Mikrotik with Hotspot and external proxy

humbertosartini
just joined
 
Posts: 6
Joined: Thu Apr 12, 2012 4:07 pm

Mikrotik with Hotspot and external proxy

by humbertosartini » Thu Jul 05, 2012 3:20 pm

Hi all!

I have the below topology (file attached) that has these functionalities:
- DHCP Server works well
- Hotspot works well
- HTTP Proxy (only HTTP) works well
- HTTPS PROXY doesn't work :-(

All clients can "ping" the proxy, but when I open HTTPS sites they don't work. If I configure the proxy server manually (172.31.252.5:3128) it works well. What can I do to access HTTPS sites?

Thanks,
Attachment: topology.png (Topology)

Feklar
Forum Guru
 
Posts: 1421
Joined: Wed Dec 02, 2009 12:46 am

Re: Mikrotik with Hotspot and external proxy

by Feklar » Thu Jul 05, 2012 6:09 pm

Unless the client is specifically configured to use a proxy, HTTPS will not work. You cannot do transparent proxies with HTTPS, if you could that would make HTTPS very insecure.

humbertosartini
just joined
 
Posts: 6
Joined: Thu Apr 12, 2012 4:07 pm

Re: Mikrotik with Hotspot and external proxy

by humbertosartini » Thu Jul 05, 2012 7:46 pm

Feklar,

Thanks for the information.
But I tried to use dstnat rules, like this:

[admin@] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0
1 chain=dstnat action=dst-nat to-addresses=IP_PROXY to-ports=3128 protocol=tcp in-interface=vlan1 dst-port=80,443

Is this rule correct? Is it possible to work this way?

Feklar
Forum Guru
 
Posts: 1421
Joined: Wed Dec 02, 2009 12:46 am

Re: Mikrotik with Hotspot and external proxy

by Feklar » Thu Jul 05, 2012 7:54 pm

That rule is correct to try and make a transparent proxy, and it will work fine for HTTP, but it will not work for HTTPS. There is nothing that you can really do to make it work for HTTPS transparently; you are becoming a man-in-the-middle by trying to do so, and HTTPS won't allow it. It's not a matter of the correct firewall rules, it's a matter of security and the way the protocol is set up.
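
Added example, not part of any post in this thread: a Python sketch of what a plain HTTP proxy on port 3128 receives as the first bytes of a connection in the three cases discussed (port 80 dst-nat'ed, browser manually configured with the proxy, port 443 dst-nat'ed). The function names and sample bytes are constructed for illustration and do not model any particular proxy product.

```python
# Added illustration (not from the thread): what a plain HTTP proxy on
# port 3128 receives first in the three situations discussed above.
import struct

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends on a new TCP connection."""
    # TLS record header: type(1) | version(2) | length(2); then handshake type.
    if len(data) >= 6:
        rec_type, major, _minor, _length = struct.unpack("!BBBH", data[:5])
        if rec_type == 0x16 and major == 0x03 and data[5] == 0x01:
            return "tls-client-hello"
    request_line = data.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        if parts[0] == b"CONNECT":
            return "http-connect"
        if parts[0] in HTTP_METHODS:
            return "http-request"
    return "unknown"


def proxy_action(data: bytes) -> str:
    """What an HTTP proxy can do with each kind of first message."""
    kind = classify_first_bytes(data)
    if kind == "http-request":
        return "parse request, fetch on the client's behalf"
    if kind == "http-connect":
        return "open TCP tunnel to the named host, relay TLS bytes unread"
    if kind == "tls-client-hello":
        return "reject: not an HTTP request, nothing to parse"
    return "reject: unrecognised"


# Constructed sample inputs (hostnames and bytes are made up for the example).
SAMPLES = {
    "port 80 dst-nat'ed to proxy": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "browser configured with proxy": b"CONNECT www.example.com:443 HTTP/1.1\r\n\r\n",
    # TLS record header + start of a ClientHello handshake message
    "port 443 dst-nat'ed to proxy": bytes.fromhex("1603010200" "010001fc0303"),
}

if __name__ == "__main__":
    for case, first_bytes in SAMPLES.items():
        print(f"{case:32} -> {proxy_action(first_bytes)}")
```

In the manually configured case the proxy only learns the host and port from the CONNECT line and relays the encrypted bytes; in the dst-nat case it is handed a TLS handshake it was never asked to tunnel.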

humbertosartini
just joined
 
Posts: 6
Joined: Thu Apr 12, 2012 4:07 pm

Re: Mikrotik with Hotspot and external proxy

by humbertosartini » Thu Jul 05, 2012 8:00 pm

Feklar

Thanks again. If I enable Web-Proxy and redirect only HTTPS traffic to it, will this method work?

Feklar
Forum Guru
 
Posts: 1421
Joined: Wed Dec 02, 2009 12:46 am

Re: Mikrotik with Hotspot and external proxy

by Feklar » Thu Jul 05, 2012 8:53 pm

I'm not sure how many different ways this can be stated and how much clearer I could have made it in the last posts. It is impossible to redirect HTTPS to a transparent proxy and have it work. There is no combination of firewall rules, filter rules, or proxy configuration to make it work. You asking the same question in different ways will only net the same answer to your question.

The 'S' in HTTPS stands for 'secure'. If you are able to transparently redirect and proxy/filter/see into that secure connection, it's not very secure now, is it? The whole point of it is the data is encrypted from the client to the server, and that nothing should be able to intercept it and read it without the client's permission. If that security is not in place, then the connection is broken since the data cannot be trusted.

peson
Member Candidate
 
Posts: 148
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: Mikrotik with Hotspot and external proxy

by peson » Fri Jul 06, 2012 1:48 am

humbertosartini wrote:
[admin@] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0
1 chain=dstnat action=dst-nat to-addresses=IP_PROXY to-ports=3128 protocol=tcp in-interface=vlan1 dst-port=80,443

Is this rule correct? Is it possible to work this way?


No, the rule is incorrect because redirection of the HTTPS (443) traffic cannot be done, as Feklar says.
So if you remove the 443 in dst-port, the HTTPS traffic will work, not via the proxy but directly to the HTTPS host.

humbertosartini
just joined
 
Posts: 6
Joined: Thu Apr 12, 2012 4:07 pm

Re: Mikrotik with Hotspot and external proxy

by humbertosartini » Fri Jul 06, 2012 3:04 am

Hi Peson,

Thanks for the help. To me it doesn't make sense that Mikrotik is not capable of redirecting HTTPS traffic, because there are many other ways to block "Man-in-the-middle". In this case, if I want to access HTTPS sites, it is necessary to use WebProxy :-(

dotun911
just joined
 
Posts: 1
Joined: Wed Jul 18, 2012 1:02 am

Re: Mikrotik with Hotspot and external proxy

by dotun911 » Wed Jul 18, 2012 1:07 am

This is really, really sad. I have the same issue and can't redirect to http to https with webproxy.
