Is it possible to authenticate/identify different users? #73
Comments
There is nothing implemented about authentication in node-http-mitm-proxy so you'll have to do it on your own. Basically, you should use Proxy Authentication, which is based on HTTP Authentication.
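As an added example (not part of the original thread and not the project's own code), here is one way to implement the Basic proxy authentication suggested in the comment above as a handler for `proxy.onRequest`. The user table, realm, `ctx.proxyUser` and helper names are hypothetical, and the handler assumes the client sends `Proxy-Authorization` on the request it handles.

```javascript
// Added example. USERS, REALM and the helper names are hypothetical;
// the credentials are constructed sample values.
const REALM = 'my-proxy';
const USERS = new Map([['alice', 'correct horse'], ['bob', 'hunter2:x']]);

// Constant-time comparison, so a mismatch does not reveal where it occurred.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// Returns the user name for a valid "Basic" Proxy-Authorization value, else null.
function authenticate(headerValue, users) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})\s*$/i.exec(headerValue || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // only the first ':' separates user from password
  if (sep < 1) return null;
  const user = decoded.slice(0, sep), pass = decoded.slice(sep + 1);
  // Unknown users are compared against a dummy value to keep the work uniform.
  const known = users.has(user);
  const match = safeEqual(pass, known ? users.get(user) : '\0dummy');
  return known && match ? user : null;
}

// Builds a handler to pass to proxy.onRequest(...).
function makeAuthHandler(users) {
  return function (ctx, callback) {
    const header = ctx.clientToProxyRequest.headers['proxy-authorization'];
    const user = authenticate(header, users);
    if (!user) {
      ctx.proxyToClientResponse.writeHead(407, {
        'Proxy-Authenticate': 'Basic realm="' + REALM + '"'
      });
      ctx.proxyToClientResponse.end();
      return; // Don't call callback: the request is not forwarded
    }
    ctx.proxyUser = user; // hypothetical property read by later handlers
    // Proxy credentials are for this hop only; never send them to the origin.
    delete ctx.proxyToServerRequestOptions.headers['proxy-authorization'];
    return callback();
  };
}
```

Basic credentials are only base64-encoded, so anyone who can observe the client-to-proxy connection can read them.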
OK great thank you. I'm actually trying to have a single proxy serve multiple users. I assume I can implement cookie based session tracking in a similar way to track who's logged in etc?
Cookie tracking may be hard to implement because cookies are per domain. So if you set a cookie when the user is on google.com, the client won't send it back to you when he is on twitter.com. The only solution I see would be to synchronise cookies through a single domain, using redirects when the cookie is not present, but this is not trivial and would introduce delays. Basically:
It means 3 redirects (may be done in 2 but risky) on each new domain. Additionally there are a few traps to avoid like
Eek, that sounds pretty bad. I guess I can make a unique subdomain for each proxy user, which is created only after they authenticate but then used thereafter.
But actually I'm not even sure how to get the URL used for the proxy in any of the request callbacks.
You can have a single fake domain for the cookie synchronisation. The value of the cookie identifies your users.

```js
var url = require('url');
var crypto = require('crypto');

// `proxy` is the http-mitm-proxy instance, created elsewhere.
var COOKIE_NAME = 'my-proxy-tracking-cookie';

// Read one cookie from the raw Cookie request header (a single string in Node).
function getCookie(req, name) {
  var parts = (req.headers.cookie || '').split(/;\s*/);
  for (var i = 0; i < parts.length; i++) {
    var eq = parts[i].indexOf('=');
    if (eq > 0 && parts[i].slice(0, eq) === name) return parts[i].slice(eq + 1);
  }
  return undefined;
}

// Send a 302 and finish the response without forwarding the request.
function redirect(ctx, headers) {
  ctx.proxyToClientResponse.writeHead(302, headers);
  ctx.proxyToClientResponse.end();
}

proxy.onRequest(function(ctx, callback) {
  var req = ctx.clientToProxyRequest;
  var trackingCookie = getCookie(req, COOKIE_NAME);
  // targetUrl and trackingCookie come from the query string and are client-controlled.
  var query = url.parse(req.url, true).query;

  if (req.headers.host === 'myproxysyncdomain.com') {
    var target = url.parse(query.targetUrl || '');
    var responseHeaders = {};
    if (!trackingCookie) {
      trackingCookie = crypto.randomBytes(16).toString('hex'); // unique identifier for the session
      responseHeaders['Set-Cookie'] = COOKIE_NAME + '=' + trackingCookie;
    }
    responseHeaders['Location'] = target.protocol + '//' + target.host +
      '/myproxy-set-tracking-cookie?trackingCookie=' + encodeURIComponent(trackingCookie) +
      '&targetUrl=' + encodeURIComponent(query.targetUrl);
    redirect(ctx, responseHeaders);
    return; // Don't call callback
  }
  if (req.url.indexOf('/myproxy-set-tracking-cookie') === 0) {
    redirect(ctx, {
      'Set-Cookie': COOKIE_NAME + '=' + query.trackingCookie,
      'Location': query.targetUrl
    });
    return; // Don't call callback
  }
  if (!trackingCookie) {
    // Resolve the absolute request URL from isSSL + host + url
    var currentUrl = (ctx.isSSL ? 'https' : 'http') + '://' + req.headers.host + req.url;
    redirect(ctx, {
      'Location': 'http://myproxysyncdomain.com/?targetUrl=' + encodeURIComponent(currentUrl)
    });
    return; // Don't call callback
  }
  // Here you have a trackingCookie set, do your normal job.
  // Remove the tracking cookie from the forwarded headers, then forward.
  var fwd = ctx.proxyToServerRequestOptions.headers;
  if (fwd.cookie) {
    fwd.cookie = fwd.cookie.split(/;\s*/).filter(function(c) {
      return c.indexOf(COOKIE_NAME + '=') !== 0;
    }).join('; ');
    if (!fwd.cookie) delete fwd.cookie;
  }
  callback();
});
```
Here is an example of the process:
OK very interesting. The other approach I'm considering is simply to provide each user a unique proxy address. Something like
If you use proxy basic auth (like suggested in #73 (comment)), you would probably have the
Interestingly (and frustratingly) OSX and iOS do not do this but Firefox will, so it seems implementation of the spec is not consistent. It looks like I'll need a mixed strategy, possibly using your excellent cookie based approach along with a URL based identifier. Do you know where I might see what host/URL is being used for the current proxy request? Thanks again for all your help!
This means that the first request won't have the
But if you send a 407 error with a Firefox or any other clients probably do the same because there are several syntaxes for the value of Normally, the client should ask for proxy credentials only once and save it for next proxy authentication requests.
Not sure it is possible.
What's the recommended way to do authentication to the proxy?