第四节:一个简易的HTTPS代理

结合前3节的内容,下面实现一个简易的HTTPS代理。

在第二节了解了一个HTTPS请求的代理过程,在建立链接的第一步是一个HTTP CONNECT请求,在这一步可以获得客户端请求目标网站的域名(这么说不是很准确,具体可看看SNI)。用预先安装好的CA证书和密钥,生成对应域名的子证书。这个过程其实就是一个HTTPS代理的核心步骤。

获取https所请求的域名

  2. const http = require('http');
  3. const url = require('url');
  4. const net = require('net');
  5. const createFakeHttpsWebSite = require('./createFakeHttpsWebSite')
  7. let httpTunnel = new http.Server();
  8. // 启动端口
  9. let port = 6789;
  11. httpTunnel.listen(port, () => {
  12.     console.log(`简易HTTPS中间人代理启动成功,端口:${port}`);
  13. });
  15. httpTunnel.on('error', (e) => {
  16.     if (e.code == 'EADDRINUSE') {
  17.         console.error('HTTP中间人代理启动失败!!');
  18.         console.error(`端口:${port},已被占用。`);
  19.     } else {
  20.         console.error(e);
  21.     }
  22. });
  24. // https的请求通过http隧道方式转发
  25. httpTunnel.on('connect', (req, cltSocket, head) => {
  26.   // connect to an origin server
  27.   var srvUrl = url.parse(`http://${req.url}`);
  29.   console.log(`CONNECT ${srvUrl.hostname}:${srvUrl.port}`);
  31.   // 根据域名生成对应的https服务
  32.   createFakeHttpsWebSite(srvUrl.hostname, (port) => {
  33.       var srvSocket = net.connect(port, '127.0.0.1', () => {
  35.         cltSocket.write('HTTP/1.1 200 Connection Established\r\n' +
  36.                         'Proxy-agent: MITM-proxy\r\n' +
  37.                         '\r\n');
  38.         srvSocket.write(head);
  39.         srvSocket.pipe(cltSocket);
  40.         cltSocket.pipe(srvSocket);
  41.       });
  42.       srvSocket.on('error', (e) => {
  43.           console.error(e);
  44.       });
  45.   })
  46. });

伪造一个https服务站点

  1. /**
  2.  * 根据域名生成一个伪造的https服务
  3.  * @param  {[type]} domain     [description]
  4.  * @param  {[type]} successFun [description]
  5.  * @return {[type]}            [description]
  6.  */
  7. function createFakeHttpsWebSite(domain, successFun) {
  9.     const fakeCertObj = createFakeCertificateByDomain(caKey, caCert, domain)
  10.     var fakeServer = new https.Server({
  11.         key: fakeCertObj.key,
  12.         cert: fakeCertObj.cert,
  13.         SNICallback: (hostname, done) => {
  14.             let certObj = createFakeCertificateByDomain(caKey, caCert, hostname)
  15.             done(null, tls.createSecureContext({
  16.                 key: pki.privateKeyToPem(certObj.key),
  17.                 cert: pki.certificateToPem(certObj.cert)
  18.             }))
  19.         }
  20.     });
  22.     fakeServer.listen(0, () => {
  23.         var address = fakeServer.address();
  24.         successFun(address.port);
  25.     });
  26.     fakeServer.on('request', (req, res) => {
  28.         // 解析客户端请求
  29.         var urlObject = url.parse(req.url);
  30.         let options =  {
  31.             protocol: 'https:',
  32.             hostname: req.headers.host.split(':')[0],
  33.             method: req.method,
  34.             port: req.headers.host.split(':')[1] || 80,
  35.             path: urlObject.path,
  36.             headers: req.headers
  37.         };
  38.         res.writeHead(200, { 'Content-Type': 'text/html;charset=utf-8'});
  39.         res.write(`<html><body>我是伪造的: ${options.protocol}//${options.hostname} 站点</body></html>`)
  40.         res.end();
  41.     });
  42.     fakeServer.on('error', (e) => {
  43.         console.error(e);
  44.     });
  46. }
  48. /**
  49.  * 根据所给域名生成对应证书
  50.  * @param  {[type]} caKey  [description]
  51.  * @param  {[type]} caCert [description]
  52.  * @param  {[type]} domain [description]
  53.  * @return {[type]}        [description]
  54.  */
  55. function createFakeCertificateByDomain(caKey, caCert, domain) {
  56.     var keys = pki.rsa.generateKeyPair(2046);
  57.     var cert = pki.createCertificate();
  58.     cert.publicKey = keys.publicKey;
  60.     cert.serialNumber = (new Date()).getTime()+'';
  61.     cert.validity.notBefore = new Date();
  62.     cert.validity.notBefore.setFullYear(cert.validity.notBefore.getFullYear() - 1);
  63.     cert.validity.notAfter = new Date();
  64.     cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 1);
  65.     var attrs = [{
  66.       name: 'commonName',
  67.       value: domain
  68.     }, {
  69.       name: 'countryName',
  70.       value: 'CN'
  71.     }, {
  72.       shortName: 'ST',
  73.       value: 'GuangDong'
  74.     }, {
  75.       name: 'localityName',
  76.       value: 'ShengZhen'
  77.     }, {
  78.       name: 'organizationName',
  79.       value: 'https-mitm-proxy-handbook'
  80.     }, {
  81.       shortName: 'OU',
  82.       value: 'https://github.com/wuchangming/https-mitm-proxy-handbook'
  83.     }];
  85.     cert.setIssuer(caCert.subject.attributes);
  86.     cert.setSubject(attrs);
  88.     cert.setExtensions([{
  89.         name: 'basicConstraints',
  90.         critical: true,
  91.         cA: false
  92.     },
  93.     {
  94.         name: 'keyUsage',
  95.         critical: true,
  96.         digitalSignature: true,
  97.         contentCommitment: true,
  98.         keyEncipherment: true,
  99.         dataEncipherment: true,
  100.         keyAgreement: true,
  101.         keyCertSign: true,
  102.         cRLSign: true,
  103.         encipherOnly: true,
  104.         decipherOnly: true
  105.     },
  106.     {
  107.         name: 'subjectAltName',
  108.         altNames: [{
  109.           type: 2,
  110.           value: domain
  111.         }]
  112.     },
  113.     {
  114.         name: 'subjectKeyIdentifier'
  115.     },
  116.     {
  117.         name: 'extKeyUsage',
  118.         serverAuth: true,
  119.         clientAuth: true,
  120.         codeSigning: true,
  121.         emailProtection: true,
  122.         timeStamping: true
  123.     },
  124.     {
  125.         name:'authorityKeyIdentifier'
  126.     }]);
  127.     cert.sign(caKey, forge.md.sha256.create());
  129.     return {
  130.         key: keys.privateKey,
  131.         cert: cert
  132.     };
  133. }

完整源码:[../code/chapter4]

npm script运行方式

  1. npm run simpleHttpsProxy

这样一个简易的HTTPS代理就完成了。
第四节:一个简易的HTTPS代理 - 图1

第五节:总结