Redirect hotspot to SSL (No, really)

I’ve seen half a dozen threads about this but none of them fully cover the topic. TL;DR: the main goal here is for a guest to be redirected to our external, secured portal page when they type in any web address, including sites secured with SSL. Each of these threads ends up with someone claiming this is how SSL works, and there’s no workaround, but that’s not necessarily correct. Browsers using SSL will allow a redirect from one https page to a different one, if both have valid security certificates. That means that if a guest tries https://google.com and we redirect to https://myportalpage.com, it should successfully redirect.

The problem, in a Mikrotik, is that the user is not sent to https://myportalpage.com, they’re sent to 192.168.10.1/redirect.html which THEN sends them to the portal page.
Now we’re getting to the real problem. As explained in other threads about this issue, you can put a certificate on the Mikrotik and secure it, but a cert pointing to a local IP is not going to be trusted and will throw up errors.

So, the real question. Is there any way to have the Mikrotik’s hotspot redirect you to anything other than its internal HTML files, initially, for a hotspot? I’m not talking about editing one of these files to then redirect again; the issue is the redirect to the non-secure local IP address of the Mikrotik’s files on disk. Where is this first redirect handled? Is there anywhere I can tinker with it?

So far, I’m seeing that Mangle and NAT create dynamic rules when the hotspot is enabled that redirect to certain ports when an unauthed user tries to get online, and I assume it serves an HTML file out when it accepts something on that port for some reason. But I also see that you can dst-nat and redirect a request to an external IP. My thought was that I could add mangle/nat rules to override the built-in hotspot and redirect. I need to redirect to an external URL, though; something like https://myportalpage.com/hsia/PROPID . How might I go about doing this, when it only allows IP redirect?

Correct.

Wrong! The problem is your browser always checks the certificate before an HTTPS redirect becomes possible. And in your example you will need a valid certificate for google.com to redirect your guests trying to access https://google.com/ to whatever page you want.
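
The ordering described in the reply above (certificate check first, HTTP redirect only afterwards), as an added Go example that is not part of the thread: a constructed local gateway holds a certificate valid only for myportalpage.com and answers every request with a 302 to the portal. The `probe` function, the generated certificate and the local test server are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// probe runs a constructed gateway whose only certificate is for certName and which
// answers every request with a 302. A client that trusts that certificate connects
// expecting wantHost. Returns HTTP status (0 if none), handler hit count, and error.
func probe(certName, wantHost string) (int, int32, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: demo only
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{certName},
		Subject: pkix.Name{CommonName: certName}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	var hits int32
	gw := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
		http.Redirect(w, r, "https://myportalpage.com/hsia/PROPID", http.StatusFound)
	}))
	gw.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	gw.StartTLS()
	defer gw.Close()
	c := gw.Client() // already trusts the gateway certificate; only the name can fail
	c.Transport.(*http.Transport).TLSClientConfig.ServerName = wantHost // site the guest typed
	c.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	resp, err := c.Get(gw.URL)
	if err != nil {
		return 0, atomic.LoadInt32(&hits), err // handshake failed before any HTTP was exchanged
	}
	resp.Body.Close()
	return resp.StatusCode, atomic.LoadInt32(&hits), nil
}

func main() {
	for _, host := range []string{"google.com", "myportalpage.com"} {
		fmt.Println(probe("myportalpage.com", host))
	}
}
```

When the guest asked for google.com, the handler hit count stays at zero: the client aborts during the TLS handshake, so the gateway's redirect is never sent, let alone followed.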

Alright, that makes sense. All I know is that our Nomadix gateways are capable of HTTPS redirects from all pages; their user guide claims they “add a security exception to the user’s browser to allow the certificate received to be always ‘valid’”, which sounds like an exploit but … if it works, it works. So I was hoping to find some way to get a Mikrotik to do it as well.
I found out how to redirect to a URL using the Mikrotik’s proxy, but it of course still will not reliably allow redirection from https, so the issue is not necessarily because of the unsecured local files on the Mikrotik.

With that in mind, though, one of my laptops here is actually able to redirect from any https site except google, youtube, or facebook. All others seem to redirect without problems, though, like yahoo; how might this be happening, and how could we get other machines to do it? This is using Chrome, which generally has problems with redirecting.