我的想法是否正确?如果您在 HTTP 代理的另一端有一个受 SSL 保护的服务,并且该服务需要身份验证:
- 您使用 HTTP 进行身份验证,发送未加密(尽管是 base64 编码的)代理用户名和密码(没有它我会收到 407),然后允许......
- 要与代理另一端的服务打开的 HTTPS 会话。
答案1
这似乎涵盖了它:
When tunneling SSL, the proxy must not have access to the data being
transferred in either direction, for sake of security. The proxy
merely knows the source and destination addresses, and possibly, if
the proxy supports user authentication, the name of the requesting
user.
...
CONNECT is really a lower-level function than the rest of the HTTP
methods, kind of an escape mechanism for saying that the proxy should
not interfere with the transaction, but merely forward the data. This
is because the proxy should not need to know the entire URI that is
being accessed (privacy, security), only the information that it
explicitly needs (hostname and port number).
...
CONNECT home.netscape.com:443 HTTP/1.0
User-agent: Mozilla/4.0
Proxy-authorization: basic dGVzdDp0ZXN0
...SSL data...
https://datatracker.ietf.org/doc/html/draft-luotonen-ssl-tunneling-03