Redirect HTTPS nicely

bonnecomm · December 7, 2021, 10:56pm

I have client addresses mapped to 172.20.100.0/22. Every now and again, I want to redirect them, one at a time, to a server where they’ll be asked to update their information. That server is at 172.21.100.4
As an example, I have
/ip firewall nat chain=dstnat src-address=172.20.100.8 action=dst-nat to-addresses=172.21.100.4 protocol=tcp dst-port=80,443

This mostly works. But in the browser, if I go to say https://bing.com, I get an invalid certificate error which makes sense since the certificate is for the server at 172.21.100.4 and not for bing.com and FireFox for one does not allow me to proceed at all. Some other browsers do but it’s very messy. I’d like to make it cleaner, to just get to the site. Any suggestions?

sid5632 · December 7, 2021, 11:03pm

You can’t redirect HTTPS ‘nicely’. That’s the whole point of it. It tells you when something dodgy is going on.

Sob · December 7, 2021, 11:34pm

Look at it from the other side, do you want someone else to have ability to hijack your connection and redirect it to different server? For example when accessing your bank? The answer is no. You may not need it for something bad, but others surely would. So that’s exactly what https prevents, and no exception exists, because it would be abused. There’s no clean way how to redirect https. Closest to it would be what hotspot does. It also tries to do MITM, but in a way that browser or OS should detect it and redirect user to login page.