I am trying to do exactly what you have described in your last sentence: tricking Privoxy into using a key and certificate generated with Let's Encrypt, but I am not sure how to do that properly. You wrote „you need to put the files there using the right names (which you can get from the logs)”. Would you please elaborate, which files I have to put where and where I get the correct names from?
This tricking is what I wanted to do. My config is

ca-cert-file cacert.crt
ca-key-file cakey.pem
# ca-password - we do not have a password
certificate-directory /usr/local/var/privoxy/certs
ca-directory /usr/local/etc/privoxy/CA

and I add the files,

cakey.pem
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----

cacert.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

to both /usr/local/var/privoxy/certs and /usr/local/etc/privoxy/CA. I expected this to work because following...
The goal is the same as described in #1750. Getting https redirects work, without any manual install of certificates on the client side. Instead of using a self-signed certificate generated for privoxy, and manually importing it into the browsers (as described in ticket #1750), I would like to use a trusted certificate for privoxy redirects in order to avoid manual imports. I assumed that using the Let's Encrypt generated certificate of a domain I own (let's say example.com), configuring local DNS...
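The two failure modes in this thread, a key that does not belong to the certificate next to it and a server certificate (such as one issued by Let's Encrypt) that is not a CA and therefore cannot sign the per-site certificates https-inspection needs, can both be checked before Privoxy is started. This is an added example, not code from the ticket or from the Privoxy project; it assumes the openssl CLI is on PATH and makes up its subject names and working directory.

```shell
#!/bin/sh
# Added example, not from the ticket or the Privoxy project: pre-flight checks for
# the files ca-key-file / ca-cert-file point to. Assumes the openssl CLI is on PATH;
# file names follow the thread's config, subject names and directories are made up.

# 0 when the private key's public half equals the certificate's public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# 0 when the certificate carries basicConstraints CA:TRUE; without it the cert
# cannot sign the per-site certificates https-inspection generates.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Self-signed CA the way the Privoxy manual creates it (-extensions v3_ca),
# with an unencrypted key because the thread's config sets no ca-password.
make_ca() {
    openssl req -new -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Privoxy test CA" -days 3650 \
        -keyout "$1/cakey.pem" -out "$1/cacert.crt" >/dev/null 2>&1
}

# An end-entity certificate signed by that CA with no basicConstraints, i.e.
# an ordinary server certificate, which is not a CA.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/cacert.crt" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 30 -out "$1/leaf.crt" >/dev/null 2>&1
}

# Demonstration on constructed files: the CA pair passes, the leaf pair does not.
check_demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" && make_leaf "$dir" &&
    key_matches_cert "$dir/cakey.pem" "$dir/cacert.crt" &&
    cert_is_ca "$dir/cacert.crt" &&
    ! cert_is_ca "$dir/leaf.crt" &&
    ! key_matches_cert "$dir/leaf.key" "$dir/cacert.crt"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

To check a real pair, source the script and run `key_matches_cert cakey.pem cacert.crt && cert_is_ca cacert.crt`; both must succeed before the files are useful as ca-key-file and ca-cert-file.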
https-inspection, Error: Issuer key doesn't match issuer certificate, follow-up to #1750
Yes, it did work in the end. There was an additional checkbox to check after the import. The ticket can be closed.
@fabiankeil

imported the certificate into Firefox
the import is successful

firefox request facebook.com
Secure connection failed and Firefox did not connect / HSTS
https://support.mozilla.org/en-US/kb/secure-connection-failed-firefox-did-not-connect#w_hsts-required

privoxy log for firefox request facebook.com
privoxy | 2022-10-27 14:15:26.824 7fd413c60700 Connect: Accepted connection from 127.0.0.1 on socket 6
privoxy | 2022-10-27 14:15:26.825 7fd413c60700 Header: scan: CONNECT www.facebook.com:443...
1. add Privoxy's certificate to /home/nagy/yes/ssl/cacert.pem

curl
curl -x localhost:8118 -v --head https://www.facebook.com/
*   Trying 127.0.0.1:8118...
* Connected to localhost (127.0.0.1) port 8118 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.facebook.com:443
> CONNECT www.facebook.com:443 HTTP/1.1
> Host: www.facebook.com:443
> User-Agent: curl/7.71.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<
* Proxy replied...
@fabiankeil Ok, I will test if either of the two options above work ( 1. add Privoxy's certificate to /home/nagy/yes/ssl/cacert.pem, or 2. use curl's --insecure option). However, /home/nagy/yes/ssl/cacert.pem is on the client side. We cannot add Privoxy's certificate to /home/nagy/yes/ssl/cacert.pem in practice. A user will not use the --insecure option either, I expect. Is there a way to get privoxy asking the client side for accepting the certificate?
@fabiankeil see two more config attempts above. Do you have an out-of-the-box working sample config?
config

ca-directory /usr/local/etc/privoxy/CA
certificate-directory /usr/local/var/privoxy/certs
ca-cert-file cacert.crt
ca-key-file cakey.pem
ca-password blabla
# Explicitly set a couple of ciphers with names used by MbedTLS
cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
...
TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
trusted-cas-file trusted_cas_file.pem

trusted_cas_file.pem as downloaded...
following https://www.privoxy.org/user-manual/config.html#HTTPS-INSPECTION-DIRECTIVES / 7.7.2

docker exec -ti privoxy openssl req -new -x509 -extensions v3_ca -keyout /usr/local/etc/privoxy/CA/cakey.pem -out /usr/local/etc/privoxy/CA/cacert.crt -days 3650

config
ca-directory /usr/local/etc/privoxy/CA
certificate-directory /usr/local/var/privoxy/certs
ca-cert-file cacert.crt
ca-key-file cakey.pem
ca-password blabla
# Explicitly set a couple of ciphers with names used by MbedTLS
# cipher-list ... commented...
@fabiankeil

$ docker exec privoxy ls -ld /usr/local/etc/privoxy/CA
drwxr-xr-x 2 privoxy privoxy 4096 Oct 6 19:16 /usr/local/etc/privoxy/CA
$ docker exec privoxy ls -l /usr/local/etc/privoxy/CA
-rw-r--r-- 1 privoxy privoxy 1249 Oct 6 18:40 cacert.crt
-rw------- 1 privoxy privoxy 1854 Oct 6 18:40 cakey.pem

this looks ok to me. As previously mentioned, the CA folder is not even available initially, I needed to mkdir + chown
@fabiankeil

curl
$ curl -x localhost:8118 -v --head https://www.facebook.com/
*   Trying 127.0.0.1:8118...
* Connected to localhost (127.0.0.1) port 8118 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.facebook.com:443
> CONNECT www.facebook.com:443 HTTP/1.1
> Host: www.facebook.com:443
> User-Agent: curl/7.71.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!...
@fabiankeil @roro see above message. Redirecting https does not seem to work, no matter if FEATURE_HTTPS_INSPECTION was set. Can you reproduce this, or am I doing something wrong?
Today I tested this issue on debian with 3.0.33 and FEATURE_HTTPS_INSPECTION enabled.

user.action
{+https-inspection}
.facebook.com
{+ignore-certificate-errors}
.facebook.com
{+redirect{https://duckduckgo.com}}
.google.com
{+redirect{https://origo.hu}}
.facebook.com

when entering facebook.com I get a PR_END_OF_FILE_ERROR. Could you help with getting the redirect working?
The test is still not passing. FEATURE_HTTPS_INSPECTION does not seem to make any difference. See ticket description for details.
Thank you Roland, the FEATURE_HTTPS_INSPECTION indeed showed up! I am yet to test the effect.
Thank you Roland, I appreciate! I still have Ubuntu 20, because of driver issues. /usr/local/sbin is empty

$ sudo dpkg -i ~/Downloads/privoxy_3.0.33-1~focal+1_amd64.deb
(Reading database ... 218603 files and directories currently installed.)
Preparing to unpack .../privoxy_3.0.33-1~focal+1_amd64.deb ...
Unpacking privoxy (3.0.33-1~focal+1) over (3.0.28-2ubuntu0.1) ...
dpkg: dependency problems prevent configuration of privoxy:
 privoxy depends on libmbedcrypto3 (>= 2.13); however:
  Package libmbedcrypto3...
// all steps, starting from scratch
rm -fR privoxy
git clone https://www.privoxy.org/git/privoxy.git
cd privoxy
git checkout v_3_0_33
autoheader
autoconf
./configure --with-openssl
// "configure: Detected OpenSSL. Enabling https inspection." is there
make
// openssl.o is linked
./privoxy --version
// 3.0.33
make install
// Creating directories, and preparing Privoxy 3.0.33 stable installation
// chmod 0755 ./mkinstalldirs
// Installing privoxy executable to /usr/local/sbin
// /usr/bin/install -c...
// all steps, starting from scratch
git clone https://www.privoxy.org/git/privoxy.git
cd privoxy
git checkout v_3_0_33
autoconf
./configure --with-openssl
// "configure: Detected OpenSSL. Enabling https inspection." is there
autoheader
make
// openssl.o is linked
privoxy --version
// 3.0.33
systemctl stop privoxy && sudo cp privoxy /usr/sbin/privoxy && systemctl start privoxy
systemctl status privoxy
// privoxy all fine
http://config.privoxy.org/show-status
// looks all fine except for not listing...
I am on Ubuntu and git cloned, compiled 0.34, using libssl. Both the config and make steps looked fine. See comment above. However, http://config.privoxy.org/show-status conditional #defines does not list FEATURE_HTTPS_INSPECTION, and it also does not seem to work. Any hints? I might just switch over to Debian if that made things easier.
@fabiankeil can you give me a pointer on how to get FEATURE_HTTPS_INSPECTION working?
https://serverfault.com/questions/249340/install-openssl-dev-on-ubuntu-server told me it is called libssl

./configure
...
checking for SSL_library_init in -lssl... no
configure: Detected OpenSSL. Enabling https inspection.

make
...
openssl.o

systemctl stop privoxy && sudo cp privoxy /usr/sbin/privoxy && systemctl start privoxy
systemctl status privoxy
OK

http://config.privoxy.org/show-status
Conditional #defines does not list FEATURE_HTTPS_INSPECTION

What am I doing wrong?
First I tried using 0.33, however http://config.privoxy.org/show-status was not listing FEATURE_HTTPS_INSPECTION. Then I git cloned, compiled 0.34, however FEATURE_HTTPS_INSPECTION is still not listed. I could not find out how to enable FEATURE_HTTPS_INSPECTION. I do have openssl, but autoconf did not seem to care. Could you help?
I am on 3.0.33 and added a line {+https-inspection}. How can I get it working?

Fatal error: can't load actions file '/etc/privoxy/user.action': can't completely parse the action section starting at line (199): {+https-inspection}
hello Fabian,

F> Privoxy 3.0.28 is really old ...

I can imagine. This is the one used in the Ubuntu LTS version. Let me know if using a newer version made a difference.

F> Are you trying to redirect https requests?

Yes.

F> Modern browsers no longer allow this unless HTTPS inspection is enabled (which is not supported in Privoxy 3.0.28).

I use Chromium 102.0.5005.115. Is that modern? How come it sometimes works? I do not get it. What do you suggest me doing?
oh I forgot to mention, the browser returns the error message, ERR_TUNNEL_CONNECTION_FAILED