HTTP proxy
An HTTP proxy can handle both HTTP and HTTPS requests, but in different ways.
handle HTTP request
It handles an HTTP request by reading the client's request, making a new request to the target, and returning the response to the client.
handle HTTPS request
An HTTPS request is handled with an HTTP tunnel. You can access HTTPS services via the HTTP proxy while still getting full SSL/TLS security.
HTTPS uses SSL/TLS which by design ensures end-to-end security by establishing a secure communication channel over an insecure one. If the HTTP proxy is able to see the contents, then it's a man-in-the-middle eavesdropper and this defeats the goal of SSL/TLS. So there must be some tricks being played if we want to proxy through a plain HTTP proxy.
The trick is, we turn an HTTP proxy into a TCP proxy with a special command named CONNECT. In CONNECT mode the proxy works at the transport layer:
- When your client makes a request via the HTTP proxy to an HTTPS endpoint, your client should transparently issue a CONNECT request to the HTTP proxy rather than a basic GET or POST request.
- On receipt of this CONNECT request the HTTP proxy will open a tunnel between your client and the endpoint, allowing your client to negotiate a standard SSL session with the endpoint.
- Once negotiated, all traffic sent between your client and the endpoint will be encrypted as if you had connected directly with them.
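The CONNECT request itself is sent in the clear, so the proxy (and anything on the path to it) reads the target host and port before the tunnel starts. The following is an added example, not code from the original page; the port allowlist and the sample requests are assumptions made for illustration.

```python
# Added example: what an HTTP proxy can read from a CONNECT request, and the
# status line it answers with before it starts relaying bytes blindly.
ALLOWED_PORTS = {443}  # assumption: this proxy only tunnels to HTTPS ports


def parse_connect(raw: bytes):
    """Return (host, port) from a CONNECT request head, or raise ValueError."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError("not a CONNECT request")
    host, colon, port = parts[1].rpartition(":")  # authority-form: host:port
    if not colon or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("target must be host:port")
    return host.strip("[]").lower(), int(port)  # brackets wrap IPv6 literals


def proxy_reply(raw: bytes) -> bytes:
    """Status line sent back to the client; 200 means the tunnel is open."""
    try:
        _host, port = parse_connect(raw)
    except ValueError:  # also covers non-ASCII request lines
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if port not in ALLOWED_PORTS:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection Established\r\n\r\n"


# Constructed sample requests (example.com is a placeholder host).
SAMPLE_OK = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
SAMPLE_SSH = b"CONNECT example.com:22 HTTP/1.1\r\nHost: example.com:22\r\n\r\n"

if __name__ == "__main__":
    print(parse_connect(SAMPLE_OK))
    print(proxy_reply(SAMPLE_SSH))
```

After the 200 reply the proxy only copies bytes in both directions; the TLS handshake and everything after it are opaque to it.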
There is also an insecure way of doing so, in which the HTTP proxy becomes a man-in-the-middle. It receives the client-initiated connection, and then initiates another connection to the real server. In a well-implemented SSL/TLS client, the user will be notified that the proxy is not the real server. So the client has to trust the proxy by ignoring the warning for things to work. After that, the proxy simply decrypts data from one connection, re-encrypts it and feeds it into the other.
HTTPS proxy
The problem with an HTTP proxy is that the CONNECT request is plain text, so firewalls can see what host I want to connect to and cut the connection. So I was thinking whether I can use HTTPS to talk to the proxy server from the very beginning. That's what an HTTPS proxy does.
The HTTPS proxy (also called SSL proxy) works similarly to the HTTP proxy but differs in that it establishes a secure connection between the browser and itself. HTTPS proxies encrypt all web traffic using the HTTPS protocol.
In other words, an HTTPS proxy server is no different from an HTTP proxy server, except that with an HTTPS proxy the connection from the browser to the proxy server is encrypted.
refer to https://stackoverflow.com/questions/56981993/https-proxy-server-only-works-in-switchomega
SOCKS proxy
Finally, we can certainly proxy HTTPS requests through a SOCKS proxy, because the SOCKS proxy works at a lower level. You may think of a SOCKS proxy as both a TCP and a UDP proxy. Most importantly, SOCKS proxies work with any kind of network protocol on any port.
SOCKS is client/server mode
SOCKS is client/server mode. A user's workstation must have a SOCKS client installed, either in the application (such as PuTTY, Firefox, Chrome SwitchyOmega), or deep in the system TCP/IP stack.
When using a SOCKS proxy (which acts as the SOCKS server, with your workstation as the SOCKS client), your workstation establishes a SOCKS connection with the proxy (server) under the SOCKS protocol, and sends all outgoing internet traffic through the server.

SOCKS protocol
Purpose of the protocol
The SOCKS protocol is a networking protocol, used to route internet traffic through a SOCKS proxy server.
OSI layer of the protocol
The protocol operates at the session layer (Layer 5) of the OSI model.
Whether the protocol is encrypted
The SOCKS protocol itself does not provide encryption. Since SOCKS is very detectable, a common approach is to present a SOCKS interface for more sophisticated protocols.
As the "Socks server traffic" figure above shows, the packets sent from the SOCKS client to the SOCKS server are all in plaintext.
Client/server interaction defined by the protocol
Under the SOCKS protocol, the client communicates with the SOCKS server using a set of standard SOCKS protocol messages. Here are the basic steps for a client to communicate with a SOCKS server under the SOCKS protocol:

- The client establishes a transport-layer connection with the SOCKS server. The client establishes a TCP connection with the SOCKS server: it first completes the three-way handshake with the proxy server.
- The client establishes a session-layer connection with the SOCKS server. If authentication is required, the SOCKS server prompts the client for credentials and authenticates the client.
  - Client sends a greeting over the TCP connection established above, which includes a list of the authentication methods it supports.
  - Server chooses one of the methods (or sends a failure response if none of them are acceptable).
  - Several messages may now pass between the client and the server, depending on the authentication method chosen.
- The client asks the server to act as its proxy. The client sends a CONNECT request message, specifying the destination address (DSTIP) and port number (DSTPORT) for the data to be transmitted. The SOCKS server processes the request message and responds to the client with a granted message. From this point onwards, a TCP connection between the SOCKS server and the destination server is established, and any data sent from the SOCKS client to the SOCKS server is relayed to DSTIP:DSTPORT, and vice versa. This means that your online activity is masked and appears to be coming from the proxy server rather than your device's IP address. Once the connection is established, the SOCKS server relays the data packets between the client and the destination server, acting as a middleman between the two.
  - Data sent to the destination server hops from the client - proxy TCP connection to the proxy - destination server TCP connection.
  - Data sent back to the client hops from the proxy - destination server TCP connection to the client - proxy TCP connection.
- The client can send additional request messages to the SOCKS server to modify the connection or request various features such as encryption or remote DNS resolution.
- When the communication session is complete, the client sends a termination message to the SOCKS server to end the connection.
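The greeting, method selection and CONNECT request described above, built and decoded byte by byte following the SOCKS5 message layouts in RFC 1928. This is an added example, not code from the original page; the function names and sample destinations are assumptions, and it shows that a server or a passive monitor recovers the destination straight from the unencrypted request.

```python
import ipaddress
import struct

# Added example: field values follow RFC 1928 (SOCKS5).
VER, CMD_CONNECT = 0x05, 0x01
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def greeting(methods):
    """Client -> server: VER, NMETHODS, METHODS."""
    return bytes([VER, len(methods), *methods])


def choose_method(greet: bytes, accepted=(NO_AUTH,)) -> bytes:
    """Server -> client: VER, METHOD (0xFF when nothing offered is acceptable)."""
    if len(greet) < 2 or greet[0] != VER or len(greet) != 2 + greet[1]:
        raise ValueError("malformed greeting")
    picked = next((m for m in accepted if m in greet[2:]), NO_ACCEPTABLE)
    return bytes([VER, picked])


def connect_request(host: str, port: int) -> bytes:
    """Client -> server: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT (domain form)."""
    name = host.encode("idna")
    head = bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return head + name + struct.pack("!H", port)


def parse_request(req: bytes):
    """Decode (DST.ADDR, DST.PORT) as a server or a passive monitor would."""
    if len(req) < 7 or req[0] != VER or req[1] != CMD_CONNECT or req[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = req[3], req[4:]
    if atyp == ATYP_DOMAIN:
        n = body[0]  # one length byte precedes the name
        addr, rest = body[1:1 + n].decode("ascii"), body[1 + n:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        addr, rest = str(ipaddress.ip_address(body[:n])), body[n:]
    else:
        raise ValueError("unknown ATYP")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return addr, struct.unpack("!H", rest)[0]


# Server -> client "granted" reply: REP=0x00, BND.ADDR and BND.PORT zeroed.
GRANTED = bytes([VER, 0x00, 0x00, ATYP_IPV4]) + bytes(6)
```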
refer to
https://zhuanlan.zhihu.com/p/458173597?utm_medium=social&utm_oi=867832049359265792&utm_psn=1640333717142032384&utm_source=wechat_session&utm_id=0
https://datatracker.ietf.org/doc/html/rfc1928
socks proxy via http proxy
