Setting up Reverse Proxy


Rahul
Feb 2, 2012, 6:46:00 PM
to Fiddler
Hello,

Thank you for taking the time to read this message. I am having
trouble setting up a reverse proxy.

Here is the lay of the land.

Machine 1 (client)
- IP: 192.168.2.5
- hosts file: 192.168.2.2 www.tws.com

Machine 2 (server)
- IP: 192.168.2.2
- Windows Firewall allows incoming 8888
- Fiddler running here with:
  - listening on 8888
  - ReverseProxyForPort -> 81
  - Allow Remote computers to connect

The following test works:
-----------------------------------
From Machine 2 if I do http://127.0.0.1:8888 I see the Req/Resp in
Fiddler going against my web application listening on port 81


What I want to see work, but does not work:
-------------------------------------------------------------
From Machine 1 if I do http://www.tws.com:8888, I see the traffic in
Fiddler, BUT after a few moments I get an HTTP 502.
This is the detailed error message:
[Fiddler] The socket connection to www.tws.com failed.
A connection attempt failed because the connected party did not properly
respond after a period of time, or established connection failed
because connected host has failed to respond
203.174.34.138:8888

From Machine 1 if I do http://192.168.2.2:8888, then I see TONS of
never-ending traffic in Fiddler but no response in Fiddler.


My goal is to test reverse proxy for https, so I first started with
the simple reverse proxy configuration across these two machines on
the same LAN segment. I have hit a roadblock with this initial setup
and would really appreciate some assistance.

Once again, thank you for taking the time to read this long
post.




EricLaw
Feb 3, 2012, 8:45:24 AM
to Fiddler
The problem in your scenario is that Fiddler doesn't know that you
want "www.tws.com" to mean "this computer running Fiddler."

There are several ways to fix this. Here's the simplest:

1. Click Rules | Customize Rules.
2. Inside the OnBeforeRequest handler, add a new line of code:

    if (oSession.HostnameIs("www.tws.com")) oSession.host = "127.0.0.1:81";

Now, to act as a reverse proxy for HTTPS is slightly different. Your
best bet is to type

!listen 443 www.tws.com

in the QuickExec box underneath the session list. This will start a
new secure listener on port 443 on the current machine (use a
different port like 4443 if needed). Then, the script rule you wrote
above will run for the inbound requests that your other computer makes
asking for https://www.tws.com:443 and point those requests to your
local web server.

-Eric


Rahul
Feb 5, 2012, 3:29:03 AM
to httpf...@googlegroups.com
Eric, thank you for your prompt reply.
When I try to open Custom Rules, I get a blank notepad window titled customrules.js. I uninstalled and reinstalled the product but to no avail.

Also, the documentation talks about the custom rule and the registry entry as equivalent in effect. You asked me to go the code route. I had used the registry to make an entry (ReverseProxyForPort) but that did not work.

Thanks

EricLaw
Feb 5, 2012, 9:58:17 AM
to Fiddler
If they were exactly equivalent, I wouldn't have described both
options. The Registry entry only works when Fiddler can identify an
inbound request as destined for the current machine. That doesn't work
in this case because you haven't communicated to Fiddler in any way
that you expect it to act as the hostname "tws.com".

If you delete your CustomRules.js file in your \Documents
\Fiddler2\Scripts folder, the next time Fiddler starts, the
SampleRules.js file from the Fiddler application folder will be used
to recreate your CustomRules.js file.

Rahul
Feb 5, 2012, 3:08:06 PM
to httpf...@googlegroups.com
Eric,
thanks to your precise explanation and suggestion, I have been able to set up the reverse proxy for http. I will take a crack at the https setup shortly and I look forward to thanking you again.

FYI: I ran into more issues than normal because I am working with host headers and, consequently, it made a difference whether I used oSession.Host="127.0.0.1:81"; or oSession.Host="www.tws.com:81"; because, as it turned out, on the same server I have webapps on both 127.0.0.1:81 and www.tws.com:81.

Rahul
Feb 5, 2012, 6:18:03 PM
to Fiddler
Hello Eric,
as mentioned earlier, after reading your suggestions, I have reverse
proxy working with host headers.
However, with regard to https, I have not been able to get it going.
Allow me to summarize one last time, and I hope you can find time to
shed some light.

-------------------------
Machine1 (Client)
-------------------------
- IP is 192.168.2.5
- hosts file has ----> 192.168.2.2 www.wa.com
- The CA cert is in (LocalMachine and CurrentUser) / Trusted Root
Certification Authorities
- Makes an http call ---> http://www.wa.com:4444 (IE/Firefox/Chrome)
- Makes the same http call using .net (reaching same results)

------------------------
Machine2(Server)
------------------------
- IP is 192.168.2.2
- hosts file has --->127.0.0.1 www.wa.com
- Firewall configured to allow inbound tcp port 4444 traffic
- The CA cert is in LocalMachine and CurrentUser / Trusted Root
Certification Authorities
- SSL certificate (pfx) (CN=www.wa.com) is installed in (LocalMachine
and CurrentUser) / Personal and functional (proof: works with fiddler
disabled)
- The asp.net application is bound to port 80 and 443 (ssl is
attached) and has full permission to the SSL cert's private keys.
Using host header www.wa.com in this binding.
- The IIS setting is set to Require SSL and Anonymous authentication
is enabled
- Fiddler is running and is configured with the following:
-- to allow Remote computers to connect
-- Capture HTTPS connects and Decrypt https traffic is enabled
-- The following custom rule has been coded in the OnBeforeRequest
event handler:
    if (oSession.HostnameIs("www.wa.com")) oSession.host = "www.wa.com:443"; // Tried 80 as well
-- !listen 4444 www.wa.com // checked with netstat that Fiddler is listening on port 4444


--------------
Error
---------------
The error I get in my .net client application is "The underlying
connection was closed: Could not establish trust relationship for the
SSL/TLS secure channel."

The error that I get when I type https://www.wa.com:4444
in chrome I get ----> Invalid Server Certificate
in Firefox I get -----> The certificate is not trusted because no
issuer chain was provided.
(I took a look at the SSL certificate listed under IIS, and the
Certificate stores (Local Machine and Current User) and confirmed that
the Certification Path of the SSL certificate had the CA listed at the
root. The same CA which is installed on the Client's certificate
stores under Trusted Root Certification Authorities.)

I am sorry if I am taking too much time on this forum but I have come
to what appears as a dead-end for me.

Fiddler is an indispensable tool and if I can get the https reverse
proxy working, we, at our company, will benefit a great deal from it.

Thank you once again !
-- Rahul

EricLaw
Feb 5, 2012, 10:47:07 PM
to Fiddler
If you want your client to trust the Fiddler root certificate, you
need to configure the client to trust it. From the client, visit
http://fiddlermachine:8888/ and on that page, use the link to download
the root certificate. Open the .CER file and use the wizard to put it
in the machine's Trusted Store.

(If that client computer had previously had a Fiddler root installed
on it, you'll need to uninstall that one first, since it won't match
the server machine's root).

testf
May 9, 2012, 9:03:17 AM
to httpf...@googlegroups.com
Hi,

Is it possible to start a new listener from script (!listen PORT HOST)?

Regards

EricLaw
May 10, 2012, 8:37:15 AM
to httpf...@googlegroups.com

    // i: port number for the new listener; sHostnameForHTTPS: hostname to
    // issue the listener's certificate for, or null for a plain HTTP listener.
    Proxy oNewProxy = new Proxy(false);

    // Want a secure listener?
    // (Outer test assumed: the posted snippet omitted the condition that
    // selects the secure branch.)
    if (!String.IsNullOrEmpty(sHostnameForHTTPS))
    {
        if (!oNewProxy.ActAsHTTPSEndpointForHostname(sHostnameForHTTPS))
        {
            MessageBox.Show(String.Format("Failed to create secure listener on port #{0} for {1}", i, sHostnameForHTTPS), "Failure");
        }
        else
        {
            oNewProxy.Start(i, true);
            MessageBox.Show(String.Format("Started new Secure Listener on port #{0} with certificate SubjectCN={1}", i, sHostnameForHTTPS), "Success");
            FiddlerApplication.Log.LogFormat("Started new Secure Listener on port #{0} with certificate SubjectCN={1}", i, sHostnameForHTTPS);
        }
    }
    else
    {
        oNewProxy.Start(i, true);
        MessageBox.Show(String.Format("Started new Listener on port #{0}", i), "Success");
        FiddlerApplication.Log.LogFormat("Started new Listener on port #{0}", i);
    }

-Eric

 
PS: In the future, please start a new thread for new questions like this.

testf
May 11, 2012, 2:54:31 AM
to httpf...@googlegroups.com
Thank you for the response.

Now I have problem with creating object Proxy. I'm trying:

  Proxy oNewProxy = new Proxy(false);  --> The list of attributes does not apply to the current context
  var oNewProxy: Proxy = new Proxy(false); --> No such constructor

Regards

EricLaw
Nov 19, 2012, 12:59:41 PM
to httpf...@googlegroups.com
If you could intercept HTTPS traffic in plaintext form without some help from the client, there would be no point in having HTTPS at all, because it would be completely insecure.

On Monday, November 19, 2012 2:49:12 AM UTC-6, YYY wrote:
> What if it is not possible to install the certificate on the client (because one has no access to the client)?
>
> Is there any other alternative?
>
> Or this truly is a dead end?

YYY
Nov 19, 2012, 6:55:45 PM
to httpf...@googlegroups.com
Sorry, the question should be framed in a more technical manner.


Suppose one does not have access to the client machine, and has no way of installing Fiddler's root certificate on the client, is there any other possible avenue?

e.g. replacing Fiddler's root certificate with that of the website


In this case, we have control of the website and its SSL certificate (i.e. we are entitled to decrypt and read the HTTPS traffic). We do not have control over the client machine.

The intention is to watch incoming requests to our own website using Fiddler (set up as reverse proxy). Fiddler is able to provide some insight into POST traffic, which IIS and the website do not log at the moment (and modifying the site is not an immediate option).

EricLaw
Nov 20, 2012, 1:14:17 PM
to httpf...@googlegroups.com
Ah, if you actually have the server's certificate, then yes, you can provide that certificate to Fiddler and have it use it.
 
In FiddlerCore, it's as simple as calling FiddlerApplication.CreateProxyEndpoint and providing the desired certificate as the third parameter into the function call.
 
In Fiddler 2.4.2.0 today, you'd need to provide your own certificate provider implementation using the ICertificateProvider interface.
 
However, in the next build (v2.4.2.2), you can use FiddlerScript to call:
 
    CertMaker.StoreCert("www.yourhostname.com", "C:\\whatever\\yourhostname.pfx", "yourpfxpassword");
 
After you make this call, the Certificate Maker will cache this single certificate and use it for any requests to www.yourhostname.com.
 
Will this work for you?

YYY
Nov 21, 2012, 12:00:22 AM
to httpf...@googlegroups.com
Yes, exactly what we need.

This Fiddler journey of mine has really opened my eyes to the possibilities.

Thanks for the reply, and thank you for your contribution to the dev community!


Any idea when the next build, Fiddler 2.4.2.2, will be generally available?

EricLaw
Nov 21, 2012, 12:30:58 PM
to httpf...@googlegroups.com
Please let me know if http://www.fiddler2.com/dl/fiddler2alphasetup.exe meets your needs. Note that your certificate+private key MUST be in PFX format.
 
Thanks for the suggestion; this was on my "todo" list for a long time.
 
-Eric

YYY
Nov 23, 2012, 7:14:17 AM
to httpf...@googlegroups.com
It worked like a charm!

I was able to inspect all HTTPS traffic on the server without any client-side configuration.

Thank you so much!


Why is it a requirement to use PFX format for the certificate?

EricLaw
Nov 23, 2012, 10:04:02 AM
to httpf...@googlegroups.com
Great, thanks for letting me know!
 
>Why is it a requirement to use PFX format for the certificate?
 
A PFX contains both the Certificate and the Private Key, and is thus the simplest way to provide both to the decryption engine. (It would be possible to do this in other ways-- what formats did you have available when you started? Did you have to generate the PFX yourself?)

YYY
Nov 25, 2012, 9:43:27 PM
to httpf...@googlegroups.com
Yes, generated the PFX off the existing certificate in the web server.

No hassles.


If I understand it correctly, Fiddler uses the private key from the PFX to decrypt incoming HTTPS requests.

So the private key is an indispensable component in the process.

EricLaw
Nov 26, 2012, 11:42:34 AM
to httpf...@googlegroups.com
That's correct; Fiddler needs access to the private key in order to re-encrypt the traffic to send to the client. The private key corresponds to the public key in the server's certificate.

YYY
Dec 2, 2012, 9:31:03 AM
to httpf...@googlegroups.com
Thanks for your help!

With the new version of Fiddler that has the ability to replace Fiddler's own root certificate with the SSL certificate of the website under monitoring, I was able to close a case.

If I may summarise the process for the benefit of other Fiddler users - and do correct me if I am wrong in any respect:

Setting up Fiddler as reverse proxy to watch incoming HTTPS traffic on a web server

(1) Set up Fiddler as reverse proxy following the official wiki:

(2) In the web server, change the website to be monitored to use port 8888

(3) Turn on these Fiddler's options: Capture HTTPS Connects and Decrypt HTTPS Traffic

(4) Modify Fiddler's Custom Rules script's OnBeforeRequest handler function as follows:

(a) Specify the PFX certificate (exported with private key) that Fiddler should use for identifying itself to requesting clients and also for decrypting incoming HTTPS traffic (Available from Fiddler v 2.2.4.2):

CertMaker.StoreCert("www.yourhostname.com", "C:\\whatever\\yourhostname.pfx", "yourpfxpassword");

(b) Forward requests destined for usual port 80 / 443 (HTTP / HTTPS) to 8888, the port number just assigned to the website.

if (oSession.host.toLowerCase() == "www.yourhostname.com") oSession.host = "www.yourhostname.com:8888";

Gotcha: Do not specify port number 80 or 443 for oSession.host.toLowerCase (I made this newbie mistake. The official wiki was silent on this.)

(5) Set Fiddler to listen on port 443 - Type in the QuickExec box underneath the session list:



Fiddler should now be capturing HTTPS sessions.

EricLaw
Dec 3, 2012, 1:53:28 PM
to httpf...@googlegroups.com
For Step #4a, the call to StoreCert should be placed in the Main function rather than inside OnBeforeRequest. Otherwise, you'll unnecessarily reload the certificate from disk on every single request.
 
I'm not sure about the "gotcha" mentioned in 4b-- you might consider using the HostnameIs method:
 
    // Assume that the secure server is on port 444.
    if (oSession.HostnameIs("www.yourhostname.com")) oSession.host = "www.yourhostname.com:444";
 
-Eric

YYY
Dec 9, 2012, 6:29:02 AM
to httpf...@googlegroups.com
Thanks for the feedback!

Updated complete instructions below.

This line of code came from the official wiki at http://www.fiddler2.com/Fiddler/help/reverseproxy.asp:

if (oSession.host.toLowerCase() == "www.yourhostname.com") oSession.host = "www.yourhostname.com:8888";

If oSession.HostnameIs("www.yourhostname.com") is a better alternative, should the wiki be updated?


Setting up Fiddler as reverse proxy to watch incoming HTTPS traffic on a web server

(1) Set up Fiddler as reverse proxy following the official wiki:

(2) In the web server, change the website to be monitored to use port 444

(3) Turn on these Fiddler's options: Capture HTTPS Connects and Decrypt HTTPS Traffic

(4) Modify Fiddler's Custom Rules script's Main function to specify the PFX certificate (exported with private key) that Fiddler should use for identifying itself to requesting clients and also for decrypting incoming HTTPS traffic (Available from Fiddler v 2.2.4.2):

CertMaker.StoreCert("www.yourhostname.com", "C:\\whatever\\yourhostname.pfx", "yourpfxpassword");

(5) Still in the Custom Rules script, modify the OnBeforeRequest function to forward requests to 444, the port number just assigned to the website.
 
// Assume that the secure server is on port 444.
if (oSession.HostnameIs("www.yourhostname.com")) oSession.host = "www.yourhostname.com:444";
(6) Set Fiddler to listen on port 443 - Type in the QuickExec box underneath the session list:



Fiddler should now be capturing HTTPS sessions.
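The host-rewrite logic this thread keeps returning to, modelled in plain Node.js as an added example (not code from the thread, from the wiki, or from Fiddler itself): Eric's HostnameIs rewrite in the first reply, the wiki's oSession.host.toLowerCase() comparison and the port "gotcha" YYY hit, and the self-forwarding loop Rahul saw when browsing straight to http://192.168.2.2:8888 with no rule in place. The request and listener values are constructed stand-ins for oSession and for the !listen endpoint; the loop guard is this example's own addition and not something Fiddler does.

```javascript
'use strict';

// Split an HTTP Host header value (or a Fiddler-style "host:port" target)
// into a lower-cased hostname and a numeric port. Handles "host",
// "host:port" and bracketed IPv6 such as "[::1]:8888".
function splitHost(hostValue, defaultPort) {
  const h = hostValue.trim();
  let name;
  let port = '';
  if (h.startsWith('[')) {
    const end = h.indexOf(']');
    if (end < 0) throw new Error('malformed IPv6 host: ' + hostValue);
    name = h.slice(1, end);
    const rest = h.slice(end + 1);
    if (rest.startsWith(':')) port = rest.slice(1);
    else if (rest !== '') throw new Error('malformed host: ' + hostValue);
  } else {
    const colon = h.indexOf(':');
    if (colon >= 0 && colon === h.lastIndexOf(':')) {
      name = h.slice(0, colon);
      port = h.slice(colon + 1);
    } else {
      name = h; // no port, or an unbracketed IPv6 literal
    }
  }
  const p = port === '' ? defaultPort : Number(port);
  if (!Number.isInteger(p) || p < 1 || p > 65535) {
    throw new Error('bad port in host: ' + hostValue);
  }
  return { name: name.toLowerCase(), port: p };
}

// The comparison the old reverse-proxy wiki page used. It silently fails
// as soon as the Host header carries an explicit port ("host:443").
function naiveHostMatch(hostHeader, hostname) {
  return hostHeader.toLowerCase() === hostname.toLowerCase();
}

// Port-insensitive, case-insensitive match: what oSession.HostnameIs()
// gives you in FiddlerScript.
function hostnameIs(hostHeader, hostname) {
  return splitHost(hostHeader, 80).name === hostname.toLowerCase();
}

// Apply an ordered list of { hostname, target } rewrite rules to one
// inbound request, the way the OnBeforeRequest rules in this thread do.
// `req` is a constructed stand-in for oSession: { scheme, host }.
// `listener` is the "host:port" the proxy itself accepts connections on.
function resolveTarget(req, rules, listener) {
  const inbound = splitHost(req.host, req.scheme === 'https' ? 443 : 80);
  let target = inbound;
  for (const rule of rules) {
    if (inbound.name === rule.hostname.toLowerCase()) {
      target = splitHost(rule.target, inbound.port); // no port in rule: keep inbound port
      break;
    }
  }
  // Loop guard. This is the example's own addition, not Fiddler behaviour:
  // with no matching rule, a request addressed to the proxy's own listener
  // is forwarded back to the proxy, which is the never-ending stream of
  // sessions Rahul saw when browsing to http://192.168.2.2:8888.
  const own = splitHost(listener, 8888);
  if (target.name === own.name && target.port === own.port) {
    return { ok: false, reason: 'refusing to forward to own listener', target };
  }
  return { ok: true, target };
}

// The two configurations from the thread, as constructed rule tables.
const RULES_2012_02 = [{ hostname: 'www.tws.com', target: '127.0.0.1:81' }];
const RULES_2012_12 = [{ hostname: 'www.yourhostname.com', target: 'www.yourhostname.com:444' }];

function demo() {
  const hdr = 'www.yourhostname.com:443';
  const results = {
    naive: naiveHostMatch(hdr, 'www.yourhostname.com'),            // false: the gotcha
    hostnameIs: hostnameIs(hdr, 'www.yourhostname.com'),           // true
    tws: resolveTarget({ scheme: 'http', host: 'www.tws.com:8888' }, RULES_2012_02, '192.168.2.2:8888'),
    loop: resolveTarget({ scheme: 'http', host: '192.168.2.2:8888' }, RULES_2012_02, '192.168.2.2:8888'),
    https: resolveTarget({ scheme: 'https', host: 'www.yourhostname.com' }, RULES_2012_12, 'www.yourhostname.com:443'),
    noRule: resolveTarget({ scheme: 'https', host: 'www.yourhostname.com' }, [], 'www.yourhostname.com:443'),
  };
  console.log(JSON.stringify(results, null, 2));
  return results;
}

demo();
```

The `noRule` case is why YYY's step (5) matters: with `!listen 443 www.yourhostname.com` and no rewrite, an inbound https://www.yourhostname.com request targets the listener itself, so the rule must move it to the port the site was rebound to.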

Hudson Rafael
Mar 7, 2016, 8:26:54 PM
to Fiddler
video configure fiddler proxy reverse
http://rafaelcarioca7.com/?p=55