The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Fiddler2 to the max: inserting proxy authentication to use DropBox (or other app) behind a corporate firewall

Posted by jpluimers on 2014/04/16


A while ago, I was working with a not so cooperative corporate firewall. All web browsers would work fine, but most other applications would not go through the proxy in a nice way.

For instance, DropBox would show the dreadful “Connection Error” dialog shown on the right.

That dialog basically means “Dropbox has no clue what happens, try fiddling with your proxy or account settings, then press Reconnect Now” to retry.

Many other applications had issues (for instance Visual Studio connecting to Team Foundation System was very unreliable and the workarounds clumsy).

CNTLM: not the solution

I got inspired by the I code and code: Tutorial: How to use Dropbox behind a corporate proxy server using CNTLM, even though I was pretty sure the corporate firewall was not NTLM based.

And indeed, CNTLM -v -M http://google.com -c CNTLM.INI would give errors like this:

cntlm: Proxy returning invalid challenge!
headers_send: fd 4 warning -999 (connection closed)
Connection closed

HTTP Fiddler: looks promising

So I fired up my old buddy Fiddler 2 HTTP debugging proxy.

Further on, you will learn that Fiddler2 is much more, but right now it is enough to know that it basically sits as a local proxy between your applications and the outside world.

When a corporate proxy or firewall is already configured before Fiddler2 starts, Fiddler2 inserts itself between your applications and the corporate proxy/firewall.

So it captures the traffic before it goes through the proxy, including any corporate proxy authentication. How cool is that?!

When Fiddler2 completed loading, I started Chrome, then browsed to http://google.com. Chrome would prompt me for my corporate proxy credentials, which I entered, and showed the Google home page.

Then I switched to the Fiddler2 user interface, which basically consists of

  • a Menu+Toolbar on the top,
  • a Session List on the left,
  • a Request Pane (with two rows of tabs) on the top right,
  • and a Response Pane (again with two rows of tabs) on the bottom right.

In the Request Pane, I selected the Inspectors tab on the top row, then the Raw tab on the bottom row.

The Request Content then showed something like these request header lines at the top:

GET http://google.com/ HTTP/1.1
Host: google.com
Proxy-Connection: keep-alive
Proxy-Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

That included the full authentication information for getting through the proxy in the line starting with “Proxy-Authorization: Basic”.

Decoding basic authentication

Basic authentication is very insecure, but also very practical. The header contains a base64 encoded (not encrypted) string of the form username:password.

You should never use a semicolon in a username or password: lots of web software barfs on that.

A small Java example on how to do a basic base64 encoded HTTP request is here.

I thought I found a simple way for base64 decoding: just grab the text after the “Proxy-Authorization: Basic” (in this case the string “dXNlcm5hbWU6cGFzc3dvcmQ=”) then go to a site like base64Decode.org, paste it and hit the “Decode” button.

You will get the plain text, which for this example is “username:password”. If that matches with the username and password you entered, then you know that Fiddler captured the right session.

Well, Fiddler has a built-in tool for this:

  1. Go to the menu “Tools”
  2. Choose “TextWizard”
  3. Enter your plain text
  4. Choose “From Base64” on the left
  5. View the decoded text

How simple is that (:

Encoding basic authentication

If your corporate proxy password or username ever changes, then you need to encode those into base64.

Initially I wanted to do my standard way of this:

But the TextWizard of Fiddler – which has been there almost forever – of course also understands the “To Base64” option (:
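The decoding and encoding steps from the two sections above, as an added example that is not part of the original post: it pulls the Proxy-Authorization line out of a raw request, decodes a Basic credential, and builds the header value for a changed password. The function names are hypothetical (not Fiddler APIs), the code assumes Node.js, and the sample request is the one shown earlier with its placeholder credentials.

```javascript
// Added example (Node.js). Function names are hypothetical, not Fiddler APIs.

// Return { scheme, username, password } from a raw request's header block,
// or null when no Proxy-Authorization header is present.
function parseProxyAuthorization(rawRequest) {
  for (const line of rawRequest.split(/\r?\n/)) {
    if (line === "") break; // blank line ends the header block
    const m = /^Proxy-Authorization:\s*(\S+)\s+(.+?)\s*$/i.exec(line);
    if (!m) continue;
    const scheme = m[1];
    if (scheme.toLowerCase() !== "basic") {
      // Other schemes (e.g. NTLM) do not carry username:password in Base64.
      return { scheme, username: null, password: null };
    }
    const decoded = Buffer.from(m[2], "base64").toString("utf8");
    const sep = decoded.indexOf(":");
    if (sep < 0) throw new Error("Basic credential has no ':' separator");
    // Split on the first colon only: the password may itself contain colons.
    return {
      scheme,
      username: decoded.slice(0, sep),
      password: decoded.slice(sep + 1),
    };
  }
  return null;
}

// Build the header value for a new username/password pair.
function buildProxyAuthorization(username, password) {
  // RFC 7617: the user-id cannot contain ':' because it is the separator.
  if (username.includes(":")) throw new Error("username must not contain ':'");
  const token = Buffer.from(username + ":" + password, "utf8").toString("base64");
  return "Basic " + token;
}

// The request captured in the post, with its placeholder credentials.
const SAMPLE_REQUEST = [
  "GET http://google.com/ HTTP/1.1",
  "Host: google.com",
  "Proxy-Connection: keep-alive",
  "Proxy-Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=",
  "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
  "",
].join("\r\n");

console.log(parseProxyAuthorization(SAMPLE_REQUEST));
console.log(buildProxyAuthorization("username", "password"));
```

Because decoding needs no key, any saved session or script file holding this header value holds the proxy password itself.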

Inserting the basic authentication into every request to the proxy

This was the original aim of the article: not having to enter the proxy information, so that applications not handling it properly (like DropBox) will still function.

This part will show you that Fiddler2 is much more than a proxy. It is a versatile tool that also allows you to modify the HTTP requests and responses using a JavaScript based engine.

There even is a Fiddler Script Editor add-on that allows you to insert Fiddler specific code.

The whole idea is that you want Fiddler to insert this line into every request if it is not already there:

Proxy-Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

Basically, there are two ways for this, and for both you start here:

  1. Go to the menu “Rules”
  2. Select “Customize Rules”
  3. An editor pops up with the file “CustomRules.js”
  4. In that file search for the function “OnBeforeRequest”
  5. Enter one of the two code fragments into that function.
  6. Save the file.
  7. Fiddler2 beeps to indicate it has reparsed that file (and comes up with a messagebox indicating error information if the file contains errors).

The first fragment is really simple: it always forces the same proxy authentication:

oSession.oRequest["Proxy-Authorization"] = "Basic dXNlcm5hbWU6cGFzc3dvcmQ=";

Note that the single line in the header now is split across a key and a value.

The second fragment is a bit more complex: it only inserts the proxy authentication if it was not already there.

// Only add the header when the client did not send its own.
var proxyAuthorization = "Proxy-Authorization";
if (!oSession.oRequest.headers.Exists(proxyAuthorization))
{
    // Base64 of "username:password"; this is encoding, not encryption.
    var base64Encoded = "dXNlcm5hbWU6cGFzc3dvcmQ=";
    var basicAuthentication = "Basic " + base64Encoded;
    oSession.oRequest.headers.Add(proxyAuthorization, basicAuthentication);
}

I use the second fragment just in case I have a program wanting to use a different authentication through the proxy.

PS: more cool Fiddler stuff

Eric Lawrence (the Fiddler author) has written numerous interesting Fiddler articles. For instance this one.

–jeroen

via: I code and code: Tutorial: How to use Dropbox behind a corporate proxy server using CNTLM.
