Pros and cons of using a Http proxy v/s https prox

2019-02-07 02:38发布

问题:

The JVM allows proxy properties http.proxyHost and http.proxyPort for specifying a HTTP proxy server and https.proxyHost and https.proxyPort for specifying a HTTPS proxy server .

I was wondering whether there are any advantages of using a HTTPS proxy server compared to a HTTP proxy server ?

Is accessing a https url via a HTTPS proxy less cumbersome than accesing it from a HTTP proxy ?

回答1:

HTTP proxy gets a plain-text request and [in most but not all cases] sends a different HTTP request to the remote server, then returns information to the client.

HTTPS proxy is a relayer, which receives special HTTP request (CONNECT verb) and builds an opaque tunnel to the destination server (which is not necessarily even an HTTPS server). Then the client sends SSL/TLS request to the server and they continue with SSL handshake and then with HTTPS (if requested).

As you see, these are two completely different proxy types with different behavior and different design goals. HTTPS proxy can't cache anything as it doesn't see the request sent to the server. With HTTPS proxy you have a channel to the server and the client receives and validates server's certificate (and optionally vice versa). HTTP proxy, on the other hand, sees and has control over the request it received from the client.

While HTTPS request can be sent via HTTP proxy, this is almost never done because in this scenario the proxy will validate server's certificate, but the client will be able to receive and validate only proxy's certificate, and as name in the proxy's certificate will not match the address the socket connected to, in most cases an alert will be given and SSL handshake won't succeed (I am not going into details of how to try to address this).

Finally, as HTTP proxy can look into the request, this invalidates the idea of security provided by HTTPS channel, so using HTTP proxy for HTTPS requests is normally done only for debugging purposes (again we omit cases of paranoid company security policies which require monitoring of all HtTPS traffic of company employees).

Addition: also read my answer on the similar topic here.



回答2:

There are no pros or cons. And there are no "HTTPS proxy" server.

You can tell the protocol handlers which proxy server to use for different protocols. This can be done for http, https, ftp and socks. Not more and not less.

I can't tell you if you should use a different proxy for https connections or not. It depends. I can only explain the difference of an http and https request to a proxy.

Since the HTTP Proxy (or web proxy) understands HTTP (hence the name), the client can just send the request to the proxy server instead of the actual destenation. This does not work for HTTPS. This is because the proxy can't make the TLS handshake, which happens at first. Therefore the client must send a CONNECT request to the proxy. The proxy establishes a TCP connection and just sends the packages forth and back without touching them. So the TLS handshake happens between the client and destenation. The HTTP proxy server does not see everything and does not validate destenation servers certificate whatsoever.

There can be some confusion with this whole http, https, proxy thing. It is possible to connect to a HTTP proxy with https. In this case, the communication between the client and the proxy is encrypted.

There are also so called TLS terminating or interception proxy servers like Squid's SSL Peek and Splice or burp, which see everything. But this should not work out of the box, because the proxy uses own certificates which are not signed by trusted CAs.

References

  • https://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html
  • https://parsiya.net/blog/2016-07-28-thick-client-proxying---part-6-how-https-proxies-work/
  • http://dev.chromium.org/developers/design-documents/secure-web-proxy
  • https://tools.ietf.org/html/rfc2817#section-5
  • https://tools.ietf.org/html/rfc7231#section-4.3.6


标签: http https proxy