Proxomitron Reborn
Aug. 10, 2018, 07:22 AM
Post: #76
RE: Proxomitron Reborn
Nice to see this orphaned jewel reborn. Smile!

[Image: certs.png]

I'm getting this warning on every secure site I visit, irrespective of what browser I use.
How to get rid of it other than adding an exception for each secure connection?

Thanks in advance!
Aug. 10, 2018, 11:42 AM
Post: #77
RE: Proxomitron Reborn
You can use this: https://www.prxbx.com/forums/forumdisplay.php?fid=48

Generating appropriately-named certs is on the list of planned features.

If anyone is wondering, I haven't forgotten --- just testing out what will be 4.5.2.0 (containing only fixes of old bugs in 4.5j, no new features) for a bit before releasing.
The following 2 users say Thank You to amy for this post: mizzmona, usr
Aug. 10, 2018, 01:48 PM
Post: #78
RE: Proxomitron Reborn
Thanks for the reply.
I'll give ProxHTTPSProxyMII a try.

(Aug. 10, 2018 11:42 AM)amy Wrote:  Generating appropriately-named certs is on the list of planned features.
These are good news.

Keep up the great work!
Aug. 13, 2018, 06:23 PM
Post: #79
RE: Proxomitron Reborn
(Jun. 28, 2018 02:33 AM)amy Wrote:  ... patches to use newer OpenSSL
I don't know if this is useful (it sounds useful, but what do I know):

mkcert A simple zero-config tool to make locally trusted development certificates with any names you'd like - downloads various platforms incl. Windows (command line) @ https://github.com/FiloSottile/mkcert
Sep. 04, 2018, 02:45 AM (This post was last modified: Sep. 05, 2018 02:50 AM by amy.)
Post: #80
Smile RE: Proxomitron Reborn
4.5.2.0 has been released! This fixes a lot of latent bugs which Scott never got around to (and some, like the multithreading ones, which wouldn't have been visible nor easily reproducible on the single-core hardware of the time), so it can be considered the first improvement release of The Proxomitron since 2003!
Quote:
- Fix opening local file URLs
- Fix buffer overflow in proxy test function
- Stabilise and refine header filter ordering - URL: filters are now applied first, and also show first in the list. They are sorted respectively alphabetically.
- Clarify file URLs for opening blocklists: URL commands must be enabled to do so, and if not, a warning message is shown.
- Fix date checking for If-Modified-Since in local file requests. Original code would always respond with "not modified", possibly causing caching problems with local file replacements.
- Fix Show URL in browser for https and add option to include scheme. When adding a URL to a blocklist, the menu option to open in browser was broken for https URLs. Now that has been fixed, and a checkbox added to allow you to include the scheme (https:// or http://) when adding to the list.
- Fix unintentional sign-extension in base-64 encoding. Non-ASCII passwords and such should now encode and decode correctly.
- Fix allow IP range comparison. This was accidentally introduced in the rebuild and not in 4.5j.
- Fix duplicate load and image handle leak when loading textures
- Fix tray icon tooltip (now it says Bypassed when... bypassed)
- Fix memory leak in $STOP()
- Fix memory leak in SSLeayShutdown()
- Fix handling of FEXTRA and FHCRC for gzip format
- Fix Allow for Session certificate dialog with multiple parallel connections. It will not continue asking the same host if you have multiple parallel connections and already said Allow for Session once.
- Fix erroneous check of return value when setting OpenSSL certificate callback
- Fix header filter count decrement race condition. No more erroneous "Filters In Use" with 0 active connections
- Fix saving and restoring window sizes (for multiple-monitor users)
- Fix multithreaded OpenSSL initialisation race condition crash
- Fix positioning of context menus for multiple-monitor systems
- Various cleanup/removal of dead-ends in code.

Thanks for all the feature suggestions --- better SSL/TLS filtering support seems to be "most wanted" at the moment, but here's a list of things planned for 4.6:

- Generate and cache appropriately-named certificates (like ProxHTTPSProxyMII, but integrated)
- A way to better manage the Certificate Error exception list and make it persistent (how about in blockfile format? Wink)
- Allow local.ptron and proxy itself to be accessed via HTTPS, although I'm not sure what browsers can make use of the latter
- $REM() for comments in patterns (requested by mizzmona)
The following 8 users say Thank You to amy for this post: soccerfan, mizzmona, prxymouse, zoltan, referrer, usr, Callahan, ProxRocks
Sep. 04, 2018, 05:06 AM
Post: #81
RE: Proxomitron Reborn
Surely you clicked the wrong Post Icon? ":(" doesn't seem right!

Wow...

(Sep. 04, 2018 02:45 AM)amy Wrote:  4.5.2.0 has been released! This fixes a lot of latent bugs which Scott never got around to (and some, like the multithreading ones, which wouldn't have been visible nor easily reproducible on the single-core hardware of the time), so it can be considered the first improvement release of The Proxomitron since 2003!
Quote:
- Fix opening local file URLs
- Fix buffer overflow in proxy test function
- Stabilise and refine header filter ordering - URL: filters are now applied first, and also show first in the list. They are sorted respectively alphabetically.
- Clarify file URLs for opening blocklists: URL commands must be enabled to do so, and if not, a warning message is shown.
- Fix date checking for If-Modified-Since in local file requests. Original code would always respond with "not modified", possibly causing caching problems with local file replacements.
- Fix Show URL in browser for https and add option to include scheme. When adding a URL to a blocklist, the menu option to open in browser was broken for https URLs. Now that has been fixed, and a checkbox added to allow you to include the scheme (https:// or http://) when adding to the list.
- Fix unintentional sign-extension in base-64 encoding. Non-ASCII passwords and such should now encode and decode correctly.
- Fix allow IP range comparison. This was accidentally introduced in the rebuild and not in 4.5j.
- Fix duplicate load and image handle leak when loading textures
- Fix tray icon tooltip (now it says Bypassed when... bypassed)
- Fix memory leak in $STOP()
- Fix memory leak in SSLeayShutdown()
- Fix handling of FEXTRA and FHCRC for gzip format
- Fix Allow for Session certificate dialog with multiple parallel connections. It will not continue asking the same host if you have multiple parallel connections and already said Allow for Session once.
- Fix erroneous check of return value when setting OpenSSL certificate callback
- Fix header filter count decrement race condition. No more erroneous "Filters In Use" with 0 active connections
- Fix saving and restoring window sizes (for multiple-monitor users)
- Fix multithreaded OpenSSL initialisation race condition crash
- Fix positioning of context menus for multiple-monitor systems
- Various cleanup/removal of dead-ends in code.

Thanks for all the feature suggestions --- better SSL/TLS filtering support seems to be "most wanted" at the moment, but here's a list of things planned for 4.6:

- Generate and cache appropriately-named certificates (like ProxHTTPSProxyMII, but integrated)
- A way to better manage the Certificate Error exception list and make it persistent (how about in blockfile format? Wink)
- Allow local.ptron and proxy itself to be accessed via HTTPS, although I'm not sure what browsers can make use of the latter
- $REM() for comments in patterns (requested by mizzmona)

By "proxy itself" do you mean 127.0.0.1:8080? If so, there are advantages to using 127.0.0.1 instead of local.ptron.
Sep. 05, 2018, 03:10 AM
Post: #82
RE: Proxomitron Reborn
(Sep. 04, 2018 05:06 AM)JJoe Wrote:  Surely you clicked the wrong Post Icon? ":(" doesn't seem right!
You're right, I did. My mistake. Now fixed Smile!
(Sep. 04, 2018 05:06 AM)JJoe Wrote:  By "proxy itself" do you mean 127.0.0.1:8080? If so there are advantages to using 127.0.0.1 instead of local.ptron.
Maybe my notation wasn't so clear --- by "local.ptron" I mean the builtin web server, and "proxy itself" the usual 127.0.0.1:8080. The HTTPS one can't use the same port, so it'll probably be at :8443 or similar.

Currently (and since 4.5j at least) it supports a sort of weird "silent half-SSL" mode where you can connect to it on 8080 and then send it an HTTPS URL, and it then makes an encrypted connection to the site but communication between browser and proxy is still unencrypted. In other words the browser doesn't need to support HTTPS, but it can access those sites through Proxomitron. I'm not sure if any browsers do or can be configured to do this.

What I'm planning to do is add something like https://127.0.0.1:8443/ so you can serve replacement scripts etc. over HTTPS too (eliminating a bunch of security warnings/errors), but then thanks to how it was designed, you would also be able to make an encrypted connection to it and then send requests like the regular one on 8080. Once again, I don't know of any browsers that can use that capability, but nice to know it's there.
The following 2 users say Thank You to amy for this post: Callahan, usr
Sep. 26, 2018, 05:33 AM
Post: #83
RE: Proxomitron Reborn
Love what you've done with Proxomitron.

(Sep. 05, 2018 03:10 AM)amy Wrote:  Currently (since 4.5j at least) it supports a sort of weird "silent half-SSL" mode where you can connect to it on 8080 and then send it an HTTPS URL, and it then makes an encrypted connection to the site but communication between browser and proxy is still unencrypted. In other words the browser doesn't need to support HTTPS, but it can access those sites through Proxomitron. I'm not sure if any browsers do or can be configured to do this.
half-SSL is kinda cool. sidki added it to his config set and I still use it that way on a browser where I can block ssl connections. There are caveats and limitations to doing this, but it's enough that I never bothered with chaining ProxHTTPSProxy to proxomitron.

When using half-ssl with proxo reborn there's a bug where the Host header contains the half-ssl proxy prefix. For example, this site's Host header appears as:
Host: https-px-.www.prxbx.com

You can reproduce the bug using sidki's latest config set, sidki_2011-12-22rc1, and turning on the half-ssl filters
https://www.prxbx.com/forums/showthread.php?tid=1870
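As an added illustration (not code from this thread or from Proxomitron itself) of the half-SSL mode amy describes in #82 and the Host header symptom rasczak reports above: a Python rewriter that turns the browser's plain-HTTP request for a `https-px-.`-prefixed host into the HTTPS request the proxy should forward to the real site, updating the Host header to match. The prefix is the one visible in the quoted Host header; that the prefix marks the real hostname and that the proxy rewrites the request URL is my reading of the thread, and the request below is constructed. `update_host=False` reproduces the reported symptom so that `host_mismatch` can serve as a regression check.

```python
from urllib.parse import urlsplit, urlunsplit

# Hostname prefix used by the half-SSL filters, taken from the Host header
# quoted in the thread. The browser sends plain HTTP to the proxy for this
# host; the proxy is expected to fetch the real host over HTTPS.
HALF_SSL_PREFIX = "https-px-."

# Constructed sample request as a browser would send it to the proxy.
SAMPLE_REQUEST = (
    "GET http://https-px-.www.prxbx.com/forums/showthread.php?tid=1870 HTTP/1.1\r\n"
    "Host: https-px-.www.prxbx.com\r\n"
    "User-Agent: constructed-sample/1.0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 proxy request into (method, url, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, url, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, url, version, headers, body


def set_header(headers, name, value):
    """Replace a header in place (case-insensitive name), or append it if absent."""
    out, done = [], False
    for n, v in headers:
        if n.lower() == name.lower():
            if not done:
                out.append((name, value))
                done = True
        else:
            out.append((n, v))
    if not done:
        out.append((name, value))
    return out


def redirect_half_ssl(raw, update_host=True):
    """Rewrite a half-SSL request into the HTTPS request the proxy should send.

    update_host=False leaves the Host header untouched, which reproduces the
    bug reported in the thread: URL rewritten, Host still carrying the prefix.
    Requests that are not half-SSL are returned unchanged."""
    method, url, version, headers, body = parse_request(raw)
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.netloc.lower().startswith(HALF_SSL_PREFIX):
        return raw
    real_host = parts.netloc[len(HALF_SSL_PREFIX):]
    new_url = urlunsplit(("https", real_host, parts.path, parts.query, parts.fragment))
    if update_host:
        headers = set_header(headers, "Host", real_host)
    head_lines = [f"{method} {new_url} {version}"] + [f"{n}: {v}" for n, v in headers]
    return "\r\n".join(head_lines) + "\r\n\r\n" + body


def host_header(raw):
    """Return the Host header value of a request, or None if it is missing."""
    return next((v for n, v in parse_request(raw)[3] if n.lower() == "host"), None)


def host_mismatch(raw):
    """Regression check: True when Host disagrees with the request URL's host
    (a missing Host header also counts as a mismatch)."""
    _, url, _, _, _ = parse_request(raw)
    host = host_header(raw)
    return host is None or host.lower() != urlsplit(url).netloc.lower()


if __name__ == "__main__":
    print(redirect_half_ssl(SAMPLE_REQUEST))
    print("buggy rewrite mismatches Host:", host_mismatch(redirect_half_ssl(SAMPLE_REQUEST, update_host=False)))
```

The check in `host_mismatch` is the kind of invariant worth asserting wherever a proxy rewrites a request URL: once the target host changes, the Host header (and anything else derived from the original host) has to change with it, or the upstream server sees a request for one virtual host on a connection to another.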
Oct. 29, 2018, 03:05 AM
Post: #84
RE: Proxomitron Reborn
I have been testing the cert generation/caching for over a month, unlike ProxHTTPSProxyMII I've chosen to cache the last 1000 certificates in memory only and not bother writing to disk --- so if you restart Proxomitron it'll generate new ones again. (I also initially tried generating a new cert every time, which wasn't noticeably slower and I might've chosen to do that if it weren't for a bug in a certain browser which causes a crash if it sees two requests for the same hostname return different certificates...) Let me know if you see any problems with doing it this way, otherwise I'll soon (within a month) release 4.6 with this and the other features listed above.
(Sep. 26, 2018 05:33 AM)rasczak Wrote:  When using half-ssl with proxo reborn there's a bug where the Host header contains the half-ssl proxy prefix. For example, this site's Host header appears as:
Host: https-px-.www.prxbx.com

You can reproduce the bug using sidki's latest config set, sidki_2011-12-22rc1, and turning on the half-ssl filters
https://www.prxbx.com/forums/showthread.php?tid=1870
Will be fixed in 4.6, but if you really want to, I can add the fix to 4.5.2.0 and release 4.5.2.1 (which will only differ from .0 by this fix.) Your choice.
The following 5 users say Thank You to amy for this post: Styx, mizzmona, referrer, usr, Callahan
Oct. 29, 2018, 03:49 AM (This post was last modified: Oct. 29, 2018 03:49 AM by rasczak.)
Post: #85
RE: Proxomitron Reborn
I can wait for 4.6 Thumbs Up
Oct. 29, 2018, 03:43 PM (This post was last modified: Oct. 29, 2018 03:44 PM by mizzmona.)
Post: #86
RE: Proxomitron Reborn
I have no druthers. (I would have, but I'm just unable to devote any time to it atm.)

Looking forward to seeing 4.6 released, though! Thanks, amy!
Dec. 02, 2018, 11:29 PM
Post: #87
RE: Proxomitron Reborn
Because I was busy with other things, 4.6 will be delayed a little, but it will definitely contain the following new features:
- certificate generation with correct naming
- https for local.ptron/localhost/127.0.0.1 (on a different port)
- $REM()
- certificate error bypass pattern (similar to the current URL bypass pattern option)
The following 6 users say Thank You to amy for this post: referrer, mizzmona, usr, prxymouse, Styx, Callahan
Dec. 09, 2018, 01:49 AM (This post was last modified: Dec. 09, 2018 01:50 AM by amy.)
Post: #88
RE: Proxomitron Reborn
A little preview of what's coming Smile!

[Image: attachment.php?aid=1052] (attached file: proxHTTPSconf.PNG, 8.07 KB)
The following 6 users say Thank You to amy for this post: referrer, Kye-U, prxymouse, usr, mizzmona, Callahan
Dec. 10, 2018, 05:39 AM (This post was last modified: Dec. 10, 2018 12:32 PM by amy.)
Post: #89
RE: Proxomitron Reborn
4.6.0.0 has been released! This version contains the following changes:

- Add missing update of Host header after redirection
This was a bug I introduced, which managed to creep its way through all the -Reborn versions. Thanks to rasczak for spotting it!

- Certificates generated with correct names
No longer deal with unfilterable HTTPS pages or "host name does not match" warnings/errors from browsers! The Proxomitron now generates certificates, signed by its own root, for each hostname to satisfy browser checks.

- $REM() pseudocommand
At the request of mizzmona, the $REM pseudocommand allows including commentary in filter expressions. Within the parentheses, write anything which will be ignored completely by the matching engine. Be sure to balance inner parentheses, or escape them and other special characters.

- Add HTTPS to local.ptron
Simply set the port in the new HTTPS settings tab to an unused one (e.g. 8443), restart Proxomitron, and visit e.g. https://local.ptron:your_port/.pinfo/ or any local path to see files served over HTTPS! https://localhost:your_port/ and https://127.0.0.1:your_port/ will work too, thanks to the Subject Alternative Names in the certificate that it generates. If you don't need this option, set the port to 0 and it will stop listening for HTTPS. The new configuration file keyword is SslPort in the Global section, and its default is 0.

- HTTPS configuration options for cipher suite selection and certificate error bypass
Also present in the new configuration dialog tab are two fields which correspond to two new keywords in the global configuration file section: SslCiphers and BypassCertErrs.

The former allows controlling the cipher suites which Proxomitron's SSL client (as presented to external sites) advertises support for; its format is a string that is documented at https://www.openssl.org/docs/man1.0.2/apps/ciphers.html . Leave it blank to use the default, which is currently "ALL:!eNULL:!aNULL:!EXP:!DES:!RC2:!SSLv2:!PSK:!aECDH:!CAMELLIA:!SEED:@STRENGTH". This is useful for the advanced users to fine-tune their TLS/SSL configuration.

The latter is a flexible way to specify sites which you do not want to be warned of certificate errors with; you can use any of Proxomitron's filtering language to construct an expression which will be matched against the hostname. This means you can use blockfiles too! Leaving this field blank (the default) means it will not match any hostname, and thus the behaviour will be unchanged from before.

- Add details to certificate error dialog
The certificate error dialog now shows the entire certificate details instead of only the name and its validity period dates. Useful for troubleshooting certificate errors.

- Add root certificate generation
This is the biggest new feature, and is accessible from the bottom button in the new HTTPS configuration tab. If you have an existing certificate in use, you can still click this button and look around; it will warn you that if you try to generate a certificate, it will replace your existing one. This new dialog allows you to specify some fields of the certificate to be generated, and if you have an existing certificate it conveniently duplicates the same information from it and lets you generate a new one with a validity period of another 5 years. You can choose the key size and algorithm, keeping in mind that not all browsers will support the more advanced ones, and that this certificate is only used to "fool" browsers into behaving since Proxomitron does most of the work of encryption and validation now. It makes sense to choose the most "insecure" that browsers will accept, because it improves performance. If you click Generate, it will create/overwrite the proxcert.pem and proxcert_certonly.pem files, and then after restarting Proxomitron and installing the certificate as a trusted root in the browser(s) you use, you can start experiencing real SSL filtering!

Enjoy! As always, please leave your feedback here and I will try to respond when I can.
The following 8 users say Thank You to amy for this post: referrer, mizzmona, soccerfan, Styx, defconnect, usr, Callahan, whenever
Dec. 10, 2018, 03:32 PM (This post was last modified: Dec. 10, 2018 03:39 PM by referrer.)
Post: #90
RE: Proxomitron Reborn
Don't know why, but it looks like URLs (except "*") in all blockfiles (e.g. URL Killfile.txt) only match in http filtering.

test:

URL Killfile.txt add:
Code:
www.alphapolis.co.jp/js/content-viewer.js

http://www.alphapolis.co.jp/js/content-viewer.js blocked
https://www.alphapolis.co.jp/js/content-viewer.js block failed