
I am setting up a proxy server for specific sites using a DNS server, and I am seeking guidance on handling HTTPS traffic. Here's a brief overview of my setup and the challenges I'm facing:

Objective: Create a proxy server that directs clients to view Google.com through the proxy while allowing direct access to Yahoo.com. To achieve this, I have configured my DNS server to resolve Yahoo.com to its true IP address and Google.com to my proxy server's IP address (e.g., 192.168.1.1).

Current Configuration:

DNS Server: Resolves Yahoo.com to its actual IP and Google.com to my proxy server's IP.

Proxy Server (Nginx): Successfully configured as a reverse proxy for HTTP.

Challenges: I have encountered difficulties handling HTTPS traffic through my proxy server. While I can efficiently manage HTTP requests using Nginx as a reverse proxy, I am unsure about the appropriate approach for HTTPS traffic.

Questions:

  • How can I extend my current Nginx configuration to effectively handle HTTPS requests through the proxy server?

  • Are there any security considerations or best practices I should be aware of when intercepting and proxying HTTPS traffic in this manner?

I would appreciate insights, guidance, or recommendations from the community to help overcome this challenge. Thank you in advance for your time and assistance.

Best regards

  • What problem are you actually trying to solve here?
    – hardillb
    20 hours ago
  • 1
    Rather than setting up a transparent/reverse proxy and messing about with DNS & TLS , set up a regular forward proxy (with authentication) and configure your clients with for example a PAC file to select for which URL they will use the proxy or not.
    – HBruijn
    19 hours ago

2 Answers


You can't proxy HTTPS sites like this unless you can create your own trusted certificates for the site you are proxying.

This will require putting your own CA certificate on ALL the clients that will use the proxy.

This also assumes that the clients don't have any sort of certificate pinning enabled (iirc Chrome used to do certificate pinning for google.com, not sure if it still does).

This is basically a man in the middle attack and the sort of thing HTTPS is designed to prevent.

  • Thanks for the answer, I found a service that I need to run for myself:
    nslookup analytics.google.com 178.22.122.100
    Server: free.shecan.ir
    Address: 178.22.122.100
    Non-authoritative answer:
    Name: analytics.google.com
    Address: 204.12.192.221
    The SSL certificate is valid and it's the same as the original one.
    20 hours ago

At last I found a solution.

https://github.com/dlundquist/sniproxy

SNI Proxy

Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine.

Features

  • Name-based proxying of HTTPS without decrypting traffic. No keys or certificates required.
  • Supports both TLS and HTTP protocols.
  • Supports IPv4, IPv6 and Unix domain sockets for both back end servers and listeners.
  • Supports multiple listening sockets per instance.
  • Supports HAProxy proxy protocol to propagate original source address to backend servers.
  • You can also set up an nginx stream proxy. 1 hour ago
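The hostname-based routing that sniproxy and nginx's stream module perform, as an added Python example (not code from the original answer, the sniproxy project, or nginx): it constructs a sample TLS ClientHello, pulls the host name out of the SNI extension without touching the encrypted payload, and picks a backend from an allow-list. The route table, the backend address (a documentation-range IP) and the function names are assumptions made for this example.

```python
import struct
from typing import Dict, Optional, Tuple

# Constructed route table (example only): SNI host name -> backend to forward to.
# The address is from the TEST-NET-3 documentation range, not a real host.
ROUTES: Dict[str, Tuple[str, int]] = {
    "google.com": ("203.0.113.10", 443),
}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension.

    Constructed sample input for this example, not a packet capture."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    ext_other = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"      # supported_versions, opaque here
    extensions = ext_other + ext_sni                                  # SNI deliberately not first
    body = (
        b"\x03\x03"                                   # client_version (TLS 1.2 wire value)
        + b"\x00" * 32                                # random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # type=client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None.

    None means no routing decision is possible: not a TLS handshake record,
    a truncated record, or a ClientHello without SNI. Every length field is
    bounds-checked so a malformed hello cannot raise an exception."""
    if len(data) < 5 or data[0] != 0x16:                    # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4 or hs[0] != 0x01:   # truncated, or not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) < hs_len or len(p) < 35:
        return None
    i = 34                                           # skip client_version + random
    i += 1 + p[i]                                    # session_id
    if i + 2 > len(p):
        return None
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]      # cipher_suites
    if i + 1 > len(p):
        return None
    i += 1 + p[i]                                    # compression_methods
    if i + 2 > len(p):                               # no extensions block at all
        return None
    ext_len = struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    end = i + ext_len
    if end > len(p):
        return None
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        i += 4
        if i + elen > end:                           # extension claims more bytes than present
            return None
        edata = p[i:i + elen]
        i += elen
        if etype != 0x0000 or len(edata) < 2:        # step over everything that is not SNI
            continue
        list_end = min(2 + struct.unpack("!H", edata[:2])[0], len(edata))
        j = 2
        while j + 3 <= list_end:
            ntype = edata[j]
            nlen = struct.unpack("!H", edata[j + 1:j + 3])[0]
            j += 3
            host = edata[j:j + nlen]
            j += nlen
            if ntype == 0 and len(host) == nlen:     # name_type 0 = host_name
                try:
                    return host.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def choose_backend(client_hello: bytes,
                   routes: Dict[str, Tuple[str, int]]) -> Optional[Tuple[str, int]]:
    """Map the hello's SNI to a backend; None means the proxy should close the connection.

    Only listed names (or their subdomains) are forwarded, so the proxy cannot be
    used as a relay to arbitrary hosts."""
    name = extract_sni(client_hello)
    if name is None:
        return None
    labels = name.lower().rstrip(".").split(".")
    for k in range(len(labels)):                     # www.google.com, google.com, com
        parent = ".".join(labels[k:])
        if parent in routes:
            return routes[parent]
    return None
```

The proxy only ever reads the cleartext host name from the first record and then relays bytes unchanged, so it needs no certificate or key and cannot inspect or alter the session, which is what distinguishes this from the CA-based interception the first answer describes. Clients that send no SNI (or that hide it with Encrypted Client Hello) yield None, and the safe handling is to close the connection rather than fall through to a default upstream. In nginx the same decision is made in a stream block with ssl_preread on and a map over $ssl_preread_server_name that selects the proxy_pass target.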
