

Using dynamic generated certificates with Nginx - nl5887
http://blog.dutchcoders.io/openresty-with-dynamic-generated-certificates/

======
feld
What are the filtering capabilities? Someone needs to finish fleshing this out
(maybe make it speak to snort or something) because there are a lot of
corporate proxies out there that don't support TLS 1.2, for example, which is
a travesty that they're really downgrading your security.

~~~
nl5887
Check out this library:
[https://github.com/dutchcoders/honos](https://github.com/dutchcoders/honos).
It adds filtering on host, uri and content type to each request.

------
vtlynch
This is basically what existing corporate proxies (like FireEye) and AV
software (like Avast!) already do.

~~~
nl5887
Exactly, but now it is integrated in nginx. So this could be an alternative
for proprietary software, or Squid.

------
cwmma
so ... how to MITM a TLS connection?

~~~
jvehent
If you can a) route the traffic through your proxy and b) generate a valid
certificate for the target site that's accepted by web browsers, then yes,
it's a mitm :)

~~~
wwwhizz
Whilst a) is possible under some circumstances, b) should be impossible.

~~~
tobbez
...unless you have somehow acquired a CA's private keys, or are in control of
the clients' certificate stores.

~~~
electrum
The latter of which is very common in corporate environments where employees'
machines are provisioned by the IT department and contain the company's
private CA (which is useful for non-nefarious purposes such as signing
certificates for internal services).
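The situation tobbez and electrum describe, as an added example that is not part of this thread or of the linked project: a leaf for example.com issued by a corporate proxy CA validates only when that CA sits in the client's trust store, and a client that checks against a pinned set of public roots instead of the OS store notices the substitution. All CAs, keys and names below are constructed in-process (Go standard library only).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint issues a self-signed root (isCA) or a server leaf for host cn signed by parent/parentKey.
func mint(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: isCA,
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if isCA { // a root signs itself
		t.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, t, key
	} else {
		t.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Verifies checks leaf for host against exactly these roots (a pinned public set, not the OS store).
func Verifies(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
// Scenario (every CA below is constructed in-process, not a real one): a public root issues
// the genuine example.com leaf; a corporate proxy root issues its own example.com leaf.
func Scenario() (genuineOK, proxiedOK, proxiedOKWithCorpRoot bool) {
	publicRoot, publicKey := mint("Constructed Public Root", true, nil, nil)
	proxyRoot, proxyKey := mint("Constructed Corp Proxy CA", true, nil, nil)
	genuine, _ := mint("example.com", false, publicRoot, publicKey)
	proxied, _ := mint("example.com", false, proxyRoot, proxyKey)
	return Verifies(genuine, "example.com", publicRoot), Verifies(proxied, "example.com", publicRoot),
		Verifies(proxied, "example.com", publicRoot, proxyRoot)
}
```

Scenario returns true, false, true: the proxy-issued leaf is rejected by a client pinned to the public root and accepted only once the corporate root has been provisioned into the trust set.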

