https workaround for bitdefender mitm ssl proxy

This commit is contained in:
zefie
2026-04-23 16:18:07 -04:00
parent 614b4fe5f7
commit 721bb0a6d4
3 changed files with 65 additions and 5 deletions


@@ -77,10 +77,6 @@ class WTVHTTP {
// configure connection to remote socks proxy
const { SocksProxyAgent }= require('socks-proxy-agent');
options.agent = new SocksProxyAgent("socks://" + (minisrv_config.services[request_type].external_proxy_host || "127.0.0.1") + ":" + minisrv_config.services[request_type].external_proxy_port);
options.agents = {
"http": options.agent,
"https": options.agent
}
} else {
// configure connection to remote http proxy
this.proxy_agent = this.http;
@@ -97,6 +93,24 @@ class WTVHTTP {
options.headers.Connection = 'close'
}
}
if (this.minisrv_config.services[request_type].support_bitdefender_self_signed_proxy) {
try {
const WTVSSL = require('./WTVSSL.js');
const ssl = new WTVSSL();
const bitdefenderCACert = ssl.getBitdefenderCACert();
if (bitdefenderCACert) {
options.ca = [bitdefenderCACert];
// this sucks, but bitdefender's cert is weird and doesn't seem to work properly with Node's TLS implementation
// even when added to the trusted store, so we have to disable rejection of unauthorized certs
// when the Bitdefender CA cert is present. At least this way we can still allow it without
// completely breaking SSL proxying for Bitdefender users.
// This will only trigger on Windows if support_bitdefender_self_signed_proxy is true, and the Bitdefender CA file exists
options.rejectUnauthorized = false;
}
} catch (err) {
console.warn(" * Failed to load Bitdefender CA certificate:", err.message);
}
}
const req = this.proxy_agent.request(options, (res) => {
let total_data = 0;


@@ -13,6 +13,51 @@ class WTVSSL {
}
return this.wtvshared.fs.readFileSync(caCertFile);
}
derToPem(derBuffer) {
const base64 = derBuffer.toString("base64");
const pem = [
"-----BEGIN CERTIFICATE-----",
base64.match(/.{1,64}/g).join("\n"),
"-----END CERTIFICATE-----"
].join("\n");
return pem;
}
wrapBase664ToPem(text) {;
const pem = [
"-----BEGIN CERTIFICATE-----",
text,
"-----END CERTIFICATE-----"
].join("\n");
return pem;
}
normalizeCert(cert) {
if (Buffer.isBuffer(cert)) {
// assume DER
return this.derToPem(cert);
}
const text = cert.toString().trim();
if (text.includes("BEGIN CERTIFICATE")) {
return text; // already PEM
}
// assume Base64 DER
return this.wrapBase664ToPem(text);
}
getBitdefenderCACert() {
// return the Bitdefender CA cert
if (process.platform !== 'win32') {
return false;
}
const caCertFile = "C:\\Program Files\\Bitdefender\\Bitdefender Security\\mitm_cache\\fake-ca.crt"
if (!this.wtvshared.fs.existsSync(caCertFile)) {
return false;
}
return this.normalizeCert(this.wtvshared.fs.readFileSync(caCertFile));
}
}
module.exports = WTVSSL;
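Review bot: `derToPem` throws a TypeError on an empty Buffer, because `"".match(/.{1,64}/g)` is `null` and `.join` is then called on it, and `normalizeCert` turns an empty text file into a PEM block with no body instead of reporting it; since `getBitdefenderCACert` only checks that the file exists, a truncated or zero-length `fake-ca.crt` would surface as an opaque error in the caller's catch. A guard at the top of `normalizeCert`, `if (!cert || cert.length === 0) throw new Error("empty certificate");`, makes that failure explicit. The helper name `wrapBase664ToPem` (declared and called with the same misspelling) and the stray `;` after its parameter list look like typos; renaming it to `wrapBase64ToPem` at both sites and dropping the semicolon would help. A short JSDoc on `normalizeCert` stating the three accepted inputs (DER Buffer, PEM text, bare base64 DER) and that it always returns PEM text would save the next reader working it out from the branches.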


@@ -330,7 +330,8 @@
"disallow_no_slash": true,
"handler_module": "WTVHTTP",
"handler_extra_vars": ["http", "sendToClient"],
"allow_self_signed_ssl": true // If true, will allow self-signed SSL certificates via the proxy.
"allow_self_signed_ssl": false, // If true, will allow self-signed SSL certificates via the proxy.
"support_bitdefender_self_signed_proxy": true // If the user has bitdefender installed, it is intercepting SSL connections and re-signing them with its own self-signed certificate. Enabling this will add the Bitdefender certificate to the trusted store for the https service, allowing it to proxy https connections without errors.
},
"proto": {
// ProtoWeb Proxy
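Review bot: The comment on the new `support_bitdefender_self_signed_proxy` key says the option adds the Bitdefender certificate to the trusted store, but the WTVHTTP change that consumes it also sets `rejectUnauthorized = false`, so enabling it disables upstream certificate verification for the https service entirely whenever the CA file is found. Since the key ships set to `true`, the comment should state that effect plainly, e.g. append `NOTE: when the Bitdefender CA file is present this also disables upstream certificate verification (rejectUnauthorized=false) rather than merely trusting the Bitdefender CA.` It is also worth considering whether this should default to `false`, as `allow_self_signed_ssl` now does, so that Windows users opt in deliberately.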