
Mikrotik with Hotspot and external proxy

Posted: Thu Jul 05, 2012 3:20 pm
by humbertosartini
Hi all!

I have the below topology (file attached) that has these functionalities:
- DHCP Server works well
- Hotspot works well
- HTTP Proxy (only HTTP) works well
- HTTPS PROXY doesn't work :-(

All clients can "ping" the proxy, but when I try to open HTTPS sites, they don't work. If I configure the proxy server manually (172.31.252.5:3128), it works well. What can I do to access HTTPS sites?

Thanks,

Re: Mikrotik with Hotspot and external proxy

Posted: Thu Jul 05, 2012 6:09 pm
by Feklar
Unless the client is specifically configured to use a proxy, HTTPS will not work. You cannot do transparent proxies with HTTPS; if you could, that would make HTTPS very insecure.

Re: Mikrotik with Hotspot and external proxy

Posted: Thu Jul 05, 2012 7:46 pm
by humbertosartini
Feklar,

Thanks for the information.
But I tried to use dstnat rules, like this:

[admin@] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0
1 chain=dstnat action=dst-nat to-addresses=IP_PROXY to-ports=3128 protocol=tcp in-interface=vlan1 dst-port=80,443

Is this rule correct? Is it possible to work this way?

Re: Mikrotik with Hotspot and external proxy

Posted: Thu Jul 05, 2012 7:54 pm
by Feklar
That rule is correct to try and make a transparent proxy, and it will work fine for HTTP, but it will not work for HTTPS. There is nothing that you can really do to make it work for HTTPS transparently; you are becoming a man-in-the-middle by trying to do so, and HTTPS won't allow it. It's not a matter of the correct firewall rules; it's a matter of security and the way the protocol is set up.

Re: Mikrotik with Hotspot and external proxy

Posted: Thu Jul 05, 2012 8:00 pm
by humbertosartini
Feklar

Thanks again. If I enable Web-Proxy and redirect only HTTPS traffic to it, will this method work?

Re: Mikrotik with Hotspot and external proxy

Posted: Thu Jul 05, 2012 8:53 pm
by Feklar
I'm not sure how many different ways this can be stated and how much clearer I could have made it in the last posts. It is impossible to redirect HTTPS to a transparent proxy and have it work. There is no combination of firewall rules, filter rules, or proxy configuration to make it work. You asking the same question in different ways will only net the same answer to your question.

The 'S' in HTTPS stands for 'secure'. If you are able to transparently redirect and proxy/filter/see into that secure connection, it's not very secure now, is it? The whole point of it is that the data is encrypted from the client to the server, and that nothing should be able to intercept it and read it without the client's permission. If that security is not in place, then the connection is broken since the data cannot be trusted.

Re: Mikrotik with Hotspot and external proxy

Posted: Fri Jul 06, 2012 1:48 am
by peson
[admin@] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0
1 chain=dstnat action=dst-nat to-addresses=IP_PROXY to-ports=3128 protocol=tcp in-interface=vlan1 dst-port=80,443

Is this rule correct? Is it possible to work this way?
No, the rule is incorrect because redirection of the HTTPS (443) traffic cannot be done, as Feklar says.
So if you remove the 443 in dst-port, the HTTPS traffic will work, not via the proxy but directly to the HTTPS host.
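
Added example (not part of any post in this thread): a Python sketch of what a proxy listening on port 3128 receives as the first bytes of a connection in the cases discussed above, showing why the dst-nat of port 443 fails while a manually configured proxy works. The sample bytes, the host name example.test and the classification labels are constructed for illustration.

```python
import struct

# Constructed samples of the first bytes a proxy on port 3128 could receive.
SAMPLES = {
    # dst-nat of port 80: the browser believes it is talking to the web server.
    "dstnat-80": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Browser manually configured with the proxy, plain HTTP site.
    "manual-http": b"GET http://example.test/index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Browser manually configured with the proxy, HTTPS site: cleartext CONNECT first.
    "manual-https": b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n\r\n",
    # dst-nat of port 443: TLS record header plus the start of a ClientHello.
    "dstnat-443": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32),
}

def classify_first_bytes(data: bytes) -> str:
    """Heuristically label the opening bytes of a connection to the proxy port."""
    # TLS record: content type 0x16 (handshake), version 0x03xx, 2-byte length,
    # followed by handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        (record_len,) = struct.unpack("!H", data[3:5])
        if data[5] == 0x01 and 0 < record_len <= 2**14:
            return "tls-client-hello"
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/1."):
        method, target = parts[0], parts[1]
        if method == b"CONNECT":
            return "connect-tunnel"      # proxy opens a TCP tunnel, TLS stays end to end
        if target.startswith(b"http://"):
            return "proxy-http"          # absolute-form request sent to a known proxy
        if target.startswith(b"/"):
            return "intercepted-http"    # origin-form request, proxy uses the Host header
    return "unknown"

# Whether an HTTP proxy port has a request it can act on (intercepted-http
# assumes the proxy is configured for interception, as in the thread).
HANDLED = {"intercepted-http": True, "proxy-http": True, "connect-tunnel": True,
           "tls-client-hello": False, "unknown": False}

def report() -> dict:
    """Map each sample name to (classification, handled-by-HTTP-proxy)."""
    result = {}
    for name, raw in SAMPLES.items():
        kind = classify_first_bytes(raw)
        result[name] = (kind, HANDLED[kind])
    return result

if __name__ == "__main__":
    for name, (kind, ok) in report().items():
        print(f"{name:13} {kind:17} {'handled' if ok else 'not parseable as HTTP'}")
```

In the dstnat-443 case the proxy never sees a request line or a CONNECT, only an encrypted handshake addressed to a different server, which is why removing 443 from dst-port lets HTTPS go directly to the host.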

Re: Mikrotik with Hotspot and external proxy

Posted: Fri Jul 06, 2012 3:04 am
by humbertosartini
Hi Peson,

Thanks for the help. To me it doesn't make sense that Mikrotik is not capable of redirecting HTTPS traffic, because there are many other ways to block "man-in-the-middle". In this case, if I want to access HTTPS sites, it is necessary to use WebProxy :-(

Re: Mikrotik with Hotspot and external proxy

Posted: Wed Jul 18, 2012 1:07 am
by dotun911
This is really, really sad. I have the same issue and can't redirect to http to https with webproxy.