Handling mangled server names

Marc de Bruin marc at debruin.org
Sun Nov 14 22:54:45 MSK 2010


Lo,

At work, we have a perfectly functioning proxy server, which I don't trust. :-/ So I wanted to use my home infrastructure in a transparent way (e.g., no SSH port forwarding) to allow me just to use my browser to get http pages via https. Sort of a chained proxy.

I came up with the following, working, configuration:

	server {
		listen		999 ssl;
		server_name	~^(?<mangled>.+)\.ubergurus\.eu$;

		set $website $mangled;
		if ($website ~* (.*)_(.*)) { set $website $1.$2; }
		if ($website ~* (.*)_(.*)) { set $website $1.$2; }
		if ($website ~* (.*)_(.*)) { set $website $1.$2; }
		if ($website ~* (.*)_(.*)) { set $website $1.$2; }
		if ($website ~* (.*)_(.*)) { set $website $1.$2; }
		if ($website ~* (.*)_(.*)) { set $website $1.$2; }
		if ($website ~* (.*)_(.*)) { set $website $1.$2; }
		if ($website ~* (.*)_(.*)) { set $website $1.$2; }
		if ($website ~* (.*)_(.*)) { set $website $1.$2; }
		if ($website ~* (.*)_(.*)) { set $website $1.$2; }
		
		ssl_certificate		/opt/etc/nginx/ssl_ubergurus.eu/wildcard.ubergurus.eu.crt;
		ssl_certificate_key	/opt/etc/nginx/ssl_ubergurus.eu/wildcard.ubergurus.eu.key;
		ssl_crl 		/opt/etc/nginx/ssl_ubergurus.eu/crl.pem;
		ssl_client_certificate	/opt/etc/nginx/ssl_ubergurus.eu/ca.crt;
		ssl_verify_client	on;
		
		location / {
			proxy_set_header	Host	$website;
			rewrite			^(.*)$	$website$request_uri	break;
			proxy_pass		http://$website;
		}
	}

At home, 443 forwards to 999.

At work, I'm now able to get e.g. https://www_ns_nl.ubergurus.eu/ which results, after two-sided SSL being set up, in a http://www.ns.nl get at home, and tunneling the result back to work. Of course still the URL shows up in the work's proxy log, but no content. The server certificate is a self-signed wildcard certificate for *.ubergurus.eu, so any mangled site would work, as long as it doesn't contain the 'dot'-char.

A few questions came up during this invention:
- Repeating the if line 10 times allows 10 levels of _-chars, meaning 10 subdomains. Is there a better way to accomplish this?
- Some sites contain absolute URLs within the content (e.g. the <A HREF=""> tag and <IMG > tag), which aren't rewritten back to https://*.ubergurus.eu. This causes leakage at the work site. Is there a quick way to add that?
- Any ideas about a better mangling scheme to further obfuscate the destination website from the proxy log?

Or am I just being crazy here... ;-)

Tnx,
Marc.

PS: Great piece of software, nginx!
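
An added example, not part of the original post and not nginx code: a Python model of the ten repeated `if` lines in the configuration above, showing which underscore is left over when a name has more than ten, and the 63-octet limit on the single DNS label that the mangled name has to fit in. The function names `demangle` and `mangle` are hypothetical, and the sample names are constructed.

```python
import re

PASSES = 10      # the posted config repeats the `if` line ten times
MAX_LABEL = 63   # DNS limit on a single label, in octets


def demangle(label, passes=PASSES):
    """Replay the repeated `if ($website ~* (.*)_(.*))` lines on one label."""
    website = label
    for _ in range(passes):
        m = re.search(r"(.*)_(.*)", website)
        if m is None:
            break
        # Greedy (.*) runs to the LAST underscore, so each pass converts
        # the rightmost remaining '_' into '.'.
        website = m.group(1) + "." + m.group(2)
    return website


def mangle(host, passes=PASSES):
    """Return the label that demangles to `host`, or raise ValueError."""
    if "_" in host:
        raise ValueError("'_' in the host would be turned into '.'")
    label = host.replace(".", "_")
    if label.count("_") > passes:
        raise ValueError("more dots than the config has `if` lines")
    if len(label) > MAX_LABEL:
        raise ValueError("mangled name exceeds one 63-octet DNS label")
    return label


if __name__ == "__main__":
    # Constructed sample names, not taken from any log.
    print(demangle("www_ns_nl"))
    print(demangle("a_b_c_d_e_f_g_h_i_j_k_l"))  # eleven underscores
```

With eleven underscores the leftmost one survives the ten passes, so `$website` still contains a `_` when it reaches `proxy_pass`.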

