mkrawczuk

<!DOCTYPE html>
<html prefix="og: http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml">
    <head id="ctl00_ctl00_ctl00_head1"><meta charset="utf-8" /><title>
	LP3: za nami 1998 notowanie - Trójka - polskieradio.pl
</title><link rel="preconnect" href="https://mc.yandex.ru" crossorigin="" /><link rel="preconnect" href="https://fonts.gstatic.com" crossorigin="anonymous" /><link rel="preconnect" href="https://fonts.googleapis.com" crossorigin="" /><link rel="preconnect" href="https://ajax.googleapis.com" crossorigin="" /><link rel="preconnect" href="https://www.googletagmanager.com" crossorigin="" /><link rel="dns-prefetch" href="//fonts.googleapis.com" /><link rel="dns-prefetch" href="//static.prsa.pl" /><link rel="dns-prefetch" href="//static.polskieradio.pl" /><link rel="dns-prefetch" href="//cdn.prsa.pl" /><link rel="dns-prefetch" href="//cdn.polskieradio.pl" /><link rel="dns-prefetch" href="//api.polskieradio.pl" /><link rel="dns-prefetch" href="//apipr.polskieradio.pl" /><link rel="dns-prefetch"

mkrawczuk

Use nginx as Non-Transparent SSL Proxy

Introduction

Many mobile apps have back-end API servers. They usually rely on the API replies to determine whether certain information is supposed to be shown. If the API responses could be manipulated on the fly, we may easily fool an unmodified app to expose some private data.

This manual guides you to set up nginx as non-transparent SSL proxy, which just subsitutes strings in the server responses (i.e. man-in-the-middle attack ourself). For both server-side (their API servers) and client-side (your device), the whole process is almost transparent.