Principle and implementation of HTTP Proxy (II.)

Source: Internet
Author: User
Tags: openssl

In the previous article, "Principle and implementation of HTTP Proxy (I)", I introduced the two forms of HTTP proxy and implemented a usable normal/tunneling proxy in Node.js. A normal proxy can carry HTTP traffic, while a tunneling proxy can carry arbitrary TCP traffic, including HTTP and HTTPS. This article covers the remaining part: how to upgrade the traffic between the browser and the proxy to HTTPS.

The proxy implemented in the previous article is a standard HTTP service that handles the browser's normal requests and its CONNECT requests differently. Node.js provides highly consistent interfaces for creating HTTP and HTTPS servers, so upgrading an HTTP service to HTTPS is particularly convenient; only a little preparation is needed.

We know that TLS provides three main features: content encryption, identity authentication, and data integrity. Content encryption relies on the key negotiation mechanism, data integrity relies on the MAC (Message Authentication Code) verification mechanism, and identity authentication relies on the certificate mechanism. An operating system or browser generally maintains a list of trusted root certificates; a certificate that is in that list, or that was issued by a certificate in that list, is trusted by the client.

A certificate for an HTTPS service can be built by yourself and then manually added to the system's trusted root certificate list. However, you cannot require every user to import your certificate by hand, so it is more common for a site that provides HTTPS services to apply to a CA (Certificate Authority). Depending on the level of the certificate, the CA performs different levels of verification; once verification passes, the CA uses its own certificate to issue the site certificate, and this process is usually paid (free certificates exist too, and the recently launched free Let's Encrypt is very popular, but it is not covered here). Because the certificates used by CAs are issued by root certificates that are widely built into every system, a site certificate obtained from a CA is trusted by the vast majority of clients.

Applying for a certificate from a CA is simple, but for the demonstration this article takes the lazy route and issues its own certificate. The widely used certificate format today is X.509 v3, and you can create one with the following commands:

```shell
openssl genrsa -out private.pem 2048
openssl req -new -x509 -key private.pem -out public.crt -days 99999
```

After the second command runs, you need to fill in some certificate information. Note that Common Name must be the domain name or IP that will later provide the HTTPS service; for example, if you intend to test locally, Common Name can be 127.0.0.1. After the certificate is created, add public.crt to the system's trusted root certificate list. To make sure it was added successfully, you can check it in the browser:


Then modify the Node.js code from the previous article; there is not much to change:

```js
var http = require('http');
var https = require('https');
var fs = require('fs');
var net = require('net');
var url = require('url');

// Normal proxy: forward the browser's plain HTTP request to the origin server.
function request(cReq, cRes) {
    var u = url.parse(cReq.url);

    var options = {
        hostname : u.hostname,
        port     : u.port || 80,   // absolute URLs may omit the port
        path     : u.path,
        method   : cReq.method,
        headers  : cReq.headers
    };

    var pReq = http.request(options, function(pRes) {
        cRes.writeHead(pRes.statusCode, pRes.headers);
        pRes.pipe(cRes);
    }).on('error', function(e) {
        cRes.end();
    });

    cReq.pipe(pReq);
}

// Tunneling proxy: on CONNECT, open a raw TCP connection to host:port and
// pipe bytes in both directions without looking at them.
function connect(cReq, cSock) {
    var u = url.parse('http://' + cReq.url);

    var pSock = net.connect(u.port || 443, u.hostname, function() {
        cSock.write('HTTP/1.1 200 Connection Established\r\n\r\n');
        pSock.pipe(cSock);
    }).on('error', function(e) {
        cSock.end();
    });

    cSock.pipe(pSock);
}

// The only real change: serve the proxy itself over TLS with our certificate.
var options = {
    key  : fs.readFileSync('./private.pem'),
    cert : fs.readFileSync('./public.crt')
};

https.createServer(options)
    .on('request', request)
    .on('connect', connect)
    .listen(8888, '0.0.0.0');
```

As you can see, apart from replacing http.createServer with https.createServer and adding the certificate-related configuration, the code is unchanged. That is the beauty of introducing the TLS layer: the application layer needs no changes to gain a large set of security features.

After the service is running, you only need to set the browser's proxy to HTTPS 127.0.0.1:8888 and use it as usual. This change only upgrades the traffic between the browser and the proxy to HTTPS; the proxy's own logic and the way it communicates with the origin server are unchanged.

Finally, here is a short piece of Node.js code to verify this HTTPS proxy service:

```js
var https = require('https');

// CONNECT through the HTTPS proxy to imququ.com:80
var options = {
    hostname : '127.0.0.1',
    port     : 8888,
    path     : 'imququ.com:80',
    method   : 'CONNECT'
};

// Disable certificate validation, otherwise the self-signed certificate
// cannot establish a TLS connection. This applies to every TLS connection in
// the process; the `ca` option of https.request is the narrower alternative.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

var req = https.request(options);

req.on('connect', function(res, socket) {
    // Tunnel is up: speak plain HTTP to the origin through the socket.
    socket.write('GET / HTTP/1.1\r\n' +
                 'Host: imququ.com\r\n' +
                 'Connection: close\r\n' +
                 '\r\n');

    socket.on('data', function(chunk) {
        console.log(chunk.toString());
    });

    socket.on('end', function() {
        console.log('socket end.');
    });
});

req.end();
```

The only difference from the code at the end of the previous article is that http.request is replaced by https.request; the output is exactly the same, so it is not shown here. All the code in this article can be obtained from this repository: Proxy-demo.
