I've just had one of those 'little moments' where I've realised something I thought was true is not.
I thought that proxying HTTPS could not be done.
But it can, under specific circumstances: basically, if you choose to trust the proxy and allow it.
Our work does. I noticed this when testing my home HTTPS webmail from work.
Our work proxies everything through a cloud-based outfit called Zscaler.
Visiting my HTTPS site normally shows the expected cert chain of:
DST Root CA X3 -> Let's Encrypt Authority X3 -> My HTTPS server.
But visiting it from work, I see:
Zscaler Root CA -> Zscaler Intermediate CA -> My HTTPS server.
WTF?
That's a broken path! That can't work!
Then I realised that the 'My HTTPS server' cert I see here is *not* the one I serve up.
It's spoofed.
Zscaler run their own self-signed CA, and issue spoofed certs for the target website.
Normally no CA would issue certs for domains the requester does not control, and no one would trust a CA that issued spoofed certs willy-nilly, so on its own this would not work.
To make this work, corporate IT have inserted the Zscaler root CA cert as a Trusted Root Cert on all corporate PCs via Domain Policy, so the spoofed certs are accepted!
So the connection is encrypted from my PC to Zscaler using their spoofed cert, passes through them in plaintext, and is then forwarded on a second encrypted hop to my server using my genuine cert.
So yes, a man-in-the-middle, by design and by agreement.
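As an added example (not from the original post), here is a small Python check for exactly this situation: the handshake validates fine because the Zscaler root sits in the corporate trust store, so the only way to notice is to compare the leaf certificate you observe with the one your own server actually serves. The host name, fingerprint and DER bytes below are constructed placeholders.

```python
import hashlib
import socket
import ssl

# Constructed sample of what getpeercert() returns through the proxy: the leaf
# is re-issued by the proxy's intermediate, not by your real CA.
INTERCEPTED_CERT_INFO = {
    "subject": ((("commonName", "webmail.example.invalid"),),),
    "issuer": ((("commonName", "Zscaler Intermediate CA"),),),
}

def fingerprint(der):
    """SHA-256 of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def name_cn(name):
    """Pull commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def classify(observed_der, observed_info, expected_fingerprint, expected_issuer_cn):
    """Return (verdict, reasons): 'intercepted' if the leaf fingerprint or the
    issuer differs from what your own server presents, otherwise 'direct'."""
    reasons = []
    if fingerprint(observed_der) != expected_fingerprint.lower():
        reasons.append("leaf certificate fingerprint differs from the one you serve")
    issuer = name_cn(observed_info.get("issuer", ()))
    if issuer != expected_issuer_cn:
        reasons.append("leaf issued by %r, expected %r" % (issuer, expected_issuer_cn))
    return ("intercepted" if reasons else "direct"), reasons

def fetch_leaf(host, port=443, timeout=5):
    """Live probe. Validation succeeds even when intercepted, because the
    proxy's root CA is trusted by the OS, so the default context cannot tell."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

if __name__ == "__main__":
    # Replace the host, the pinned fingerprint and the issuer with your own values.
    der, info = fetch_leaf("webmail.example.invalid")
    print(classify(der, info, "<sha256 of the cert you serve>", "Let's Encrypt Authority X3"))
```

Run the pin check from the network you suspect and from one you trust; only the intercepted path will report a different fingerprint and issuer for the same host.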