
Feature: Support to https #6

Open
cristianoliveira opened this issue Aug 24, 2017 · 12 comments

Comments

@cristianoliveira
Owner

cristianoliveira commented Aug 24, 2017

It would be nice to have support for HTTPS. It will need a self-signed key.
For more examples of how to implement this, please take a look at this:

https://gist.github.com/denji/12b3a568f092ab951456

@michivip

michivip commented Oct 2, 2017

I would really like to contribute to this project because I already use it for my own applications - implementing HTTPS would be a great feature.

Do you want to generate the keypair dynamically or should the user provide them?

@cristianoliveira
Owner Author

Hey @michivip I am glad you use ergo :)

I was thinking of providing the keypairs within the binary, to make it easy to install. I also accept suggestions.

@michivip

michivip commented Oct 2, 2017

Hello @cristianoliveira,

thanks for your fast answer!

If I got you right the user can enable HTTPS in the configuration file. If so, the self-signed certificate will be used to provide a secure HTTPS connection.

If something is wrong with my understanding please correct me. Otherwise I will implement the feature in the following days.

@cristianoliveira
Owner Author

cristianoliveira commented Oct 2, 2017

@michivip I think as a first implementation it can be a flag passed into it. It would be nice if we could manage to provide both. I think it is just a matter of binding both ports, 2000 (default) and 443.

@michivip

michivip commented Oct 4, 2017

As described in this Stack Overflow answer, it is not allowed to proxy HTTPS through a PAC file. Therefore I do not think that implementing this feature is possible.

If I got you wrong please tell me.

@adiclepcea
Collaborator

adiclepcea commented Oct 4, 2017

@cristianoliveira, @michivip If you look into the comments you see that they say it is possible to use a proxy for HTTPS connections (using CONNECT).
The issue I see however is:
Do you mean that the proxy should have an address like https://127.0.0.1:2453, for example? If so, then, although I'm not sure, I believe that the browser (or any other client for that matter) should trust the proxy.

To do that, you should add the key you use in the proxy as a trusted key (certificate) to the system, or tell each client that the certificate is trusted. This would mean that the setup scripts should also be modified. Also, adding a self-signed key is not the recommended approach. It is good for testing, but not for production.
To avoid this you should use an externally verified certificate (see Verisign, Comodo etc.).
Adding the key into the code is also impractical, as this would expose the private key to everyone having access to the code. It defeats the purpose.
So you would need a small script to generate a key pair or to optionally use an existing one.
I do believe this is a good feature, but we should consider the target audience of this proxy.

Please correct me if I'm wrong or I misunderstood the issue.

If you still want to continue this, perhaps this would help you: goservervclienttls (shameless brag).

Please observe that in both examples provided by @cristianoliveira and myself, both the client and the server need access to a certificate authority (in these cases ca.crt). If you do not want to use a verified certificate, but a self-signed one, then you have to provide the authority to the user of the proxy.
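
The two points above, generating the key pair at install time instead of committing it, and handing the resulting certificate to the client as its only trust anchor, as an added Go example that is not ergo's code nor taken from either linked repository. The function names, the loopback-only address and the validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// newLocalCert generates a fresh P-256 key and a self-signed certificate for
// 127.0.0.1 at install/first-run time, so no private key ever ships in the code.
func newLocalCert(validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // valid for loopback only
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientAccepts is the check a TLS client makes on connect: it trusts only the
// certificates in trusted (the user's "ca.crt"), never the system store.
func clientAccepts(presented *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, ca := range trusted {
		pool.AddCert(ca)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host, // an IP literal is matched against the IP SANs
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}
```

A client that was never given the generated certificate, one connecting to a different address, or one presented with an expired certificate all get a verification error, which is the behaviour the setup scripts would have to account for.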

@cristianoliveira
Owner Author

There is this method of implementation also: https://goenning.net/2017/11/08/free-and-automated-ssl-certificates-with-go/

It looks quite simple.

@adiclepcea
Collaborator

Yes. It seems to fit the bill. It does use recognized certificates, so it should be ok.

@michivip

michivip commented Nov 8, 2017

In the tutorial of @cristianoliveira using Let's Encrypt it says that you need your server to be publicly available. Therefore I think that this is not affordable for ergo, because it is bound to the local host system. If I understood something wrong, please tell me.

@adiclepcea
Collaborator

@michivip The tutorial mentions that the server needs to be publicly available only because that is the main purpose of a web server. Otherwise you cannot reach it through DNS.
However, ergo can take advantage of the techniques explained there as long as there is an internet connection on the machine it is running on. The connection can be made while ergo is behind NAT, behind a firewall, and perhaps even over a proxy.
The certificates in the tutorial are used to serve web pages over https. We would need them only to certify that our proxy (ergo) is who it says it is.

@gnutix

gnutix commented May 18, 2021

Any chance this issue might get some love? This tool is awesome, but all the projects I'm working on are using HTTPS. :(

@cristianoliveira
Owner Author

Hey @gnutix I'm sorry for that.
I usually don't need to test locally with HTTPS, that's why this missing feature didn't get much attention :(

I still want to do it just for the sake of learning. We tried to leave all the research in this PR on how to implement it. Contributions are welcome! 😄
