Can Proxy insert headers to a HTTPS request?

Question

I am trying to insert a header on all HTTPS requests that passes my proxy server.

I read that HTTPS request headers can not be tampered with.

Is there any way that I can insert a header on HTTPS requests?

Answer 1

Only if the proxy is the endpoint of the TLS connection with the client (i.e. the proxy decrypts the requests). Otherwise it won't actually see any HTTP headers at all, just TCP sessions containing encrypted data.

It is common for a reverse proxy local to the web server(s) to terminate TLS connections for performance - the Web server can dedicate more resources to serving applications because it doesn't need to spend CPU cycles on de/encryption.

If you do this, your server certificate must identify the proxy server, not the web server. Otherwise clients will get a warning about the identity of the server differing from the certificate identity.

If you don't control or trust the infrastructure between the proxy and your server you could re-encrypt the ongoing requests.

Answer 2

Unless you are willing to terminate the SSL connection on your proxy, no you can't. This is one of the main goals of SSL. The data and that includes the headers are encrypted from the client to the server.

If you decide to terminate / intercept the SSL connection on your proxy, the clients will get a warning in their browsers. If you are in charge of all the browsers of all the clients you would be able to install a custom certificate and the clients wouldn't get warned anymore.