How is it possible to see in detail what is going over the line if you have a TLS 1.2 encrypted connection?
Basically, what we are doing here is what a MITM (man-in-the-middle) attack does. I knew about it, but this was the first time I did it myself. And of course it wasn't an attack: I was just trying to understand why a specific application using SOAP and WS-RM wasn't working. I also found out the hard way that logging all traffic in nginx is hard to achieve (and maybe not possible at all).
The idea was, because HTTPS was mandatory on both ends, server and client, to insert a short plain HTTP (without the S) hop in between, then start up Wireshark and capture on that hop until all the needed information is collected.
Because the nginx server block facing the client terminates TLS, we need a self-signed certificate for localhost. Then we can configure nginx.
server {
    listen 443 ssl;
    server_name localhost;
    ssl_protocols TLSv1.2;
    ssl_certificate localhost.cer;
    ssl_certificate_key localhost.key;
    location / {
        proxy_pass http://localhost:80;
        # Make the proxy transparent
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}
server {
    listen 80;
    server_name localhost;
    location / {
        proxy_pass https://the.server.side.com;
        # Make the proxy transparent
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}
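The post says a self-signed certificate for localhost is needed but does not show how to make one, so here is an added example (my own script, not from the original post) that creates the localhost.cer / localhost.key pair the first server block references and checks it before nginx is pointed at it. It assumes OpenSSL 1.1.1 or newer (for -addext); the 30-day validity and the 127.0.0.1 SAN entry are my choices.

```shell
#!/bin/sh
# Added example, not code from the original post: create the self-signed
# certificate that the TLS-terminating server block expects as
# localhost.cer / localhost.key, and verify it before nginx uses it.
# Assumes OpenSSL 1.1.1 or newer (for -addext).
set -eu

# Generate an RSA key and a self-signed certificate for CN=localhost.
# A subjectAltName is included because modern clients ignore the CN and
# reject certificates that have no SAN even when the CN matches.
make_localhost_cert() {
    dir="${1:-.}"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=localhost" \
        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
        -keyout "$dir/localhost.key" -out "$dir/localhost.cer" 2>/dev/null
    # The private key should be readable by the owner only.
    chmod 600 "$dir/localhost.key"
}

# Succeed only if the certificate carries the given DNS SAN entry.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeed only if the key matches the certificate (catches a mixed-up
# pair before nginx refuses to start with it).
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

# Stand-alone usage: ./make-cert.sh run  (builds the pair in the current directory)
if [ "${1:-}" = "run" ]; then
    make_localhost_cert .
    cert_has_dns_san localhost.cer localhost \
        && key_matches_cert localhost.cer localhost.key \
        && echo "localhost.cer / localhost.key are ready for nginx"
fi
```

Note that `listen 80;` in the second server block binds all interfaces, so the decrypted hop is reachable from the network as well as from the loopback; `listen 127.0.0.1:80;` keeps it local. Also, nginx does not verify the upstream certificate on `proxy_pass https://...` unless `proxy_ssl_verify on;` (with `proxy_ssl_trusted_certificate`) is set, so the forwarding leg should get that when the setup is used for anything beyond a local debugging session.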
Now I start up Wireshark, tell it to capture on the local loopback adapter, and set a capture filter for port 80. Finally, I configure the client to use https://localhost:443 and make a request. Voilà, Wireshark is reporting some action!