HTTPS support #1

Open
kahing opened this issue May 14, 2015 · 5 comments

@kahing
Member

kahing commented May 14, 2015

It'd be good to have HTTPS support and induce chaos at the HTTPS layer.

gaul changed the title from "https support" to "HTTPS support" on Jul 25, 2015
@flandr
Contributor

flandr commented Aug 24, 2015

What about a MITM proxy server that terminates the TLS connection at chaos-http-proxy? It would also be nice to induce HTTP errors in HTTPS sessions.

Happy to contribute, as I have an ahem need for such a thing.

@gaul
Member

gaul commented Aug 24, 2015

Please submit a pull request. I believe you can scoop all the needed logic out of S3Proxy.

flandr added a commit to flandr/chaos-http-proxy that referenced this issue Aug 24, 2015
Ideally there will be support for TLS-terminating HTTPS proxies
(see bouncestorage#1), but prior to that it's better to fail the CONNECT method w/
a 405 than to mis-compose the URL out of the request-uri component.
@flandr
Contributor

flandr commented Aug 24, 2015

Ok, but in the meanwhile let's disable CONNECT; the URL composition logic is misinterpreting the request-uri portion of that message & it's doomed to failure anyway.

#9

gaul pushed a commit that referenced this issue Aug 25, 2015
Ideally there will be support for TLS-terminating HTTPS proxies
(see #1), but prior to that it's better to fail the CONNECT method w/
a 405 than to mis-compose the URL out of the request-uri component.
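
The request-target distinction behind the CONNECT commits above, as an added example that is not code from chaos-http-proxy: an HTTPS client sends `CONNECT host:port` (authority-form) to its proxy, and a composer that expects a path turns that into a mangled URL, so the sketch answers 405 instead. `target_form`, `naive_url`, `route` and the sample request lines are assumptions made for illustration (the project's own composition logic is not shown on this page), and the `Allow` header is included because RFC 7231 requires it on a 405.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# status is None when the request should be forwarded to `upstream`.
Decision = namedtuple("Decision", "status headers upstream")
FORWARDED = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")  # no CONNECT


def target_form(method, target):
    """Classify a request-target (RFC 7230 section 5.3) for a plain-HTTP proxy."""
    if target.startswith("/"):
        return "origin"        # /path?query, host comes from the Host header
    if method == "CONNECT":
        return "authority"     # host:port only: no scheme, no path
    parsed = urlsplit(target)
    if parsed.scheme == "http" and parsed.netloc:
        return "absolute"      # http://host/path, what proxy clients send
    return "unsupported"       # "*", https:// targets, anything else


def naive_url(host_header, target):
    """Hypothetical composition that assumes the target is always a path."""
    return "http://" + host_header + target


def route(request_line, host_header):
    """Decide what a non-tunnelling proxy does with one request line."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return Decision(400, {}, None)
    method, target, _version = parts
    form = target_form(method, target)
    if form == "authority" or method not in FORWARDED:
        # Refuse the tunnel instead of guessing a URL from host:port.
        return Decision(405, {"Allow": ", ".join(FORWARDED)}, None)
    if form == "absolute":
        return Decision(None, {}, target)
    if form == "origin":
        return Decision(None, {}, naive_url(host_header, target))
    return Decision(400, {}, None)


# Constructed sample: what an HTTPS client sends to its configured proxy.
CONNECT_LINE = "CONNECT example.com:443 HTTP/1.1"
if __name__ == "__main__":
    print(naive_url("example.com:443", "example.com:443"))  # mangled URL
    print(route(CONNECT_LINE, "example.com:443"))
    print(route("GET http://example.com/a?b=1 HTTP/1.1", "example.com"))
```
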
@gaul
Member

gaul commented Dec 30, 2020

Researching this some years later, I am not sure that any HTTPS clients will work in the MITM way that I had imagined and that would be useful to Chaos HTTP Proxy. Instead it seems that they use the CONNECT verb then pass encrypted traffic between client and server:

https://stackoverflow.com/a/36171547/2800111

Perhaps it is possible to inject a different SSL certificate as long as the client disables verification?

gaul added a commit to gaul/s3fs-fuse that referenced this issue Dec 30, 2020
This can find errors in retry logic.  Chaos HTTP Proxy does not
support SSL bouncestorage/chaos-http-proxy#1 so users must set
s3proxy.endpoint and run via:

CHAOS_HTTP_PROXY=1 S3_URL=http://127.0.0.1:8080 make check -C test

It can also be helpful to increase retries and reduce sleep times.
References s3fs-fuse#1504.
ggtakec pushed a commit to s3fs-fuse/s3fs-fuse that referenced this issue Jan 4, 2021
This can find errors in retry logic.  Chaos HTTP Proxy does not
support SSL bouncestorage/chaos-http-proxy#1 so users must set
s3proxy.endpoint and run via:

CHAOS_HTTP_PROXY=1 S3_URL=http://127.0.0.1:8080 make check -C test

It can also be helpful to increase retries and reduce sleep times.
References #1504.
@gaul
Member

gaul commented Jan 14, 2021

compy shows how to do this in Go.
