7

I want to make Chrome use SSL for all outgoing requests to a proxy (which I control). The proxy can accept a plain HTTPS connection (as a transparent proxy), and it also supports a non-encrypted HTTP connection inside which the client can do HTTP CONNECT and then negotiate SSL.

However, Chrome only uses HTTP CONNECT for https URLs. When I open an http URL, Chrome sends an HTTP GET to the proxy instead of HTTP CONNECT. This happens even if I use a PAC script that returns "HTTPS host:port" for both http and https URLs. And I can't make Chrome use ordinary HTTPS at all when connecting to the proxy.

My goal is to protect the traffic between the browser and the proxy from passive network listeners, including hiding any proxy authentication tokens passed in HTTP headers. How can I accomplish this?

4
  • Seriously, Chrome uses HTTP CONNECT for https requests? Isn't a direct request used instead?
    – Pacerier
    Commented Oct 27, 2017 at 17:52
  • Please clarify "..inside which the client can do HTTP CONNECT and then negotiate SSL". Can't understand—
    – Pacerier
    Commented Oct 27, 2017 at 17:54
  • Just a hint for future visitors: By combining a proxy with a VPN connection, you can achieve “split tunneling” where just browser traffic is directed through the VPN connection.
    – Daniel B
    Commented Oct 27, 2017 at 18:05
  • wiki.squid-cache.org/Features/… Commented Oct 14, 2019 at 0:31

3 Answers

3

My goal is to protect the traffic between the browser and the proxy from passive network listeners, including hiding any proxy authentication tokens passed in HTTP headers. How can I accomplish this?

CONNECT is not a protocol used to proxy plain HTTP connections; it is only used to create a tunnel to some other host. HTTPS connections then create a TLS connection inside this tunnel, which then provides the protection you want.

This means that even if you could convince Chrome to create a tunnel for plain HTTP using CONNECT, it would not provide the protection you expect, because it would use this tunnel with plain HTTP. The encryption is a property of HTTPS and not of the CONNECT tunnel, and no encryption would be done for tunneling HTTP this way. Thus an attacker would still be able to sniff all the data you would like to protect.

What you would need to have to protect the connection between Chrome and the proxy would be a VPN. But this does not protect the connection between proxy and the server. This protection can only be done if the server itself supports HTTPS.

3
  • I understand that. That's why I mentioned I can also provide a transparent HTTPS proxy (with the right backend certificate). I can't tell my users to use a VPN, I need a solution supported by Chrome itself (modulo proxy configuration).
    – danarmak
    Commented Jan 29, 2015 at 9:08
  • If I understand you right, you envision an HTTP proxy which can be accessed by SSL. There is no support for this in current browsers and proxies, but you could build something like this with stunnel. Of course this needs a stunnel instance on each client since you want to protect the connection between client and proxy. Commented Jan 29, 2015 at 10:01
  • @danarmak, Wait, do you mean you want to convert all Chrome HTTP requests to HTTPS like what HTTPS EVERYWHERE does?
    – Pacerier
    Commented Oct 27, 2017 at 17:55
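
An added example (not part of the original answer or its comments): a Python check that classifies the client-to-proxy byte stream the way a passive listener sees it, illustrating the answer's point that a CONNECT tunnel carrying plain HTTP hides nothing, and that the Proxy-Authorization header is readable whenever the connection to the proxy itself is not TLS. The function names, sample streams, host names and token are all constructed for illustration.

```python
# Added example: what a passive listener can read on the browser-to-proxy leg.
# All sample streams are constructed; host names and the token are placeholders.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def is_tls_record(data: bytes) -> bool:
    """True if data starts with a TLS handshake record header (type 0x16, version 3.x)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04

def audit_proxy_leg(stream: bytes) -> dict:
    """stream: bytes sent by the client to the proxy, in order (one direction only)."""
    result = {"leg": None, "tunnel": None,
              "credentials_visible": False, "payload_visible": False}
    if is_tls_record(stream):
        # TLS to the proxy itself: request line and all headers travel inside TLS.
        result["leg"] = "tls"
        return result
    if not stream.startswith(HTTP_METHODS):
        result["leg"] = "unknown"
        return result
    result["leg"] = "cleartext-http"
    head, _, rest = stream.partition(b"\r\n\r\n")
    names = [line.split(b":", 1)[0].strip().lower() for line in head.split(b"\r\n")[1:]]
    # Proxy-Authorization is sent before any tunnel exists, so it is readable either way.
    result["credentials_visible"] = b"proxy-authorization" in names
    if head.startswith(b"CONNECT "):
        # The tunnel relays bytes unchanged; only TLS inside it hides the payload
        # (the target host:port in the CONNECT line stays visible regardless).
        if not rest:
            result["tunnel"] = "no-data"
        else:
            result["tunnel"] = "tls" if is_tls_record(rest) else "cleartext"
        result["payload_visible"] = result["tunnel"] == "cleartext"
    else:
        result["payload_visible"] = True
    return result

AUTH = b"Proxy-Authorization: Basic PLACEHOLDER==\r\n"
PLAIN_GET = b"GET http://site.example/ HTTP/1.1\r\nHost: site.example\r\n" + AUTH + b"\r\n"
CONNECT_HEAD = b"CONNECT site.example:80 HTTP/1.1\r\nHost: site.example:80\r\n" + AUTH + b"\r\n"
CONNECT_PLAIN = CONNECT_HEAD + b"GET / HTTP/1.1\r\nHost: site.example\r\n\r\n"
CLIENT_HELLO_START = bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01])  # record header + handshake type
CONNECT_TLS = CONNECT_HEAD.replace(b":80", b":443") + CLIENT_HELLO_START
TLS_TO_PROXY = CLIENT_HELLO_START

if __name__ == "__main__":
    for name in ("PLAIN_GET", "CONNECT_PLAIN", "CONNECT_TLS", "TLS_TO_PROXY"):
        print(name, audit_proxy_leg(globals()[name]))
```
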
0

There appears to be no way to make Chrome do this.

I do want to note that the Chrome extension APIs for controlling the proxy settings appear to allow for this scenario, but there is no way to achieve the equivalent configuration via manual proxy settings or a PAC script.

1
  • See my answer for updates.
    – Pacerier
    Commented Oct 27, 2017 at 18:12
-2

I've not tried it before, but you can experiment with the --proxy-server flag.

1
  • That doesn’t do what the OP wants. It will not result in an encrypted connection between the browser and the proxy. It’s just a way to make Chrome use a specific proxy server, overriding the regular configuration source for this value.
    – Daniel B
    Commented Oct 29, 2017 at 9:32
