为本地 HTTP/2 代理生成证书
Generating a Certificate for Local HTTP/2 Proxy
我试图让 Firefox 每晚使用安全的 HTTP/2 代理,但它拒绝接受自签名证书。
代理由 nghttp2 作为 HTTP/2 前端和一个简单的 Twisted 代理作为后端组成。 Twisted 代码来自 https://wiki.python.org/moin/Twisted-Examples 并作为 HTTP/1.1 代理独立运行。使用
调用 nghttp2
nghttpx -s -flocalhost,8443 -b127.0.0.1,8080 server.pem server.pem -L INFO
Firefox 将其用作 https://nghttp2.org/documentation/nghttpx-howto.html#http-2-proxy-mode 中指定的代理。
我使用
为本地主机创建了 server.pem
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
当我尝试通过代理加载像 http://www.something.com 这样的通用网站时,Firefox 会显示 "This Connection is Untrusted" 警告。但是,如果我告诉它添加并存储异常,它只会再次发出警告。据我所知,它永远不会通过 nghttp2 前端到达 Twisted 代理。
我是否应该为安全代理认证做一些不同的事情?除了 nghttp2 声明 "Please note that both Firefox nightly and Chromium require valid certificate for secure proxy."
之外,我在网上找不到太多内容
Patrick McManus 在 Firefox bugzilla a while ago 中几乎完全回答了这个问题 - 原因是 Firefox 中仍然缺少 UI:
You can do a TOFU exception for the proxy case, but you have to do it
a little differently.
turn off the proxy use in firefox.
put https://PROXYNAME:PROXYPORT/ in the location bar (use the same name and port number as you have configured in the PAC - you can't use
ip addresses or default ports.. you can't use ip addresses because
they can't be verified by the PKI and exceptions are stored per port.
- override the cert warning and perm. store the exception. The response you get will be meaningless as you are now addressing the
proxy port as if it was an endpoint
- turn the proxy back on and use it.
我试图让 Firefox 每晚使用安全的 HTTP/2 代理,但它拒绝接受自签名证书。
代理由 nghttp2 作为 HTTP/2 前端和一个简单的 Twisted 代理作为后端组成。 Twisted 代码来自 https://wiki.python.org/moin/Twisted-Examples 并作为 HTTP/1.1 代理独立运行。使用
调用 nghttp2nghttpx -s -flocalhost,8443 -b127.0.0.1,8080 server.pem server.pem -L INFO
Firefox 将其用作 https://nghttp2.org/documentation/nghttpx-howto.html#http-2-proxy-mode 中指定的代理。
我使用
为本地主机创建了 server.pemopenssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
当我尝试通过代理加载像 http://www.something.com 这样的通用网站时,Firefox 会显示 "This Connection is Untrusted" 警告。但是,如果我告诉它添加并存储异常,它只会再次发出警告。据我所知,它永远不会通过 nghttp2 前端到达 Twisted 代理。
我是否应该为安全代理认证做一些不同的事情?除了 nghttp2 声明 "Please note that both Firefox nightly and Chromium require valid certificate for secure proxy."
之外,我在网上找不到太多内容Patrick McManus 在 Firefox bugzilla a while ago 中几乎完全回答了这个问题 - 原因是 Firefox 中仍然缺少 UI:
You can do a TOFU exception for the proxy case, but you have to do it a little differently.
turn off the proxy use in firefox.
put https://PROXYNAME:PROXYPORT/ in the location bar (use the same name and port number as you have configured in the PAC - you can't use ip addresses or default ports.. you can't use ip addresses because they can't be verified by the PKI and exceptions are stored per port.
- override the cert warning and perm. store the exception. The response you get will be meaningless as you are now addressing the proxy port as if it was an endpoint
- turn the proxy back on and use it.