HTTPS, forwarding (or not) CONNECT verb

4 posts, 0 answers
  1. Stephen
    Stephen avatar
    2 posts
    Member since:
    Nov 2015

    Posted 16 Nov 2015 Link to this post

    Hello, the only way I can get HTTPS to work is when I have my browser setting to include our company's enterprise (forward) proxy, so that when Fiddler starts, that enterprise proxy is next in line. If I instead have the browser set as "No ​proxy" before starting Fiddler, then an HTTPS connection will fail with a 502 once Fiddler is started.

     

    Using WireShark to do a network trace, I can see why things are failing:

    1) Once Fiddler is started, the browser has a proxy (Fiddler), and so it starts a CONNECT handshake when doing HTTPS.

    2) Fiddler *forwards* the CONNECT to the web server, as if the web server were instead itself a proxy. Because the web server is not listening on port 80 (which CONNECT uses), this fails with a 502.

    It seems like when there was no proxy before Fiddler started, it should "swallow" all CONNECTs and not forward them to the target web servers.

    What am I missing here?

    Thanks, Steve

  2. Eric Lawrence
    Admin
    Eric Lawrence avatar
    833 posts

    Posted 16 Nov 2015 Link to this post

    Hello, Stephen--

    This certainly *should* work like you expect. Can you provide some more information?

    What Fiddler version are you using (Help > About) exactly?

    Does Fiddler have HTTPS decryption enabled?

    Can you type about:network and hit Enter in the black QuickExec box below Fiddler's Web Sessions list, then copy the output from the Log tab into your response?

    If you can email me the Wireshark capture (Help > Send Feedback) that may help too.

    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  3. Stephen
    Stephen avatar
    2 posts
    Member since:
    Nov 2015

    Posted 16 Nov 2015 in reply to Eric Lawrence Link to this post

    Thanks for the reply Eric.

    Version:

    Fiddler Web Debugger (v2.6.1.4)
    Built: Friday, October 30, 2015

    32-bit x86, VM: 36.0mb, WS: 47.0mb
    .NET 2.0.50727.5485 WinNT 6.1.7601 SP1

    Yes, "Capture HTTPS CONNECTs", and "Decrypt HTTPS traffic" checked.

    Here is the about:network. And looking at it, and then googling the obvious bit about the Chrome GPO and the Script=    http://www-proxy-pac.lmig.com/proxy.pac, I think I can anticipate what you'll say my problem is: it looks like my company (sometime in the last year) set up a GPO that is essentially hardcoding Chrome's proxy settings. Which is kind of funny, because I'm testing using FireFox, but there are some behaviors here that appear like the "no proxy" in FireFox is being ignored (in at least one respect).

    Thanks, Steve

    -= Fiddler Event Log =-
    See http://fiddler2.com/r/?FiddlerLog for details.

    13:21:15:4568 Fiddler Running...
    13:21:15:4608 !WARNING Fiddler has detected that Chrome GPO specifies proxy configuration 'system'.
    13:23:19:1822 -- NetworkInterfaces --
         Loopback Pseudo-Interface 1     'Software Loopback Interface 1' Type: Loopback @ 1,073,741,824/sec. Status: UP
        VirtualBox Host-Only Network     'VirtualBox Host-Only Ethernet Adapter' Type: Ethernet @ 100,000,000/sec. Status: UP
               Local Area Connection     'Intel(R) 82577LM Gigabit Network Connection' Type: Ethernet @ 1,000,000,000/sec. Status: UP
       Wireless Network Connection 2     'Microsoft Virtual WiFi Miniport Adapter' Type: Wireless80211 @ 450,000,000/sec. Status: DOWN
         Wireless Network Connection     'Intel(R) Centrino(R) Ultimate-N 6300 AGN' Type: Wireless80211 @ 450,000,000/sec. Status: DOWN

    Total bytes received (IPv4): 304,785,140

    Local Addresses:
        10.115.138.136
        192.168.56.1
        ::1

    RAS reports 1 Connectoids

    -= WinINET settings for 'DefaultLAN' =-
    HTTP=    
    HTTPS=    
    FTP=    
    SOCKS=    
    Script=    http://www-proxy-pac.lmig.com/proxy.pac
    Bypass=    <-loopback>
    ProxyType:    1

  4. Eric Lawrence
    Admin
    Eric Lawrence avatar
    833 posts

    Posted 16 Nov 2015 Link to this post

    Hello, Stephen--

    The contents of the http://www-proxy-pac.lmig.com/proxy.pac file determine what, if any, upstream proxy Fiddler sends its requests to. You should be able to pull down that file (e.g. using Fiddler's Composer) to have a look at it and see if there's anything obviously amiss.

    If you're confident that you don't need to use any upstream proxy, you can configure Fiddler to ignore it entirely using Tools > Fiddler Options > Gateway > No Proxy.

    If you'd like me to have a look at your proxy script privately, please feel free to send it to me using Help > Send Feedback.

    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
Back to Top