you could use nginx substitutions module maybe, else forward to php and dom parse and replace all script src, a href etc<br><br><div class="gmail_quote">On Mon, Nov 15, 2010 at 6:54 AM, Marc de Bruin <span dir="ltr"><<a href="mailto:marc@debruin.org">marc@debruin.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Lo,<br>
<br>
At work, we have a perfectly functioning proxy server, which I don't trust. :-/ So I wanted to use my home infrastructure in a transparent way (e.g., no SSH port forwarding) to allow me just to use my browser to get http pages via https. Sort of a chained proxy.<br>
<br>
I came up with the following, working, configuration:<br>
<br>
server {<br>
listen 999 ssl;<br>
server_name ~^(?<mangled>.+)\.ubergurus\.eu$;<br>
<br>
set $website $mangled;<br>
if ($website ~* (.*)_(.*)) { set $website $1.$2; }<br>
if ($website ~* (.*)_(.*)) { set $website $1.$2; }<br>
if ($website ~* (.*)_(.*)) { set $website $1.$2; }<br>
if ($website ~* (.*)_(.*)) { set $website $1.$2; }<br>
if ($website ~* (.*)_(.*)) { set $website $1.$2; }<br>
if ($website ~* (.*)_(.*)) { set $website $1.$2; }<br>
if ($website ~* (.*)_(.*)) { set $website $1.$2; }<br>
if ($website ~* (.*)_(.*)) { set $website $1.$2; }<br>
if ($website ~* (.*)_(.*)) { set $website $1.$2; }<br>
if ($website ~* (.*)_(.*)) { set $website $1.$2; }<br>
<br>
ssl_certificate /opt/etc/nginx/ssl_ubergurus.eu/wildcard.ubergurus.eu.crt;<br>
ssl_certificate_key /opt/etc/nginx/ssl_ubergurus.eu/wildcard.ubergurus.eu.key;<br>
ssl_crl /opt/etc/nginx/ssl_ubergurus.eu/crl.pem;<br>
ssl_client_certificate /opt/etc/nginx/ssl_ubergurus.eu/ca.crt;<br>
ssl_verify_client on;<br>
<br>
location / {<br>
proxy_set_header Host $website;<br>
rewrite ^(.*)$ $website$request_uri break;<br>
proxy_pass http://$website;<br>
}<br>
}<br>
<br>
At home, 443 forwards to 999.<br>
<br>
At work, I'm now able to get e.g. <a href="https://www_ns_nl.ubergurus.eu/" target="_blank">https://www_ns_nl.ubergurus.eu/</a> which results, after two-sided SSL being set up, in a <a href="http://www.ns.nl" target="_blank">http://www.ns.nl</a> get at home, and tunneling the result back to work. Of course still the URL shows up in the work's proxy log, but no content. The server certificate is a self-signed wildcard certificate for *.<a href="http://ubergurus.eu" target="_blank">ubergurus.eu</a>, so any mangled site would work, as long as it doesn't contain the 'dot'-char.<br>
<br>
A few questions came up during this invention:<br>
- Repeating the if line 10 times allows 10 levels of _-chars, meaning 10 subdomains. Is there a better way to accomplish this?<br>
- Some sites contain absolute URLs within the content (e.g. the <A HREF=""> tag and <IMG > tag), which aren't rewritten back to https://*.<a href="http://ubergurus.eu" target="_blank">ubergurus.eu</a>. This causes leakage at the work site. Is there a quick way to add that?<br>
- Any ideas about a better mangling scheme to further obfuscate the destination website from the proxy log?<br>
<br>
Or am I just being crazy here... ;-)<br>
<br>
Tnx,<br>
Marc.<br>
<br>
PS: Great piece of software, nginx!<br>
</blockquote></div><br>
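The mangling scheme and the absolute-URL leak discussed in this thread, as an added Python example that is not code from either poster. The function names are hypothetical, and the attribute regex is a stand-in for the DOM parse suggested in the reply; it only handles one href/src attribute on a, img and script tags.

```python
import re
from urllib.parse import urlsplit, urlunsplit

PROXY_DOMAIN = "ubergurus.eu"  # wildcard domain used in the post
# href/src on the tags named in the thread (assumption: one URL attribute per tag).
URL_ATTR = re.compile(
    r'''(?P<pre><(?:a|img|script)\b[^>]*?\s(?:href|src)\s*=\s*)'''
    r'''(?P<q>["'])(?P<url>.*?)(?P=q)''', re.I)

def mangle(host):
    """www.ns.nl -> www_ns_nl.ubergurus.eu"""
    if "_" in host:
        raise ValueError("'_' in host would not survive demangling")
    return host.lower().replace(".", "_") + "." + PROXY_DOMAIN

def demangle(server_name):
    """www_ns_nl.ubergurus.eu -> www.ns.nl, any number of '_' in one pass."""
    suffix = "." + PROXY_DOMAIN
    name = server_name.lower()
    label = name[:-len(suffix)]
    # The wildcard certificate covers one label only, so reject dotted labels.
    if not name.endswith(suffix) or not label or "." in label:
        raise ValueError("not a single-label name under " + PROXY_DOMAIN)
    return label.replace("_", ".")

def rewrite_url(url):
    """Point an absolute http:// URL back at the proxy; leave the rest alone."""
    try:
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or parts.port is not None:
            return url  # relative, non-http, or explicit port: left unchanged
        return urlunsplit(("https", mangle(parts.hostname),
                           parts.path, parts.query, parts.fragment))
    except ValueError:
        return url  # unparseable URL or host containing '_': left unchanged

def rewrite_html(html):
    """Rewrite absolute URLs in href/src attributes of a response body."""
    return URL_ATTR.sub(
        lambda m: m["pre"] + m["q"] + rewrite_url(m["url"]) + m["q"], html)

if __name__ == "__main__":
    sample = '<a href="http://www.ns.nl/reizen">x</a>'  # constructed input
    print(rewrite_html(sample))
    print(demangle("www_ns_nl.ubergurus.eu"))
```

URLs that cannot be expressed in the scheme (a host containing an underscore, an explicit port) are returned unchanged, so they would still be fetched directly.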