RITM assumes HTTP CONNECT requests are always HTTPS #20

Open
bcoles opened this issue Dec 17, 2017 · 0 comments


bcoles commented Dec 17, 2017

RITM assumes HTTP CONNECT requests indicate that the client wants to initiate an HTTPS connection. This is an unsafe assumption.

This affects clients attempting to tunnel unencrypted HTTP with the CONNECT method, as the subsequent request is forwarded as unencrypted HTTP to the SSL reverse proxy server, which expects an SSL/TLS client hello rather than HTTP data.

As a result, RITM returns a generic default WEBrick::Response 200 OK to the client in response to the initial CONNECT (rather than HTTP/1.0 200 Connection established) then fails to deliver the subsequent request to the appropriate server.

Additionally, while most clients will probably accept the 200 OK, a 200 Connection Established would be more appropriate.

To reproduce this issue, use this example RITM script:

#!/usr/bin/env ruby
require 'ritm'

# Start an RITM session with the HTTP proxy listening on 8081 and
# the SSL reverse proxy (where CONNECT tunnels are forwarded) on 8082.
session = Ritm::Session.new
session.configure {
  proxy[:bind_port] = 8081
  ssl_reverse_proxy[:bind_port] = 8082
}
session.start
puts 'Hit enter to finish'
gets # block until the user presses enter
session.shutdown

Proxychains

Here's an example with proxychains:

HTTP

# proxychains curl -isk http://example.com/
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8081-<><>-93.184.216.34:80-<><>-OK

HTTPS

# proxychains curl -isk https://example.com/
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:8081-<><>-93.184.216.34:443-<><>-OK
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/html
[... truncated for brevity ...]

cURL

Here's an example with cURL:

HTTP

# curl -isk -x http://127.0.0.1:8081 http://example.com --proxytunnel
HTTP/1.1 200 OK
Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25) OpenSSL/1.0.1e
Date: Thu, 14 Dec 2017 07:19:11 GMT
Content-Length: 0
Connection: close

HTTPS

# curl -isk -x http://127.0.0.1:8081 https://example.com --proxytunnel
HTTP/1.1 200 OK
Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25) OpenSSL/1.0.1e
Date: Thu, 14 Dec 2017 07:19:20 GMT
Content-Length: 0
Connection: close

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
[... truncated for brevity ...]
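One way a proxy can avoid the assumption described in this issue, as an added example that is not RITM's own code: acknowledge the CONNECT with "200 Connection established", then peek at the client's first tunnel bytes and send a TLS ClientHello (record type 0x16, version 0x03) to the SSL reverse proxy and a plaintext HTTP request elsewhere. The port 8083, the helper names and the sample payloads are assumptions constructed for this example.

```ruby
require 'socket'

# Response a proxy should send once the tunnel is open.
CONNECT_OK = "HTTP/1.1 200 Connection established\r\n\r\n".freeze

# Ports assumed for this example: TLS tunnels go to the SSL reverse proxy,
# plaintext tunnels to a separate HTTP handler (hypothetical port 8083).
TLS_BACKEND_PORT = 8082
HTTP_BACKEND_PORT = 8083

HTTP_METHODS = %w[GET POST PUT DELETE HEAD OPTIONS PATCH TRACE].freeze

# Classify the first bytes a client sends into a CONNECT tunnel.
# A TLS record begins with content type 0x16 (handshake) and major version 0x03;
# plaintext HTTP begins with an ASCII method token followed by a space.
def classify_tunnel_payload(head)
  return :unknown if head.nil? || head.bytesize < 2
  b = head.bytes
  return :tls if b[0] == 0x16 && b[1] == 0x03
  return :http if HTTP_METHODS.any? { |m| head.start_with?("#{m} ") }
  :unknown
end

# Acknowledge the CONNECT, then peek (without consuming) at the client's first
# bytes to decide which backend owns the tunnel. Returns [kind, port].
def handle_connect(client)
  client.write(CONNECT_OK)
  head = client.recv(8, Socket::MSG_PEEK) # bytes stay queued for the backend
  kind = classify_tunnel_payload(head)
  [kind, { tls: TLS_BACKEND_PORT, http: HTTP_BACKEND_PORT }[kind]]
end

# Drive handle_connect with a constructed payload over a socket pair (a real
# client would wait for the ack before sending). Returns [kind, port, ack].
def simulate_connect(payload)
  client_side, proxy_side = UNIXSocket.pair
  client_side.write(payload)
  kind, port = handle_connect(proxy_side)
  ack = client_side.read(CONNECT_OK.bytesize)
  [kind, port, ack]
ensure
  client_side&.close
  proxy_side&.close
end

if __FILE__ == $PROGRAM_NAME
  client_hello = "\x16\x03\x01\x00\xc8\x01\x00\x00".b # constructed TLS record prefix
  p simulate_connect(client_hello)
  p simulate_connect("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
end
```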