Question
I'm doing a POC on a product where I need to set up a VPN server and manipulate the request (basically the URL parameters, not the headers/form data). I'll share my findings in this post and the blockers too. Need some advice on the blockers.
My setup:

    oVPN client -> oVPN server -> Squid Proxy -> Internet
                                       |
                                    Logstash
                                       |
                                     Kibana

Logstash parses the Squid proxy logs (the browsed URLs) and dumps them to ES, which is then viewed in Kibana.
Findings.
- When my client connects with the VPN server and browses HTTP URLs (both from apps and the mobile browser), it shows up in Kibana. I can manipulate the request too.
- When my client connects with the VPN server and browses HTTPS URLs (from the mobile browser), it shows up in Kibana. I can manipulate the request too. This is because the browser has a set of authorized public certificates which allows for a successful handshake.
- When my client connects with the VPN server and browses HTTPS URLs (from the apps), it does not show up in Kibana. This is because of certificate pinning. The connection is dropped by the client upon not being able to verify the domain certificate. As a result, I cannot manipulate the request.
Blockers
What I'm stuck at is point 3. I know ISPs and VPNs can track my browsing history, not just domains but the complete URL. I know that, theoretically, my HTTPS requests are encrypted, and hence only domain names are visible. There's something I'm missing that I'm not aware of. I'd like some opinions on how this is possible.
Expecting some positive news.
Source: https://stackoverflow.com/questions/65122190/modify-request-from-open-vpn-server
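Added example, not part of the original post: a small parser for Squid's native `access.log` format that reports, per request, how much of the URL the proxy in the setup above could actually observe. The sample log lines, addresses and the `kind` labels are constructed for illustration; the `https-decrypted` case assumes the proxy terminates TLS itself with a CA the client trusts.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Squid's native access.log format (not from the post):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1606982400.123    215 10.8.0.6 TCP_MISS/200 4512 GET http://example.com/search?q=test&page=2 - HIER_DIRECT/192.0.2.10 text/html
1606982401.456  30012 10.8.0.6 TCP_TUNNEL/200 5231 CONNECT api.example.com:443 - HIER_DIRECT/192.0.2.20 -
1606982402.789    180 10.8.0.6 TCP_MISS/200 912 GET https://shop.example.com/cart?id=7 - HIER_DIRECT/192.0.2.30 application/json
"""


def parse_line(line):
    """Parse one native-format line and describe what the proxy could see."""
    fields = line.split()
    if len(fields) < 10:
        return None  # truncated or not in native format
    client, method, target = fields[2], fields[5], fields[6]

    if method == "CONNECT":
        # Opaque TLS tunnel: the log holds host:port only, never path or query.
        host, _, port = target.rpartition(":")
        if not port.isdigit():
            host, port = target, None
        return {"client": client, "kind": "tunnel", "host": host,
                "port": int(port) if port else None, "path": None, "params": {}}

    url = urlsplit(target)
    # A non-CONNECT line with an https:// URL means TLS was terminated at the
    # proxy (assumption: interception with a CA the client accepted).
    kind = "https-decrypted" if url.scheme == "https" else "http"
    return {"client": client, "kind": kind, "host": url.hostname,
            "port": url.port, "path": url.path,
            "params": dict(parse_qsl(url.query))}


def summarize(log_text):
    """Return parsed records for every well-formed line in the log text."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if r is not None]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec["kind"], rec["host"], rec["path"], rec["params"])
```

A client that pins its certificate and rejects the proxy's certificate never produces the third kind of line; at most the tunnel record with host and port is logged.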