It feels like JD.com's HTTPS isn't e2e and is being hijacked somewhere in the middle. If you request it with curl, you get this:
* Connected to list.jd.com (42.236.8.129) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 603 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: *.jd.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=CN,ST=beijing,L=beijing,O=BEIJING JINGDONG SHANGKE INFORMATION TECHNOLOGY CO.\, LTD.,CN=*.jd.com
* start date: Thu, 15 Mar 2018 04:02:02 GMT
* expire date: Tue, 28 Aug 2018 09:42:54 GMT
* issuer: C=BE,O=GlobalSign nv-sa,CN=GlobalSign Organization Validation CA - SHA256 - G2
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET /list.html?cat=670,12800,12802 HTTP/1.1
> Host: list.jd.com
> authority: list.jd.com
> cache-control: max-age=0
> upgrade-insecure-requests: 1
> user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
> accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
> dnt: 1
> accept-language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.6
> cookie: ipLoc-djd=1-72-4137-0; areaId=1; __jda=122270672.15258484760111185216130.1525848476.1525848476.1525848476.1; __jdc=122270672; __jdv=122270672|direct|-|none|-|1525848476012; 3AB9D23F7A4B3C9B=2CHSSK4AIRJBZHSHVXWZP2IVWEEUGJTGJZU5UIVFZL6X2IPOH2T5OPZDYIP2ZLORI2XMZOYSGEKEU72E6SAB6O54QM; listck=e19706debdda455e4793c3a3a86514ea; __jdu=15258484760111185216130; __jdb=122270672.9.15258484760111185216130|1.1525848476
> if-modified-since: Wed, 09 May 2018 06:50:00 GMT
>
< HTTP/1.1 302 Found
< Server: JDWS/2.0
< Date: Wed, 09 May 2018 07:21:41 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: http://p.egou.com/n?k=6JU4gZDFrI6HWlzl1NXH2mLErI6H2mLq6l2SWcLe6Ew7Wn4H6EDmrI6HYQLErnWF1nzm6N27rIW-&t=u=764050&url=http%3A%2F%2Flist.jd.com%2Flist.html%3Fcat%3D670%2C12800%2C12802%26_t_t_t%3D1
< Age: 0
< Via: http/1.1 ZZ-UNI-1-JCS-155 ( [cMsSf ])
<
{ [16000 bytes data]
: Wed, 09 May 2018 07:21:41 GMT
Cache-Control: max-age=0
Last-Modified: Wed, 09 May 2018 07:21:45 GMT
Via: BJ-Y-NX-113(MISS)
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<title> 游戏耳机 游戏设备 电脑、办公 [行情 价格 评价 图片] - 京东</title>
<link type="text/css" rel="stylesheet" href="//misc.360buyimg.com/??jdf/1.0.0/unit/ui-base/5.0.0/ui-base.css,jdf/1.0.0/unit/shortcut/5.0.0/shortcut.css,jdf/1.0.0/unit/global-header/5.0.0/global-header.css,jdf/1.0.0/unit/myjd/5.0.0/myjd.css,jdf/1.0.0/unit/nav/5.0.0/nav.css,jdf/1.0.0/unit/shoppingcart/5.0.0/shoppingcart.css,jdf/1.0.0/unit/global-footer/5.0.0/global-footer.css,jdf/1.0.0/unit/service/5.0.0/service.css">
The command is: curl -v 'https://list.jd.com/list.html?cat=670,12800,12802' -H 'authority: list.jd.com' -H 'cache-control: max-age=0' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'dnt: 1' -H 'accept-language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.6' -H 'cookie: ipLoc-djd=1-72-4137-0; areaId=1; __jda=122270672.15258484760111185216130.1525848476.1525848476.1525848476.1; __jdc=122270672; __jdv=122270672|direct|-|none|-|1525848476012; 3AB9D23F7A4B3C9B=2CHSSK4AIRJBZHSHVXWZP2IVWEEUGJTGJZU5UIVFZL6X2IPOH2T5OPZDYIP2ZLORI2XMZOYSGEKEU72E6SAB6O54QM; listck=e19706debdda455e4793c3a3a86514ea; __jdu=15258484760111185216130; __jdb=122270672.9.15258484760111185216130|1.1525848476' -H 'if-modified-since: Wed, 09 May 2018 06:50:00 GMT'
If you set list.jd.com to 42.236.8.129 in your hosts file, you should be able to reproduce it too.
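
A check for the pattern visible in the transcript above, as an added example that is not part of the original post: it parses `curl -v` output and flags an HTTPS request that is answered with a redirect to a cleartext `http://` URL on a different host. The function name `audit_redirect` and the trimmed sample transcript are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a trimmed curl -v transcript shaped like the one above
# (the k= token is a placeholder, not the value from the post).
SAMPLE = """\
* Connected to list.jd.com (42.236.8.129) port 443 (#0)
* server certificate verification OK
> GET /list.html?cat=670,12800,12802 HTTP/1.1
> Host: list.jd.com
>
< HTTP/1.1 302 Found
< Server: JDWS/2.0
< Location: http://p.egou.com/n?k=PLACEHOLDER&t=u=764050&url=http%3A%2F%2Flist.jd.com%2Flist.html%3Fcat%3D670
< Via: http/1.1 ZZ-UNI-1-JCS-155 ( [cMsSf ])
<
"""

def audit_redirect(transcript, tls=True):
    """Return findings for one request/response pair in curl -v output."""
    req, resp, status = {}, {}, None
    for line in transcript.splitlines():
        if line.startswith("< HTTP/"):
            status = int(line.split()[2])
        elif line[:2] in ("> ", "< ") and ":" in line:
            name, _, value = line[2:].partition(":")
            (req if line[0] == ">" else resp)[name.strip().lower()] = value.strip()
    findings = []
    loc = resp.get("location")
    if status not in (301, 302, 303, 307, 308) or not loc:
        return findings
    target, origin = urlsplit(loc), req.get("host", "")
    if tls and target.scheme == "http":
        findings.append("downgrade: HTTPS response redirects to cleartext HTTP")
    if target.hostname and target.hostname != origin:
        findings.append(f"cross-host: {origin} -> {target.hostname}")
    # Flag redirects that embed the originally requested URL in a query
    # parameter (the url= parameter in the transcript above).
    for values in parse_qs(target.query).values():
        if any(urlsplit(v).hostname == origin for v in values):
            findings.append("wrapped: original URL embedded in redirect query")
    if "via" in resp:
        findings.append(f"proxy: Via header present ({resp['via']})")
    return findings

if __name__ == "__main__":
    for f in audit_redirect(SAMPLE):
        print(f)
```

Comparing the findings for the same URL fetched from several networks or resolver answers shows whether the redirect depends on which IP address serves the request.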