marcelofares
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Capture all traffic https with webproxy?

Tue Mar 01, 2016 1:11 pm

Good day, everyone.
I would like to capture all the HTTPS traffic that my clients are accessing inside my LAN. I use the web proxy, redirecting port 80 traffic to 8080, and with that I can monitor all the HTTP websites (port 80) accessed.

I ask:

Is it possible to capture (filter) all the HTTPS pages that my clients access?

Best,
 
ShayanFiroozi
Member Candidate
Posts: 284
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Capture all traffic https with webproxy?

Tue Mar 01, 2016 1:31 pm

Hi,

HTTPS uses port 443
The price of your knowledge which you have to pay is to share it with others !!
 
marcelofares
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: Capture all traffic https with webproxy?

Tue Mar 01, 2016 3:37 pm

Hi,

HTTPS uses port 443
Yes friend, that I know. I just wanted to know how I can filter all the information coming in from the internet through my web proxy over HTTPS?

See, I have my web proxy enabled on port 8080 and I'm redirecting traffic from port 80 to 8080 and in this way I can capture all the browsed pages.

add action=redirect chain=dstnat comment="MK Web Proxy transparent" dst-port=80 protocol=tcp to-ports=8080

My doubt is:

How can I capture all browsed pages including https requests?

Is it possible to redirect port 433 to 8080 (web proxy)?
 
jlvillal
just joined
Posts: 11
Joined: Sun Feb 28, 2016 7:44 pm
Location: Portland, Oregon, USA

Re: Capture all traffic https with webproxy?

Tue Mar 01, 2016 5:41 pm

I don't believe this will work, unless all the clients have been set up to trust a custom Certificate Authority. In that case you could theoretically set up something like Squid to contact the real site and then dynamically re-encrypt the content and sign it with the custom Certificate Authority.

I'm not sure of the details, but you could google Squid and HTTPS.
 
marcelofares
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: Capture all traffic https with webproxy?

Tue Mar 01, 2016 7:42 pm

I don't believe this will work, unless all the clients have been set up to trust a custom Certificate Authority. In that case you could theoretically set up something like Squid to contact the real site and then dynamically re-encrypt the content and sign it with the custom Certificate Authority.

I'm not sure of the details, but you could google Squid and HTTPS.

You mean I have to implant a squid server in parallel with rb?
 
jlvillal
just joined
Posts: 11
Joined: Sun Feb 28, 2016 7:44 pm
Location: Portland, Oregon, USA

Re: Capture all traffic https with webproxy?

Tue Mar 01, 2016 8:01 pm

You mean I have to implant a squid server in parallel with rb?
That I don't know. I don't know enough about the RouterBoard to know what it can do as an HTTPS proxy server.
 
ShayanFiroozi
Member Candidate
Posts: 284
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Capture all traffic https with webproxy?

Wed Mar 02, 2016 10:54 am

I think it's better to run an independent proxy server and then redirect your traffic to it
The price of your knowledge which you have to pay is to share it with others !!
 
marcelofares
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: Capture all traffic https with webproxy?

Thu Mar 03, 2016 2:18 am

I think it's better to run an independent proxy server and then redirect your traffic to it

Ok man, thank you!
 
ShayanFiroozi
Member Candidate
Posts: 284
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Capture all traffic https with webproxy?

Thu Mar 03, 2016 5:01 am

Just forgot to say you may be able to remove ROS from the RB, install a lightweight Linux distro on your MikroTik device and set it up to run as an HTTPS server.
Just an idea, but not sure.
The price of your knowledge which you have to pay is to share it with others !!
 
czolo
Member
Posts: 418
Joined: Fri Mar 04, 2005 9:49 am
Location: Poland (Warsaw)

Re: Capture all traffic https with webproxy?

Sun Mar 06, 2016 1:07 am

MikroTik can be a transparent proxy, but you have to manually configure your web browser to use it. You can't redirect an HTTPS connection with the firewall to any Squid or similar proxy, because HTTPS uses end-to-end encryption.
| --= Czo|_o =--
| http://wifi4eu.pl
| Innovation in WiFi
 
marcelofares
Frequent Visitor
Topic Author
Posts: 97
Joined: Tue Mar 03, 2015 2:26 pm

Re: Capture all traffic https with webproxy?

Sun Mar 06, 2016 10:02 pm

MikroTik can be a transparent proxy, but you have to manually configure your web browser to use it. You can't redirect an HTTPS connection with the firewall to any Squid or similar proxy, because HTTPS uses end-to-end encryption.
You mean that each client must be configured manually for the HTTPS filter to work?
 
czolo
Member
Posts: 418
Joined: Fri Mar 04, 2005 9:49 am
Location: Poland (Warsaw)

Re: Capture all traffic https with webproxy?

Sun Mar 06, 2016 10:35 pm

Yes.
Here is an example for the Firefox web browser:
http://www.wikihow.com/Enter-Proxy-Settings-in-Firefox
| --= Czo|_o =--
| http://wifi4eu.pl
| Innovation in WiFi
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: Capture all traffic https with webproxy?

Mon Jan 22, 2018 4:14 pm

I was just struggling with how to block HTTPS social sites in my small network, and I think I found a solution; at least it works here. Maybe not 100% as I would wish, but it somehow works.

1. Setting up a list of disallowed websites (let's call it 'social'). As I am located in Poland, I have to restrict the .com and .pl addresses of e.g. the Facebook site:
/ip firewall address-list
add address=facebook.com list=social
add address=facebook.pl list=social
add address=www.facebook.com list=social
add address=www.facebook.pl list=social

2. Now set up redirection of HTTP (tcp 80) and HTTPS (tcp 443) to our proxy:
/ip firewall nat
add action=redirect chain=dstnat comment=Proxy dst-address-list=social dst-port=80,443 protocol=tcp to-ports=8080

3. Now let's enable our web proxy on port 8080 (unfortunately export gives almost nothing, so here is a print of my settings):
/ip proxy print 
                 enabled: yes
             src-address: ::
                    port: 8080
               anonymous: yes
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: webmaster
          max-cache-size: none
   max-cache-object-size: 2048KiB
           cache-on-disk: no
  max-client-connections: 600
  max-server-connections: 600
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
              cache-path: web-proxy

4. Now we have to set up a general rule that will deny access to our sites:
/ip proxy access add action=deny

Additionally, you can also set up a list of addresses allowed (let's call it admin) to browse these sites anyway, so your NAT rule will look like:
/ip firewall nat
add action=redirect chain=dstnat comment=Proxy dst-address-list=social dst-port=80,443 protocol=tcp src-address-list=!admin to-ports=8080

I was wondering if there is any easier way to block these sites while giving others access? Of course, it doesn't have to be Facebook, but any other site that some may have and some may not have access to.
 
prawira67
just joined
Posts: 1
Joined: Tue Sep 18, 2018 4:46 am

Re: Capture all traffic https with webproxy?

Tue Sep 18, 2018 5:01 am

Hi all,

I followed the instructions made by matiaszon but still no luck.
I made a proxy access deny rule with a redirect.
The denied page is still accessible and the redirect page never opens.
/ip firewall nat
add action=redirect chain=dstnat dst-port=80,443 protocol=tcp to-ports=8000
add action=masquerade chain=srcnat out-interface=ether13
/ip proxy
set anonymous=yes enabled=yes max-cache-size=none port=8000
/ip proxy access
add action=deny dst-host=*.youtube.com redirect-to=www.google.com
What could be wrong?

Thank you

P
