Block https domain with bridge proxy

I need to block https://www.website.com

I put a MikroTik bridge after the internet gateway and tried the web proxy:

> ip firewall nat print 

 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 
     out-interface=wlan1-gateway 

 1   chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80,8080,443

> ip proxy print 
                 enabled: yes
             src-address: 0.0.0.0
                    port: 8080
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: webmaster
          max-cache-size: unlimited
           cache-on-disk: no
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
             cache-drive: system

> ip proxy access print  detail 

 0   dst-address=88.44.63.170 dst-port="" action=deny hits=0 

 1   dst-address=62.211.67.37 dst-port="" action=deny hits=0 

 2   dst-address=82.53.187.74 dst-port="" action=deny hits=0

but I can still access website.com.
Where am I going wrong?

thanks

No one?

You can’t transparently proxy https, unless you can force a trusted CA certificate into all clients and then sign all websites with this certificate.

Mikrotik cannot do such a thing.

So, there’s no way to do this?

Correct

Perhaps with L7 you could look at the CN on the HTTPS certificate?

How?

I don’t have the config for you to paste into your router, but L7 filter pretty much greps the first 2KB of each connection:

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7

The Client Hello, the certificate exchange and the Server Hello are not encrypted, so the L7 filter would be able to match these [they each contain the Common Name, i.e. the domain name]; however, a quick test with Wireshark suggests to me that you’re going to be getting close to the 2KB limit.
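To make the "match the name in the handshake" idea concrete, here is an added example (not from the thread, and not a MikroTik configuration): a small Python script that builds a TLS ClientHello carrying a Server Name Indication (SNI) extension, then parses the host name back out of the raw bytes and checks it against a blocklist, the way a cleartext matcher in front of the TLS session would have to. The ClientHello is the first record a client sends, and its SNI is the cleanest cleartext copy of the host name; in TLS 1.3 the server's Certificate (and with it the CN) is sent encrypted, so the SNI is the field to rely on. The script also models a fixed inspection window like the 2KB mentioned above: a hello that is padded so the SNI lands beyond the window is missed, one with the SNI first is not. The host names, the 2KB window, the cipher suite and the record layout (TLS 1.2 style, one record, no fragmentation) are assumptions constructed for the example.

```python
"""Added example: build a TLS ClientHello with SNI, parse the SNI back out,
and apply a host-name blocklist to the cleartext prefix of a connection.
Not MikroTik code; the names and sizes below are constructed for illustration."""
import struct

BLOCKED_SUFFIXES = ("website.com",)   # constructed blocklist; matches the host and any subdomain
INSPECT_WINDOW = 2048                 # assumed size of the cleartext prefix a matcher can see


def build_client_hello(server_name: str, padding: int = 0, sni_first: bool = True) -> bytes:
    """Return one TLS record holding a minimal TLS 1.2 ClientHello with an SNI extension.

    `padding` adds a dummy padding extension (type 21) of that many zero bytes;
    `sni_first` chooses whether the SNI extension precedes or follows it, which
    decides whether the SNI falls inside a fixed inspection window."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type=host_name, length, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry        # ServerNameList
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension type 0 = server_name
    pad_ext = struct.pack("!HH", 21, padding) + b"\x00" * padding if padding else b""
    exts = sni_ext + pad_ext if sni_first else pad_ext + sni_ext
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + b"\x11" * 32                   # random (constructed, not random)
        + b"\x00"                        # session_id length 0
        + b"\x00\x02\xc0\x2f"            # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        + b"\x01\x00"                    # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 22 = handshake


def extract_sni(data: bytes):
    """Return the SNI host name from the bytes of a ClientHello record, or None.

    Works on a truncated prefix: it walks only the extension bytes actually present,
    so an SNI that lies beyond the supplied bytes is simply not found."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None                      # not a TLS handshake record, or not a ClientHello
    p = data[9:]                         # ClientHello body: skip 5-byte record and 4-byte handshake header
    off = 2 + 32                         # client_version + random
    if off >= len(p):
        return None
    off += 1 + p[off]                    # session_id
    if off + 2 > len(p):
        return None
    off += 2 + struct.unpack("!H", p[off:off + 2])[0]   # cipher_suites
    if off >= len(p):
        return None
    off += 1 + p[off]                    # compression_methods
    if off + 2 > len(p):
        return None
    ext_end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    while off + 4 <= min(ext_end, len(p)):
        etype, elen = struct.unpack("!HH", p[off:off + 4])
        off += 4
        edata = p[off:off + elen]
        off += elen
        if etype == 0 and len(edata) >= 5 and edata[2] == 0:      # server_name, entry type host_name
            name_len = struct.unpack("!H", edata[3:5])[0]
            name = edata[5:5 + name_len]
            if len(name) == name_len:
                return name.decode("ascii", errors="replace")
    return None


def should_block(data: bytes, blocked=BLOCKED_SUFFIXES, window: int = INSPECT_WINDOW) -> bool:
    """Blocklist decision on the first `window` bytes, as a prefix-only matcher would see them.

    A hello with no visible SNI is allowed here; a deny-by-default policy would
    return True instead, at the cost of breaking clients that send no SNI."""
    name = extract_sni(data[:window])
    if name is None:
        return False
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in blocked)


if __name__ == "__main__":
    hello = build_client_hello("www.website.com")
    print("sni:", extract_sni(hello), "blocked:", should_block(hello))
    late = build_client_hello("www.website.com", padding=2200, sni_first=False)
    print("sni beyond window:", extract_sni(late[:INSPECT_WINDOW]), "blocked:", should_block(late))
```

The two padded variants are the point: a matcher that only sees a fixed prefix is a positional check, not a semantic one, so a client (or an evasion tool) that pushes the SNI past the window is not seen at all, while a well-behaved client that sends it first is matched even when the whole hello is larger than the window.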

/ip proxy access
add action=deny dst-host=*website.com

Works with a non-transparent proxy.

I use WPAD to inform clients about the network proxy. I have never tried it with transparent proxying.

If you need to block only certain addresses, it’s much easier to use this script:
http://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules