Running Fiddler as a Reverse Proxy for HTTPS server

12
votes

I have the following situation: 2 hosts, one is a client and the other an HTTPS server.

Client (:<brwsr-port>) <=============> Web server (:443)

I installed Fiddler on the server so that I now have Fiddler running on my server on port 8888.

The situation i would like to reach is the following:

|Client (:<brwsr-port>)| <===> |Fiddler (:8888) <===> Web server (:443)|
|-Me-------------------|       |-Server--------------------------------|

From my computer I want to contact Fiddler which will redirect traffic to the web server. The web server however uses HTTPS.

On The server I set up Fiddler to handle HTTPS sessions and decrypt them. I was asked to install on the server Fiddler's fake CA's certificate and I did it! I also inserted the script suggested by the Fiddler wiki page to redirect HTTPS traffic

// HTTPS redirect ----------------------- 
FiddlerObject.log("Connect received...");
if (oSession.HTTPMethodIs("CONNECT") && (oSession.PathAndQuery == "<server-addr>:8888")) {
    oSession.PathAndQuery = "<server-addr>:443";
}
// --------------------------------------

However when I try https://myserver:8888/index.html I fail!

Failure details

When using Fiddler on the client, I can see that the CONNECT request starts but the session fails because response is HTTP error 502. Looks like no one is listening on port 8888. In fact, If I stop Fiddler on the server I get the same situation: 502 bad gateway.

Please note that when I try https://myserver/index.html and https://myserver:443/index.html everything works!

Question

What am I doing wrong?

Is it possible that...?

I thought that since maybe TLS/SSL works on port 443, I should have Fiddler listen there and move my web server to another port, like 444 (I should probably set on IIS an https binding on port 444 then). Is it correct?

2
sslhttpsproxyfiddler

2 Answers

20
votes

If Fiddler isn't configured as the client's proxy and is instead running as a reverse proxy on the Server, then things get a bit more complicated.

Running Fiddler as a Reverse Proxy for HTTPS

  1. Move your existing HTTPS server to a new port (e.g. 444)
  2. Inside Tools > Fiddler Options > Connections, tick Allow Remote Clients to Connect. Restart Fiddler.
  3. Inside Fiddler's QuickExec box, type !listen 443 ServerName where ServerName is whatever the server's hostname is; for instance, for https://Fuzzle/ you would use fuzzle for the server name.

  4. Inside your OnBeforeRequest method, add:

    if ((oSession.HostnameIs("fuzzle")) &&
    (oSession.oRequest.pipeClient.LocalPort == 443) ) 
{
   oSession.host = "fuzzle:444";
}

Why do you need to do it this way?

The !listen command instructs Fiddler to create a new endpoint that will perform a HTTPS handshake with the client upon connection; the default proxy endpoint doesn't do that because when a proxy receives a connection for HTTPS traffic it gets a HTTP CONNECT request instead of a handshake.

2
votes

I just ran into a similar situation where I have VS2013 (IISExpress) running a web application on HTTPS (port 44300) and I wanted to browse the application from a mobile device.

I configured Fiddler to "act as a reverse proxy" and "allow remote clients to connect" but it would only work on port 80 (HTTP).

Following on from EricLaw's suggestion, I changed the listening port from 8888 to 8889 and ran the command "!listen 8889 [host_machine_name]" and bingo I was able to browse my application on HTTPS on port 8889.

Note: I had previously entered the forwarding port number into the registry (as described here) so Fiddler already knew what port to forward the requests on to.