I have a use case where I would like to connect to a proxy server with HTTP, but the underlying request is actually a GET with HTTPS. I have been reading When should one use CONNECT and GET HTTP methods at HTTP Proxy Server?, but I think i need some clarification. Since the underlying request is HTTPS does this mean when I "connect" to my proxy server it will automatically open a CONNECT and just pass through my HTTPS request? My main concern is if I use HTTP to connect to my proxy server, then the underlying HTTPS request is somehow exposed until it hits the proxy server. Thanks in advance.
Asked
Active
Viewed 4,650 times
4
Michael
- 283
- 1
- 3
- 15
1 Answers
8
Yes, whatever your browser says inside a https session is encrypted before, during, and after it passes through a proxy. No, it is not exposed to a proxy. For a proxy, the HTTP CONNECT means just "copy raw bytes around without any interpretation". The proxy does see in plain text the part of url that is in caps here: HTTPS://EXAMPLE.COM:9443/secret/place. It doesn't see the rest of url or anything else; doesn't see headers or data. (If a proxy is really intrusive and decrypts and re-encrypts your session it is visible via a certificate. Your browser would need to be compromised to trust a man-in-the-middle certificate. Uncompromised browser quite visibly warns you.)
Practically, using http only between a browser and a proxy is presently the most popular way of proxying.
kubanczyk
- 5,184
- 1
- 41
- 52