the Chromium logo

The Chromium Projects

Secure Web Proxy


A secure web proxy is a web proxy that the browser communicates with via SSL, as opposed to clear text. In insecure public networks, such as airports or cafes, browsing over HTTP may leave the user vulnerable to cookie stealing, session hijacking or worse. A secure web proxy can add a significant layer of defense in these cases.

Using a Secure Web Proxy with Chrome

To make use of a secure web proxy, Chrome needs to be configured to use a proxy auto-config file which specify the HTTPS proxy type. For example:

 function FindProxyForURL(url, host) { return "HTTPS"; }

This pac file can be specified by starting Chrome with the --proxy-pac-url=... command line argument, or through the settings dialog. Please be aware that other browser do not support the HTTPS proxy type in a .pac file, so modifying the system-wide proxy configuration to use such a .pac file might be inadvisable.

Alternatively, a secure web proxy can be specified by using the --proxy-server=https://<proxy>:<port> command line argument. For example:

 chrome --proxy-server=

Since the communication between Chrome and the proxy uses SSL, next protocol negotiation will be used. If the servers supports HTTP/2, then the proxy will act as an HTTP/2 Proxy.

Running a Secure Web Proxy

While all the details of running a secure web proxy are out of scope for this document, here are two suggestions. If you are already running a web proxy, you use stunnel to convert it into a secure web proxy. For example:

**```none stunnel -f -d 443 -r localhost:8080 -p cert.pem

**This would cause stunnel to listen for SSL connections on port 443 and send
any HTTP requests to the web proxy running on port 8080.**

**Alternatively, the popular proxy program Squid appears to offer support for
running as a secure web proxy via the [https_port

## **Debugging Certificate Errors**

Debugging certificate errors for a secure web proxy [may be
because the certificate information is not readily visible. Certificate
information is captured in NetLogs (capture with chrome://net-export, view with
<>). Alternatively, without the proxy
configured, navigate directly to the proxy's endpoint (e.g.
<>) in a new tab and you'll get the typical
certificate error experience shown for server certificate errors. After that
page works without error, reconfigure the secure web proxy.