wuchangming / https-mitm-proxy-handbook
Principles and implementation of an HTTPS MITM (man-in-the-middle) proxy based on Node.js
License: MIT License
Hello, I tried running the chapter4 code and ran into the following error. What is going on?
CONNECT v10.events.data.microsoft.com:443
_tls_common.js:61
throw new ERR_INVALID_ARG_TYPE(
^
TypeError [ERR_INVALID_ARG_TYPE]: The "options.cert" property must be one of type string, Buffer, TypedArray, or DataView. Received type object
at validateKeyCert (_tls_common.js:61:11)
at Object.createSecureContext (_tls_common.js:122:7)
at Server (_tls_wrap.js:867:27)
at new Server (https.js:62:14)
at createFakeHttpsWebSite (C:\Users\Administrator\Desktop\code\https-mitm-proxy-handbook\code\chapter4\createFakeHttpsWebSite.js:41:22)
at Server.httpTunnel.on (C:\Users\Administrator\Desktop\code\https-mitm-proxy-handbook\code\chapter4\simpleHttpsProxy.js:34:3)
at Server.emit (events.js:182:13)
at onParserExecuteCommon (_http_server.js:535:14)
at onParserExecute (_http_server.js:482:3)
I added a print statement at line 44, but nothing was printed.
SNICallback: (hostname, done) => {
console.log(123)
let certObj = createFakeCertificateByDomain(caKey, caCert, hostname)
console.log(certObj);
I am running this on Windows.
$ node -v
v10.8.0
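The Chapter4 code only returns a forged response body. How can I get the response HTML from the real requested address?
If possible, I would appreciate some guidance. Thank you very much.
One more question: why is the certificate generated again inside the SNICallback callback? Can't the fakeCertObj certificate from above be used directly?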
var fakeServer = new https.Server({
  key: fakeCertObj.key,
  cert: fakeCertObj.cert,
  SNICallback: (hostname, cback) => {
    let certObj = createFakeCertificateByDomain(caKey, caCert, hostname);
    cback(null, tls.createSecureContext({
      key: pki.privateKeyToPem(certObj.key),
      cert: pki.certificateToPem(certObj.cert)
    }));
  }
});
https-mitm-proxy-handbook/doc/Chapter3.md
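Could you add an OpenSSL demo? Correct and complete examples are rare online. Thanks!
Since proxyRes.pipe(res) is already used, why is res.writeHead(proxyRes.statusCode); still added before it?
It would be good to cache the created certificates in files; that would be more efficient.
Thanks to the author. Using chapter1, chapter2, chapter2 and chapter4, I have already built an HTTPS packet capture tool.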
var fakeServer = new https.Server({
  key: fakeCertObj.key,
  cert: fakeCertObj.cert,
  // Is this code unnecessary? Removing it doesn't seem to cause any problems
  SNICallback: (hostname, done) => {
    let certObj = createFakeCertificateByDomain(caKey, caCert, hostname)
    done(null, tls.createSecureContext({
      key: pki.privateKeyToPem(certObj.key),
      cert: pki.certificateToPem(certObj.cert)
    }))
  }
});
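Chapter 2 runs fine, but in Chapter 4 the requests don't seem to be sent??
I started Chapter4 and there are connection requests, but this fakeServer.on('request' doesn't seem to react at all: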
fakeServer.on('request', (req, res) => {
  // Parse the client request
  var urlObject = url.parse(req.url);
  let options = {
    protocol: 'https:',
    hostname: req.headers.host.split(':')[0],
    method: req.method,
    port: req.headers.host.split(':')[1] || 80,
    path: urlObject.path,
    headers: req.headers
  };
  res.writeHead(200, { 'Content-Type': 'text/html;charset=utf-8'});
  res.write(`<html><body>我是伪造的: ${options.protocol}//${options.hostname} 站点</body></html>`)
  res.end();
  console.log(req.headers);
});
fakeServer.on('error', (e) => {
  console.error(e);
});
简易HTTPS中间人代理启动成功,端口:6789
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT stupad.okjiaoyu.cn:443
CONNECT stupad.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
CONNECT logreport.okjiaoyu.cn:443
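The code has already started an https server with the key and cert for the current server name; simply call listen to bind a port and return.
SNICallback exists mainly to support virtual hosting: it lets a single IP deploy multiple certificates at once, one per servername.
If the man-in-the-middle listens on one fixed port, SNICallback can be used, with the certificate logic for the different domains handled inside the callback. The benefit is that the man-in-the-middle server only needs to bind a single port.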
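An added example, not part of this thread or of the repository's code: the single-port SNICallback approach described above, combined with an in-memory variant of the certificate caching suggested earlier in the thread. `createSniCallback`, `issuePem`, `maxEntries` and the hostname check are names and assumptions introduced here; the cache is bounded and the name validated because the SNI value is chosen by the client.

```javascript
const tls = require('tls');

// The SNI name is chosen by the client, so validate it before using it as a
// cache key or handing it to the certificate generator.
const HOSTNAME_RE =
  /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// issuePem(host) must return { key, cert } as PEM strings or Buffers; tls
// rejects other object types with ERR_INVALID_ARG_TYPE. With the helpers
// quoted in this thread it could be:
//   host => {
//     const c = createFakeCertificateByDomain(caKey, caCert, host);
//     return { key: pki.privateKeyToPem(c.key), cert: pki.certificateToPem(c.cert) };
//   }
function createSniCallback(issuePem, opts = {}) {
  const { maxEntries = 500, createContext = tls.createSecureContext } = opts;
  const cache = new Map(); // Map keeps insertion order, used here as LRU order

  const sniCallback = (servername, done) => {
    const host = String(servername || '').toLowerCase();
    if (!HOSTNAME_RE.test(host)) return done(new Error('invalid SNI name'));

    let ctx = cache.get(host);
    if (ctx) {
      cache.delete(host); // re-inserted below as most recently used
    } else {
      try {
        const { key, cert } = issuePem(host); // one certificate per hostname
        ctx = createContext({ key, cert });
      } catch (err) {
        return done(err);
      }
      // Bound memory: drop the least recently used hostname when full.
      if (cache.size >= maxEntries) cache.delete(cache.keys().next().value);
    }
    cache.set(host, ctx);
    done(null, ctx);
  };
  sniCallback.cache = cache; // exposed for inspection
  return sniCallback;
}
```

The returned function is passed as the `SNICallback` option of `https.Server`, so each hostname's certificate is generated once and reused on later connections.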
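Why is createFakeHttpsWebSite needed?
When sending an HTTPS request, the browser checks whether the certificate matches the domain name.
So a fake server has to be created, and the domain in the certificate it uses is the domain being proxied?
Take a proxy that supports intercepting https, for example.
When I request a.com, a fake https server is created whose certificate is for the domain a.com.
Then this fake https server does some processing and returns a response to the browser? Is that how https interception is achieved?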