Article delegate-en/3748 of [1-5169] on the server localhost:119
[Reference:<_A3747@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: passing original url as parameter for redirected webpage
02 Jun 2007 02:19:24 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A3747@delegate-en.ML_> on 06/02/07(05:45:15)
you "Robert van Leiden" <ptyhabdyi-pswtoc72mstr.ml@ml.delegate.org> wrote:
 |Unfortunately the "Security alert" dialog pops up when the browser
 |detects the mitm delegate does not have the right certificate for the
 |requested https site. Because the requested https site can be quite
 |random it would be hard to produce a valid certificate. I (think I)
 |understand why this is -by design- and inherent to security.

Of course.
Any trial to peep the content of the communication encrypted by SSL
MUST be detected by the client as the Man-In-The-Middle attack (MITM).
Otherwise we can trust SSL to be secure.

 |But having such a prompt will produce questions for users, so it would
 |be desired to prevent the dialog box. Another approach to reach my
 |goal is not using the "moved" parameter for the MOUNT. In case of http
 |I could then directly direct the request to the webserver where I
 |could get the original url by using the "location.href" property.

I don't understand your goal.  Even if DeleGate forwards an HTTPS/SSL
request without doing MITM, to another (proxy) server (which is not
the target server and) which will do MITM, anyway it MUST be detected
by the client as a MITM and warned with "Security alert".

Without being detected as a MITM, no one except the target HTTPS/SSL server
can see any content of request and response on it, including the
"original url".

 |For http this works fine, but for https the redirection fails
 |(probably due to the CONNECT instead of the GET).
 |Do you have any idea how to redirect the https requests to the website
 |in the same way as the http requests?

The "GET" method is a part of the content to be encrypted and must not be peeped.
HTTPS/SSL can be forwarded by a proxy (SSL tunnel) which is given only
circuit level information about the target server (host and port in
CONNECT).  The proxy relays the connection but does not know what is
relayed (HTTP messages encrypted in SSL) on it.

DeleGate can forward a CONNECT request for HTTPS/SSL to another proxy as
follows (and without STLS=mitm option):

  SSLTUNNEL=proxyhost:proxyport:https

but it will not be useful for you if you need to peep (and rewrite) the
content of HTTPS/SSL.

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

In message <_A3742@delegate-en.ML_> on 05/31/07(07:07:48)
you "Robert van Leiden" <ptyhabdyi-pswtoc72mstr.ml@ml.delegate.org> wrote:
 |- Delegate should forward the original url (full path!) as parameter
 |to a redirected web page. (In this web page further processing takes
 |place based on the parameter (url) supplied)
 |(e.g. redirect to
 |http://webserver.mysite.com:8081/ProcessURL.asp?<original URL>)
 |
 |I've managed to implement this for http requests using the following commands:
 |-----------------------------
 |ADMIN=a@b..
 |-P8080
 |SERVER=http
 |MOUNT=* http://webserver.mysite.com:8081/ProcessURL.asp?* moved
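To make concrete why a "moved" MOUNT cannot pass on the original URL of an HTTPS request, here is an added Python example (not DeleGate's code) of what a CONNECT tunnel proxy actually observes: it parses the CONNECT line for host and port, then relays bytes in both directions without reading them. The socketpair-based `tunnel_demo` and its TLS-record-shaped sample bytes are constructed so the example runs offline.

```python
import selectors
import socket
import threading

def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request, or None for any other
    method.  For HTTPS this line is all a tunnelling proxy ever learns."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("malformed CONNECT authority: %r" % parts[1])
    return host, int(port)

def relay(client: socket.socket, upstream: socket.socket) -> dict:
    """Copy bytes both ways until one side closes, as an SSL tunnel does.
    Bytes are counted per direction but never parsed or rewritten."""
    peer = {client: upstream, upstream: client}
    label = {client: "client_to_server", upstream: "server_to_client"}
    counts = {"client_to_server": 0, "server_to_client": 0}
    with selectors.DefaultSelector() as sel:
        for sock in peer:
            sel.register(sock, selectors.EVENT_READ)
        while True:
            for key, _ in sel.select():
                data = key.fileobj.recv(65536)
                if not data:  # one side hung up: propagate EOF and stop
                    peer[key.fileobj].shutdown(socket.SHUT_WR)
                    return counts
                peer[key.fileobj].sendall(data)
                counts[label[key.fileobj]] += len(data)

def tunnel_demo() -> dict:
    """Offline stand-in for a CONNECT session: two socketpairs play the
    browser<->proxy and proxy<->server legs with constructed sample bytes."""
    browser, proxy_in = socket.socketpair()
    proxy_out, server = socket.socketpair()
    observed = {}
    worker = threading.Thread(target=lambda: observed.update(relay(proxy_in, proxy_out)))
    worker.start()
    browser.sendall(b"\x16\x03\x01" + b"client-hello")  # constructed, 15 bytes
    observed["server_got"] = server.recv(4096)
    server.sendall(b"\x16\x03\x03" + b"server-hello-and-certificate")  # 31 bytes
    observed["browser_got"] = browser.recv(4096)
    browser.close()  # browser ends the session; the tunnel must shut down too
    worker.join(5)
    observed["server_saw_eof"] = server.recv(1) == b""
    server.close(); proxy_in.close(); proxy_out.close()
    return observed
```

The proxy's only log-worthy data for an HTTPS session is the host:port pair from `parse_connect`; everything `relay` moves is ciphertext, which is exactly why rewriting it requires MITM and triggers the browser's certificate warning.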
