Modern proxy servers can be used as gateways for requests that access both HTTP and HTTPS resources. This is where confusion arises, and it leads to misconfiguration and sometimes to security breaches. Below we discuss how proxying should be done properly for each type of request.
HTTP proxy

The HTTP client sends a request to the HTTP proxy and asks the proxy to retrieve the remote resource and forward it to the client. The resource does not have to be accessed over HTTP: if the HTTP proxy supports it, the client can pass an FTP or other URL, and this includes HTTPS resources as well. The HTTP client sends the request using the common HTTP verbs, such as GET, POST, HEAD, etc.

The HTTP proxy accepts the request from the client, analyzes it and acts accordingly. If the remote resource needs to be retrieved (for example, because it cannot be served from the cache), the HTTP proxy establishes a connection to the remote server and acts as a client of that server. The resource is downloaded and passed to the client.
If the remote resource is accessed over HTTPS, it is the HTTP proxy that validates the X.509 certificate presented by the remote server.

End-to-end security cannot be achieved with a mere HTTP connection. It is possible to achieve security by protecting the resource itself beforehand, but even when both the client and the proxy use HTTPS, the proxy has access to the original data, which is not protected by HTTPS at that point. Moreover, the unprotected data may remain in the proxy's cache (if the proxy uses caching).
HTTPS proxy

The HTTPS proxy was invented to ensure end-to-end security of the communication. With such a proxy the client sends a special request to the proxy using the CONNECT verb. The proxy builds an opaque tunnel by connecting to the requested server over TCP and doing nothing else. Once the socket connection is established, the HTTPS proxy sends a 200 OK response to the client and starts forwarding data from the client to the server and back.

Such a design means that the client and the server are not limited to HTTPS traffic. In fact, any protocol can be tunneled through an HTTPS proxy using the CONNECT verb.

End-to-end security is achieved by establishing a secure channel between the client and the server after the proxy has connected to the server and confirmed the operation to the client; from then on the proxy only relays bytes through the opaque tunnel.
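The following is an added example, not code from SecureBlackbox or BizCrypto, that shows both proxy modes described above side by side: the request a client sends to an HTTP proxy (absolute URL in the request line) and the CONNECT exchange with an HTTPS proxy, run entirely in-process over localhost. The proxy, the echo "origin" server, the payload and the helper names are all constructed for this illustration; the status text "Connection established" is the conventional reason phrase for the 200 response the page mentions. The payload deliberately starts with a TLS record header and is not HTTP, to show that the tunnel relays bytes it does not interpret.

```python
# Added example (not SecureBlackbox/BizCrypto code): HTTP proxy request vs.
# HTTPS proxy CONNECT tunnel, run in-process over localhost.
import socket
import threading
from urllib.parse import urlsplit


def build_forward_request(url: str) -> bytes:
    """HTTP proxy mode: the client puts the absolute URL in the request line.
    The proxy, not the client, opens the connection to the origin server."""
    netloc = urlsplit(url).netloc
    return f"GET {url} HTTP/1.1\r\nHost: {netloc}\r\n\r\n".encode()


def build_connect_request(host: str, port: int) -> bytes:
    """HTTPS proxy mode: ask the proxy for an opaque TCP tunnel to host:port."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_connect_target(request: bytes):
    """Proxy side: (host, port) from a CONNECT request line, or None.
    rpartition keeps a bracketed IPv6 literal such as [::1] intact."""
    line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        return None
    return host, int(port)


def _read_headers(sock):
    """Read up to the blank line; return (headers, bytes already past it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve_connect_once(listener):
    """Minimal HTTPS (CONNECT) proxy: TCP-connect to the target, answer 200,
    then relay bytes both ways without looking at them."""
    client, _ = listener.accept()
    listener.close()
    with client:
        head, leftover = _read_headers(client)
        target = parse_connect_target(head)
        if target is None:  # an HTTP-proxy style GET is refused here
            client.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
            return
        try:
            upstream = socket.create_connection(target)
        except OSError:
            client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
            return
        with upstream:
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            if leftover:
                upstream.sendall(leftover)
            back = threading.Thread(target=_pump, args=(upstream, client))
            back.start()
            _pump(client, upstream)
            back.join()


def _serve_echo_once(listener):
    """Constructed stand-in origin server: echoes whatever arrives."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        while chunk := conn.recv(4096):
            conn.sendall(chunk)


def tunnel_roundtrip(payload: bytes):
    """Client side: CONNECT through the in-process proxy to the in-process
    origin, push payload through the tunnel, return (status line, echo)."""
    origin = socket.create_server(("127.0.0.1", 0))
    proxy = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=_serve_echo_once, args=(origin,), daemon=True).start()
    threading.Thread(target=_serve_connect_once, args=(proxy,), daemon=True).start()
    with socket.create_connection(proxy.getsockname()) as c:
        c.settimeout(5)
        c.sendall(build_connect_request(*origin.getsockname()))
        head, echoed = _read_headers(c)
        status = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
        if not status.startswith("HTTP/1.1 200"):
            return status, b""
        c.sendall(payload)  # in real use: the TLS handshake and records
        c.shutdown(socket.SHUT_WR)
        while len(echoed) < len(payload) and (chunk := c.recv(4096)):
            echoed += chunk
    return status, echoed


if __name__ == "__main__":
    # Constructed payload: a TLS record header followed by non-HTTP bytes.
    print(tunnel_roundtrip(b"\x16\x03\x01 opaque client bytes"))
```

The contrast to notice is in the proxy code: after the 200 response the CONNECT proxy never parses another byte, so it cannot read, cache or modify what passes through, whereas an HTTP proxy must parse the request and fetch (and possibly cache) the resource itself.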
An HTTP proxy should not be used for HTTPS resources for purposes other than debugging or espionage.
SecureBlackbox and BizCrypto components support both HTTP proxy (in the HTTP/HTTPS client and server components) and HTTPS proxy (in the socket class and all socket-based components and classes). The HTTPS proxy is called WebTunneling in SecureBlackbox and BizCrypto.