I use MikroTik RouterOS 5.18 with WinBox.
I want to restrict internet access to certain IP addresses.
I currently manage to redirect requests of a certain IP address to a custom webpage, which is hosted by another server of mine.
The problem is that my approach works only if the request is made to a non-secure page and not to a HTTPS one.
So, for instance, if I want to redirect a user every time to my custom webpage on my server, this won’t work if that user accesses https://www.google.com/ for example.
How should I proceed?
PS. I am new to this, sorry if I missed something, please request any additional information if needed.
Not sure what is supported on v5. On the current release I would advise you to have a look at hotspot. It redirects http & https depending on what is allowed. Basically, to redirect https you would need an SSL-enabled server with a valid / recognised cert (by the client’s certificate store).
I doubt any solution will let you redirect HTTPS sites without the browser giving an invalid certificate warning (unless you are able to do some SSL MITM and/or have a wildcard certificate for the domain).
Our work does exactly that. Open all HTTPS packets. Inspect all packets for malware etc.
I think there is a whitelist for banks and others, but they can open all.
You need a root certificate on all clients to get it to work, so for normal users this is not something you do.
In Chrome, when I look at the HTTPS certificate while visiting https://google.com, it shows our company name, not Google.
You are both talking about different things: @Jotne: this involves wildcard certs installed on the client, and allows a proxy to decrypt and verify traffic. It’s indeed used @companies. @R1CH: you’re thinking about taking over an already set up and running SSL session. And that IS NOT what is being asked here.
Redirect as linked earlier happens before TCP is established, and consequently before the SSL session is established. A TCP “new” and all following packets are redirected to a different server presenting a valid cert for that new URL. => the browser will not show the target site but another site, properly signed with a correct & valid certificate.
And so https redirect can be done cleanly, when done from the first packet. It’s not a session take-over
I’m not talking about a session takeover. In a corporate environment where you can control every device then yes, you can intercept and redirect HTTPS by installing a MITM root cert. However people running a Mikrotik Hotspot are unlikely in such an environment otherwise they would be using EAP / 802.1x for authentication instead of a captive portal, and as such, redirecting / intercepting HTTPS is not possible since you cannot present a valid certificate.
If a TCP connection request for 4.3.2.1:443 (=yourdomain.com) (state=new and all following) is redirected to, say, 1.2.3.4:443, which is mydomain.com, with a cert validated by a root certificate authority for that IP, how can the browser complain about the presented data? Explain that to me?
Please don’t confuse EAP with the above; it has nothing to do with that.
You can indeed TCP proxy an HTTPS connection, e.g. force google.com to resolve to 1.2.3.4 and then proxy 1.2.3.4:443 → google.com:443. This does not allow you to redirect or do anything else to it though. If you tried to proxy 1.2.3.4:443 → myhotspot.com:443, the browser would terminate the connection due to a certificate mismatch, since you do not have a valid certificate for google.com.
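The disagreement in the two posts above comes down to what the browser checks: not whether the certificate it receives is valid and CA-signed, but whether it is valid for the name the user typed. The following is an added illustration, not code from the thread or from MikroTik. It models the hostname check a browser performs (RFC 6125 style matching of the requested host against the certificate’s DNS subjectAltName entries) and applies it to the dst-nat scenario. The certificate names (`login.myhotspot.example`, `*.myhotspot.example`) and the `Cert`, `hostname_matches` and `redirect_outcome` helpers are all assumptions constructed for this example.

```python
"""
Model of the browser-side hostname check that makes a dst-nat "redirect"
of an HTTPS connection fail, even when the hotspot's own certificate is
perfectly valid.  Added example; the certificates below are constructed.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """Minimal stand-in for a server certificate: only the fields that
    matter for hostname matching (assumed structure, not a real X.509 parser)."""
    subject_cn: str
    dns_sans: List[str] = field(default_factory=list)


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # Only a whole-label wildcard ("*") is honoured; partial wildcards
    # such as "f*o" are treated as literal text and will not match.
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def hostname_matches(cert: Cert, hostname: str) -> bool:
    """Return True if `hostname` is covered by one of the certificate's DNS
    subjectAltName entries.  The subject CN is deliberately ignored, as
    current browsers do."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in cert.dns_sans:
        pat_labels = san.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue  # "*.example.com" does not cover "a.b.example.com"
        if "*" in pat_labels[1:]:
            continue  # a wildcard is only allowed in the leftmost label
        if pat_labels[0] == "*" and len(pat_labels) < 3:
            continue  # refuse over-broad wildcards such as "*.com"
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def redirect_outcome(requested_host: str, presented: Cert) -> str:
    """What the client sees after its TCP connection to `requested_host`:443
    was dst-nat'd to a server presenting `presented`.  Signature validity is
    assumed to be fine; only the name check is modelled here."""
    if hostname_matches(presented, requested_host):
        return "ok"
    return "certificate-mismatch"


# Constructed certificate for the hotspot's own login server, covering its
# hostname and any single-label subdomain via a wildcard entry.
HOTSPOT_CERT = Cert(
    subject_cn="login.myhotspot.example",
    dns_sans=["login.myhotspot.example", "*.myhotspot.example"],
)


if __name__ == "__main__":
    # A user typing the hotspot's own name gets a clean page; a user who
    # typed a third-party HTTPS site gets a mismatch, whatever the router does.
    for host in ["login.myhotspot.example",
                 "portal.myhotspot.example",
                 "deep.portal.myhotspot.example",
                 "www.google.com"]:
        print(f"{host:32} -> {redirect_outcome(host, HOTSPOT_CERT)}")
```

The last line of the output is the whole point of the thread: the TLS client compares the name it was asked to reach with the names in the certificate it was handed, so a CA-signed certificate for the hotspot cannot satisfy a request for `www.google.com`, and nothing a firewall NAT rule does changes which name the browser is expecting.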
I dug a bit further into it, and there is no way to tell the HTTPS client to connect to a different login URL first, which is what I thought was happening. So what current solutions end up doing is destination NATting. That will naturally trigger an SSL warning in the browser.
Some browsers provide a solution here by trying an http access to a well-known URL, and if a redirect to the login page happens, presenting that page to the user.
In conclusion, https cannot be redirected transparently, but presenting an https login page still does make sense: to protect the credentials and to provide verification of validity to the user.