HTTPS traffic redirect problem

How do I redirect all HTTPS traffic to the web proxy? Please give me a solution.

Do you use a web-proxy on mikrotik or a third-party server?

You can’t transparently redirect https traffic to proxy, without the user getting certificate issues.

Not 100% correct.

At our work we use Forcepoint to block unwanted traffic.

Here is how it works.

  1. You need a locally installed certificate from Forcepoint.
  2. You try to open an https site.
  3. WCCP (web redirecting proxy) sees that you are going to a destination that we like to inspect, and sends it to Forcepoint.
  4. Forcepoint strips off the https certificate, looks at where you go and allows/blocks the session. If it allows the session it uses the real cert from the site you are visiting.

So at the client side you can see the lock is green on the https sites, but if you look at the certificate it's a specially created one, not the site cert.

This works fine in most cases, but if you have an application that reads https and does not see or understand that you have a local certificate, it will not work. So browser traffic is ok, but for applications you need exceptions.

There are other vendors that can do this, like Check Point.
This video explains how it works:
https://www.youtube.com/watch?v=1lJBBRsc03A

Not 100% correct.
squid (open source) can do the same. So, in open Linux environments (also on openwrt/LEDE), this can be done without a separate product.

Both methods require installing a custom root CA cert on the clients.
There is no way to not get browser warnings unless the client installs your certificate. Which is not a very good practice anyway, both from a security and a management point of view.

So not viable for most out there.
Not to mention it's not very secure to mess with root CAs unless you REALLY know what you are doing, just see the stupidity by Lenovo and others a few years back. Installing a custom root CA cert is almost like installing a backdoor.

In closed, controlled environments (i.e. a company with a specific security policy and centralized management, like Active Directory) this might be a solution.
In others (i.e. a hotspot) it is most definitely not a solution.

Again, in case you want to filter/log certain hostnames (NOT complete URLs) or IPs, you do NOT need to install the certificate for https.
Exactly what I did for a special router (openwrt/LEDE) for parental control. Which is an example that https filtering/logging makes sense. And is legal.
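The hostname-only filtering mentioned in the two posts above works because the client sends the server name (SNI) in cleartext in the TLS ClientHello, before any certificate is involved, so a filter can read it without terminating TLS. The following is an added example, not code from this thread or from any of the products it names: it builds a constructed ClientHello for test input, extracts the SNI from it, and applies a small constructed blocklist. The `BLOCKLIST` contents, the `decide` policy and the "no-sni" fallback are assumptions for illustration.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension (test input only)."""
    host = hostname.encode("ascii")
    server_name = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0, len(server_name_list)) + server_name_list  # ext type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (zeroed; constructed input)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\xc0\x2f"    # cipher_suites: length 2, one suite
        + b"\x01\x00"            # compression_methods: length 1, null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent/unparseable."""
    if len(data) < 5 or data[0] != 0x16:            # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                # 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:                          # truncated or split across records
        return None
    pos = 2 + 32                                    # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # compression_methods
    if len(body) < pos + 2:                         # no extensions block at all
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0 or len(edata) < 5:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(edata)):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            name = edata[p:p + nlen]
            p += nlen
            if ntype == 0:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


# Constructed blocklist for the example; a real deployment would load policy from config.
BLOCKLIST = {"ads.example.net"}


def decide(data: bytes) -> str:
    """Policy decision for one ClientHello: 'allow', 'block', or 'no-sni' when SNI is unavailable."""
    sni = extract_sni(data)
    if sni is None:
        return "no-sni"          # e.g. non-TLS or encrypted SNI: fall back to IP-based policy
    host = sni.lower()
    if host in BLOCKLIST or any(host.endswith("." + b) for b in BLOCKLIST):
        return "block"
    return "allow"


if __name__ == "__main__":
    for name in ("www.example.com", "ads.example.net", "cdn.ads.example.net"):
        print(name, "->", decide(build_client_hello(name)))
```

The parser is deliberately defensive: every length field is bounds-checked, and a ClientHello that is truncated or split across TLS records yields `None` rather than a wrong hostname. A filter built this way only ever sees the hostname, never the URL path or content, which is exactly the limit the post above describes, and it gives no decision for clients that omit or encrypt the SNI, so those have to fall back to IP-based rules.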

Right… except for the fact that OP asked for redirect, not blocking or logging…

So sorry, mixed up with this one:

Forcepoint strips off the https certificate, looks at where you go and allows/blocks the session. If it allows the session it uses the real cert from the site you are visiting.