FiddlerCore as Transparent Proxy

10 posts, 0 answers
  1. Lawrence
    3 posts
    Member since: Mar 2014

    Posted 09 Mar 2014

    Hi, 

    I'm trying to set up FiddlerCore to accept remote connections on ports 80 and 443 and then act as a proxy for incoming connections, without being configured as the system proxy on the client machine, similar to how Squid can be configured in transparent mode. So far I've tried a number of variations on the below with no luck.

                        using Fiddler;

                        // Start on 3145; not the system proxy, no HTTPS decryption.
                        FiddlerApplication.Startup(3145, false, false);
                        // Extra listeners on 80 and 443 that allow remote connections;
                        // the third argument is the hostname for the endpoint's HTTPS certificate.
                        var altEndPoint = FiddlerApplication.CreateProxyEndpoint(80, true, "*");
                        altEndPoint.Attach();
                        var oSecureEndpoint = FiddlerApplication.CreateProxyEndpoint(443, true, "*");
                        oSecureEndpoint.Attach();

    Is what I'm trying to do possible? I would really appreciate any pointers!
  2. Eric Lawrence
    Admin
    833 posts

    Posted 10 Mar 2014

    Hi, Lawrence-- 

    Can you elaborate a little more on what specifically you're trying to accomplish?

    A Transparent proxy can only function when you have a configuration whereby traffic is forced through it (e.g. by configuring router rules, etc). FiddlerCore can capture traffic that is explicitly sent to it, and can evaluate the URL and host header when deciding where to send it (which are both elements of how a Transparent proxy or Reverse Proxy works) but it doesn't have any way to transparently force a client to use it.

    -Eric

  3. Lawrence
    3 posts
    Member since: Mar 2014

    Posted 17 Mar 2014

    Great, that's exactly what I thought and was trying to achieve. I'm looking to allow capture of traffic, and redirection, on some of the devices in my home that don't support having a proxy configured.

    So far I've taken an open source C# DNS server and written the query code so that it can return the address of the machine hosting it for certain domains. So, for example, www.bbc.co.uk is resolved to the server, which also has simple port forwarding set up to forward any traffic received on port 80 or 443 to the correct endpoint for www.bbc.co.uk.

    I wanted to take this one step further with FiddlerCore set up as a transparent proxy. This would hopefully allow me to respond to items such as *.bbc.co.uk using the DNS server; Fiddler would then correctly proxy these requests to the appropriate endpoints, having resolved the IPs using a genuine DNS server.

    Would it be useful if I posted some of the code I've got at the moment? The problem I'm currently seeing with FiddlerCore is that it doesn't seem to like picking up the traffic on 443 or 80 when remote, even with remote enabled. On a side note, I also managed to get it sending traffic to itself in an infinite loop at one point when testing with just one machine: bbc.co.uk -> localhost -> FiddlerCore -> bbc.co.uk -> localhost, etc. (human error, not Fiddler's fault, but it did have me confused for a while!)

    Ps. Love fiddler and thanks for getting back to me on this!

  4. Eric Lawrence
    Admin
    833 posts

    Posted 17 Mar 2014

    Hi, Lawrence--

    The most useful thing you could do is expound upon this:

    > The problem I'm currently seeing with fiddlercore is that it doesn't
    > seem to like picking up the traffic on 443 or 80 when remote even
    > with remote enabled.


    How did you enable remote access? Did you remember to reconfigure your firewall to allow inbound traffic to the process hosting FiddlerCore?

    thanks,

    -Eric
     
  5. Lawrence
    3 posts
    Member since: Mar 2014

    Posted 19 Mar 2014 in reply to Eric Lawrence

    Hi,

    Turns out that I had enabled the firewall for the app, but just for the copy in the release folder of my project, not the bin folder. Face palm. I punched open all the ports regardless of which app was listening, then had another look at what I'm seeing, cracking open Wireshark and the like. It turns out that the port 80 instance of Fiddler is functioning correctly. I can spoof the DNS from the client, redirect to the Fiddler endpoint and see the content proxied nicely.

    When it comes to the HTTPS endpoint, it looks like I've misunderstood the HTTP spec. Looking at it in more detail, I was expecting the client to send an "HTTP CONNECT bob.example.com:443", which would then be proxied by Fiddler. As the client has no idea that it's being proxied, no CONNECT message is being sent and the client is attempting a direct connection to the HTTPS endpoint at Fiddler. I think this explains why I don't see the traffic come in and kick off the BeforeRequest event.

    Cracking open ILSpy, it looks like, if I define a single shttpsHostName when I create the proxy endpoint, I'll be able to intercept that, but with a different cert, as Fiddler will terminate the connection and MITM it.

    I think I'm going to wrap up where I am at the moment in a rough UI and blog about it, as I'm very close to where I wanted to be.

    Users can host the DNS server on their machine and configure, say, a smart TV to connect through it, then capture the traffic with FiddlerCore for later analysis or redirect it straight to a running version of Fiddler. The only downside is that if the app relies on HTTPS at some point, say a login page, then this isn't going to function as expected.

    As a really rough workaround I've used straight TCP forwarding, which is set up following a DNS request. At this point I treat the DNS query as if it was an HTTP CONNECT and set up the tunnel, but this falls down a bit due to caching of queries and if there are multiple HTTPS requests in sequence.


  6. Eric Lawrence
    Admin
    833 posts

    Posted 24 Mar 2014

    Hello,

    If you set CONFIG.bUseSNIForCN to True, FiddlerCore will look at the inbound HTTPS connection for a ServerNameIndication TLS extension, and if found, generate a certificate to match the certificate hostname expected by the client as indicated in its handshake.

    If that Boolean isn't set to true, or if the client's HTTPS handshake does not include a SNI, then FiddlerCore will use the certificate or hostname provided when the call to CreateProxyEndpoint was made.

    Regards,
    Eric Lawrence
    Telerik
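
    Putting posts 5 and 6 together in code. The following is an added example; it is not code from this thread, from Telerik, or from Lawrence's project. It is a FiddlerCore host that opens transparent listeners on 80 and 443, lets CONFIG.bUseSNIForCN pick the certificate CN from the client's TLS ClientHello (falling back to the hostname given to CreateProxyEndpoint when no SNI is sent), forwards each request to the genuine server by address so that a spoofed DNS answer pointing at the proxy does not loop back into it, and refuses any request that would. It assumes the FiddlerCore API used earlier in the thread (FiddlerApplication.Startup(int, bool, bool), CreateProxyEndpoint, CertMaker, and Session flags such as x-overrideHost); the port 8877, the hostname "fallback.invalid", and the REAL_ADDRESSES table with www.example.com are placeholders to be replaced with addresses obtained from a genuine resolver.

```csharp
// Added example (not from the thread or from Telerik): FiddlerCore as a
// transparent proxy on 80/443 for clients whose DNS or iptables rules point
// at this machine. Assumes Fiddler.dll (FiddlerCore) is referenced.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
using Fiddler;

class TransparentHost
{
    // Assumption: genuine addresses for the names the spoofing DNS answers
    // for, obtained from a real resolver. Placeholder entry only.
    static readonly Dictionary<string, string> REAL_ADDRESSES =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "www.example.com", "93.184.216.34" },
        };

    // This machine's addresses: a request that resolves to one of them
    // would loop (spoofed DNS -> proxy -> spoofed DNS -> proxy ...).
    static readonly HashSet<IPAddress> Local = new HashSet<IPAddress>();

    static void Main()
    {
        foreach (var a in Dns.GetHostAddresses(Dns.GetHostName())) Local.Add(a);

        // A root certificate is needed to mint per-host leaf certs; it must
        // also be installed on every client device being intercepted.
        if (!CertMaker.rootCertExists()) CertMaker.createRootCert();
        CertMaker.trustRootCert();

        // Take the certificate CN from the ClientHello's SNI extension; the
        // hostname passed to CreateProxyEndpoint is used only when SNI is absent.
        CONFIG.bUseSNIForCN = true;

        FiddlerApplication.BeforeRequest += OnBeforeRequest;

        // Explicit listener on an arbitrary port (8877); not registered as the
        // system proxy; HTTPS decryption on so tunnelled requests are visible.
        FiddlerApplication.Startup(8877, false, true);

        // Transparent listeners: clients send plain HTTP to 80 and a TLS
        // ClientHello (no CONNECT) to 443, exactly as post 5 observed.
        Proxy http = FiddlerApplication.CreateProxyEndpoint(80, true, (string)null);
        Proxy https = FiddlerApplication.CreateProxyEndpoint(443, true, "fallback.invalid");
        if (!http.Attach() || !https.Attach())
            Console.WriteLine("Could not bind 80/443: port in use, firewall, or missing privileges.");

        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();

        https.Detach();
        http.Detach();
        FiddlerApplication.Shutdown();
    }

    static void OnBeforeRequest(Session oS)
    {
        string host = oS.hostname;
        string ip;
        if (REAL_ADDRESSES.TryGetValue(host, out ip))
        {
            // Route to the genuine server by address while leaving the Host
            // header (and the SNI Fiddler sends upstream) untouched.
            oS["x-overrideHost"] = ip + ":" + oS.port;
            return;
        }
        if (PointsAtSelf(host))
        {
            // Refuse rather than connect back into our own listener.
            oS.utilCreateResponseAndBypassServer();
            oS.responseCode = 508;
            oS.utilSetResponseBody("Loop detected: " + host + " resolves to this proxy.");
            return;
        }
        Console.WriteLine("{0} {1}", oS.isHTTPS ? "HTTPS" : "HTTP", oS.fullUrl);
    }

    // True when the hostname (or literal address) resolves to this machine.
    static bool PointsAtSelf(string host)
    {
        IPAddress parsed;
        IPAddress[] addrs;
        if (IPAddress.TryParse(host, out parsed))
            addrs = new[] { parsed };
        else
        {
            try { addrs = Dns.GetHostAddresses(host); }
            catch (SocketException) { return false; }
        }
        foreach (var a in addrs)
            if (IPAddress.IsLoopback(a) || Local.Contains(a)) return true;
        return false;
    }
}
```

    Run it with enough privilege to bind 80 and 443, allow the process through the firewall (post 4), and install the generated root certificate on each client device; without that the device's TLS stack rejects the minted leaf certificate, which is the expected outcome of interception rather than a FiddlerCore fault. Clients that send no SNI are handed the "fallback.invalid" certificate, which is the fallback behaviour post 6 describes.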
     

     
  7. Vladimir
    2 posts
    Member since: Jul 2014

    Posted 29 Jul 2014 in reply to Eric Lawrence

    Hello

    I would like to ask if setting CONFIG.bUseSNIForCN to True in Fiddler is possible? I have the following issue: basically I am using a Linux bridge + iptables to preroute HTTP/HTTPS traffic for specific hosts to the Fiddler proxy on a local network. Fiddler appears as a transparent proxy to the clients and that breaks the CONNECT tunnels. I did try to change CONFIG.bUseSNIForCN using the fiddler.exe.config file but it didn't work; after all, .NET is not my field of knowledge. Any thoughts?
  8. Eric Lawrence
    Admin
    833 posts

    Posted 29 Jul 2014

    Hi, Vladimir:

    To set this value inside Fiddler (rather than FiddlerCore), go to the black QuickExec box below the Web Sessions list on the left hand side of Fiddler. In it, type

       prefs set fiddler.network.https.SetCNFromSNI true

    and hit Enter.

    Regards,
    Eric Lawrence
    Telerik
     

     
  9. Vladimir
    2 posts
    Member since: Jul 2014

    Posted 29 Jul 2014 in reply to Eric Lawrence

    Hello Eric

    Thank you for your help; unfortunately that didn't solve the problem. I am still missing something. I have Client (Windows PC) -> Linux bridge (forwarding both ports 80 and 443 to Fiddler's native 8888) -> Fiddler listening on port 8888. Even though CONFIG.bUseSNIForCN is set to true, it seems the CONNECT tunnel cannot be established. Does Fiddler look for inbound HTTPS on port 8888 in the above setup? Is there any option to slice the traffic onto two ports, one (e.g. 8888) dedicated to HTTP and a second for HTTPS tunnels (e.g. port 444)?

    Regards,
    Vladimir
    Dennis Technology Labs
  10. Eric Lawrence
    Admin
    833 posts

    Posted 30 Jul 2014

    Hi, Vladimir--

    By default, Fiddler doesn't attempt to perform HTTPS handshakes with the client; it expects clients to connect to it using HTTP, as this is how proxies work.

    You can tell Fiddler to create a new listening port that will perform a HTTPS handshake for every client that connects; this is discussed in the Fiddler Book (http://fiddlerbook.com)

    !listen port [SubjectCN]

    Starts a new proxy listener object on the specified port. This listener’s Sessions will be added to the Web Sessions list. The listener instance is automatically configured to permit remote connections.

    If the CN parameter is present, all inbound connections on this listener will automatically invoke a HTTPS handshake; Fiddler will present a certificate containing the specified SubjectCN. This feature is primarily useful when Fiddler is being used as a reverse proxy for a HTTPS site.

    !listen 8889

    !listen 4443 secure.example.com 


    In the QuickExec box below Fiddler's Session list, type !listen 8889 secure.example.com

    In your browser, you can then visit, e.g. https://127.0.0.1:8889 and see that Fiddler handshakes with the browser, returning a certificate for "secure.example.com"

    Keep in mind that you must perform this step each time you restart Fiddler; it doesn't keep track of the new listeners you create across multiple Sessions. 



    Regards,
    Eric Lawrence
    Telerik
     
