
Comments (12)

michivip commented on August 15, 2024

I would really like to contribute to this project because I do already use it for my own applications - implementing HTTPS would be a great feature.

Do you want to generate the keypair dynamically or should the user provide them?

from ergo.

cristianoliveira commented on August 15, 2024

Hey @michivip I am glad you use ergo :)

I was thinking of providing the keypairs within the binary, to make it easy to install. I accept suggestions also.


michivip commented on August 15, 2024

Hello @cristianoliveira ,

thanks for your fast answer!

If I got you right the user can enable HTTPS in the configuration file. If so, the self-signed certificate will be used to provide a secure HTTPS connection.

If something is wrong with my understanding please correct me. Otherwise I will implement the feature in the following days.


cristianoliveira commented on August 15, 2024

@michivip I think as a first implementation it can be a flag passed into it. It would be nice if we could manage to provide both. I think it is just a matter of binding both ports 2000 (default) and 443.


michivip commented on August 15, 2024

As described in this Stack Overflow answer it is not allowed to proxy HTTPS through a PAC file. Therefore I do not think that implementing this feature is possible.

If I got you wrong please tell me.


adiclepcea commented on August 15, 2024

@cristianoliveira, @michivip If you look into the comments you see that they say it is possible to use proxy for https connections (using CONNECT).
The issue I see however is:
Do you mean that the proxy should have an address like https://127.0.0.1:2453 for example? If so, then, although I'm not sure, I believe that the browser (or any other client for that matter) should trust the proxy.

To do that, you should add the key you use in the proxy as a trusted key (certificate) to the system, or tell each client that the certificate is trusted. This would mean that the setup scripts should also be modified. Also, adding a self-signed key is not the recommended approach. It is good for testing, but not for production.
To avoid this you should use an externally verified certificate (see Verisign, Comodo etc.).
Adding the key into the code is also impractical, as this would expose the private key to everyone having access to the code. It defeats the purpose.
So you would need a small script to generate a key-pair or to optionally use an existing one.
I do believe this is a good feature, but we should consider the target audience of this proxy.

Please correct me if I'm wrong or I misunderstood the issue.

If you still want to continue this, perhaps this would help you: goservervclienttls (shameless brag).

Please observe that in both examples provided by @cristianoliveira and myself, both the client and the server need access to a certificate authority (in these cases ca.crt). If you do not want to use a verified certificate, but a self-signed one, then you have to provide the authority to the user of the proxy.

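The two points raised in the comment above (generate the key pair at run time instead of shipping a private key in the code, and give clients the CA certificate so they can trust the proxy) can be shown in Go, the language of the tutorials linked in this thread. This is an added example, not code from ergo or from any commenter; the `issue` helper, the certificate names, RSA-2048, the 90-day lifetime and the time-based serial number are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key at run time (none ships in the binary): a CA if parent is nil, else a localhost leaf.
func issue(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (cert *x509.Certificate, key *rsa.PrivateKey, err error) {
	if key, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // assumed serial scheme
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // the root signs itself
	} else { // leaf: TLS server use for localhost only
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"localhost"}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	return cert, key, err
}

func main() {
	ca, caKey, _ := issue("ergo dev CA (constructed name)", nil, nil)
	leaf, _, _ := issue("localhost", ca, caKey)
	roots := x509.NewCertPool() // a client that was not given the CA certificate
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "localhost", Roots: roots})
	fmt.Println("CA not installed:", err)
	roots.AddCert(ca) // only the certificate is handed out, never caKey
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: "localhost", Roots: roots})
	fmt.Println("CA installed:", err)
}
```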

cristianoliveira commented on August 15, 2024

There is this method of implementation also: https://goenning.net/2017/11/08/free-and-automated-ssl-certificates-with-go/

It looks quite simple


adiclepcea commented on August 15, 2024

Yes. It seems to fit the bill. It does use recognized certificates, so it should be ok.


michivip commented on August 15, 2024

In the tutorial of @cristianoliveira using Let's Encrypt it says that you need your server to be publicly available. Therefore I think that this is not affordable for ergo because it is bound to the local host system. If I understood something wrong, please tell me.


adiclepcea commented on August 15, 2024

@michivip The tutorial mentions that the server needs to be publicly available only because that is the main purpose of a web server. Otherwise you cannot reach it through DNS.
However, ergo can take advantage of the techniques explained there as long as there is an internet connection on the machine it is running on. The connection can be while ergo is in a NAT, behind a firewall, and perhaps even over a proxy.
The certificates in the tutorial are used to serve web pages over https. We would need them only to certify that our proxy (ergo) is who it says it is.


gnutix commented on August 15, 2024

Any chance this issue might get some love? This tool is awesome, but all the projects I'm working on are using HTTPS. :(


cristianoliveira commented on August 15, 2024

Hey @gnutix I'm sorry for that.
I usually don't need to test locally with HTTPS, that's why this missing feature didn't get much attention :(

I still want to do it just for the sake of learning. We tried to leave all the research in this PR on how to implement it. Contributions are welcome! 😄

