 'zkd.me develop.dog';

        FiddlerApplication.Log.LogFormat("Logger session {0}, Url: {1}, isHTTPS: {2}, port: {3}", oSession.id, oSession.fullUrl, oSession.isHTTPS, oSession.port);
        if (hosts.indexOf(oSession.host) > -1) {
            FiddlerApplication.Log.LogFormat("Capture session {0}, Url: {1}, isHTTPS: {2}, port: {3}", oSession.id, oSession.fullUrl, oSession.isHTTPS, oSession.port);

            // Answer the CONNECT ourselves instead of passing it to the real server
            if (oSession.HTTPMethodIs('CONNECT')) {
                FiddlerApplication.Log.LogString('Create fake tunnel response');
                oSession['x-replywithtunnel'] = 'FakeTunnel';
                return;
            }

            // Forward the decrypted HTTPS request to the server as plain HTTP on port 80
            if (oSession.isHTTPS) {
                FiddlerApplication.Log.LogString('Switch HTTPS to HTTP request');
                oSession.fullUrl = oSession.fullUrl.Replace("https://", "http://");
                oSession.port = 80;
            }

            FiddlerApplication.Log.LogFormat("Processed session {0}, Url: {1}, isHTTPS: {2}, port: {3}", oSession.id, oSession.fullUrl, oSession.isHTTPS, oSession.port);
        }
        FiddlerApplication.Log.LogFormat("Logger session {0}, Url: {1}, isHTTPS: {2}, port: {3}", oSession.id, oSession.fullUrl, oSession.isHTTPS, oSession.port);
    }

The domain names defined in the hosts variable are the ones for which we want Fiddler to deceive the browser on our behalf. Click "Save Script" in the upper left corner of the FiddlerScript interface; you will hear a beep, and the configuration takes effect.

The purpose of this code is as follows. When the browser sends a CONNECT request for one of the specified domain names, Fiddler directly returns a fake response: it does not let the actual server answer the CONNECT request, but answers it itself. After receiving this response, the browser is unaware that the security information did not come from the server, and happily continues to send its requests. When Fiddler receives such a request, it replaces https in the URL with http, forces the port to 80, and sends the request on to the actual server. It is easy to see the role that Fiddler plays in this process. In short, with this not-too-complicated series of tricks, Fiddler lets us debug conveniently in an HTTPS environment. Did you get all that?
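The script's `hosts.indexOf(oSession.host)` check is a substring search, so a host whose name happens to be part of the list (or an empty host) is also given the fake tunnel or sent on as cleartext HTTP. The following is an added example, plain JavaScript for Node.js and not the original author's FiddlerScript, that models the rule's decision and compares it with an exact-match allow-list; the function names and sample sessions are constructed for illustration.

```javascript
// Model of the OnBeforeRequest decision from the article, runnable in Node.js.
// Sessions are plain objects constructed for illustration: {method, host, isHTTPS}.
const HOSTS = 'zkd.me develop.dog'; // host list from the article's script (lowercased)

// Matching exactly as the article's script does it: substring search.
function matchesSubstring(host) {
  return HOSTS.indexOf(host) > -1;
}

// Stricter alternative (an assumption of this example): exact hostname match,
// case-insensitive, with any ":port" suffix stripped first.
const ALLOWED = new Set(HOSTS.split(/\s+/).filter(Boolean));
function matchesExact(host) {
  const name = String(host).toLowerCase().replace(/:\d+$/, '');
  return ALLOWED.has(name);
}

// Returns what the rule would do with a session, given a matcher.
function decide(session, matches) {
  if (!matches(session.host)) return 'pass-through';
  if (session.method === 'CONNECT') return 'fake-tunnel';
  if (session.isHTTPS) return 'downgrade-to-http:80';
  return 'pass-through';
}

// Constructed sample sessions.
const samples = [
  { method: 'CONNECT', host: 'zkd.me',      isHTTPS: false },
  { method: 'GET',     host: 'develop.dog', isHTTPS: true  },
  { method: 'GET',     host: 'd.me',        isHTTPS: true  }, // unrelated host, substring of "zkd.me"
  { method: 'CONNECT', host: '',            isHTTPS: false }, // empty host matches any string
  { method: 'GET',     host: 'example.com', isHTTPS: true  },
];

// Side-by-side result of both matchers for every sample session.
function compare() {
  return samples.map(s => ({
    host: s.host,
    substring: decide(s, matchesSubstring),
    exact: decide(s, matchesExact),
  }));
}

console.table(compare());
```

In FiddlerScript itself, the same exact-match idea can be expressed by comparing the session's hostname against each list entry instead of calling `indexOf` on the whole string.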
