Redmor
Member Candidate
Topic Author
Posts: 251
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Block HTTPS sites

Sat Jun 30, 2018 5:54 pm

Hello,

I have to block HTTPS connections for customers that don't pay and redirect every connection to a page that says "You forgot to pay this month" and other things.
How can I do that?
 
R1CH
Forum Veteran
Posts: 928
Joined: Sun Oct 01, 2006 11:44 pm

Re: Block HTTPS sites

Sat Jun 30, 2018 6:18 pm

Blocking is possible, redirecting is not as it would require breaking HTTPS security. Simply drop outbound TCP/UDP port 443.
 
Sayrax
just joined
Posts: 24
Joined: Mon Jun 26, 2017 4:44 pm
Location: Kharkiv

Re: Block HTTPS sites

Sun Jul 01, 2018 12:08 am

Create a group in the address list and move customers (who do not pay) to this group. In the firewall, do a "redirect" to your web server with the message "Pay for services".
 
vecernik87
Long time Member
Posts: 696
Joined: Fri Nov 10, 2017 8:19 am

Re: Block HTTPS sites

Sun Jul 01, 2018 3:35 am

Just 2 cents from me: The firewall feature you are looking for is called TLS-Host: https://youtu.be/XkKj9rj4quQ?t=28m44s
That will allow your firewall to get the proper traffic for dropping.
In terms of redirecting, I don't think it is going to work. If the server is using HSTS, browsers will simply refuse to connect and will not even offer the button to overcome the famous "connection not secure" message.
 
alli
newbie
Posts: 35
Joined: Tue Jan 24, 2017 5:43 pm

Re: Block HTTPS sites

Sun Jul 01, 2018 11:30 am

Redmor wrote:
> Hello,
>
> I have to block HTTPS connections for customers that don't pay and redirect every connection to a page that says "You forgot to pay this month" and other things.
> How can I do that?

You can't redirect HTTPS, because when a browser tries to connect to an HTTPS site, for example https://facebook.com, it first gets and checks that the provided certificate is valid and signed by a root CA for the requested domain, which practically no one other than Facebook can obtain. If you provide a self-signed certificate, the browser considers it a MITM attack and warns the user.
 
rfritz80
just joined
Posts: 24
Joined: Wed Jan 17, 2018 9:17 pm

Re: Block HTTPS sites

Wed Jul 04, 2018 3:41 am

Sayrax wrote:
> Create a group in the address list and move customers (who do not pay) to this group. In the firewall, do a "redirect" to your web server with the message "Pay for services".

Could you give an example of how to do this, how to create the group and how to redirect them? It would be very much appreciated. Thanks.
 
R1CH
Forum Veteran
Posts: 928
Joined: Sun Oct 01, 2006 11:44 pm

Re: Block HTTPS sites

Wed Jul 04, 2018 2:56 pm

Please listen to the people saying this is not possible. If anyone could redirect HTTPS, what's to stop anyone on the internet doing that to Google or a banking website? Redirecting HTTPS is only possible if you also own all the client devices and have installed a MITM root certificate into the OS. If you try to do it anyway, you will cause users to see security errors in their browser.

If you tell your users to ignore the error, you are training them in the worst possible way, as when a legitimate error happens they will happily ignore it and end up with all their data stolen (example). As an ISP you hold a certain amount of responsibility, as users will generally believe you to be more technically competent than themselves. Don't abuse that by trying to do bullshit things like HTTPS interception.

The correct solution for this use case is to redirect all DNS and HTTP connections to a local site and block internet access. Modern operating systems and phones will recognize this as a captive portal situation and direct the user to the desired page.
 
rfritz80
just joined
Posts: 24
Joined: Wed Jan 17, 2018 9:17 pm

Re: Block HTTPS sites

Wed Jul 04, 2018 9:28 pm

R1CH wrote:
> Please listen to the people saying this is not possible. If anyone could redirect HTTPS, what's to stop anyone on the internet doing that to Google or a banking website? Redirecting HTTPS is only possible if you also own all the client devices and have installed a MITM root certificate into the OS. If you try to do it anyway, you will cause users to see security errors in their browser.
>
> If you tell your users to ignore the error, you are training them in the worst possible way, as when a legitimate error happens they will happily ignore it and end up with all their data stolen (example). As an ISP you hold a certain amount of responsibility, as users will generally believe you to be more technically competent than themselves. Don't abuse that by trying to do bullshit things like HTTPS interception.
>
> The correct solution for this use case is to redirect all DNS and HTTP connections to a local site and block internet access. Modern operating systems and phones will recognize this as a captive portal situation and direct the user to the desired page.

Sorry about the confusion. I am not asking whether or how to block HTTPS; I am asking how I can redirect customers on my network who forgot to pay their monthly payments to a website. Typically this can be done with HTTP, but I am unsure about the procedure for setting it up.
 
Redmor
Member Candidate
Topic Author
Posts: 251
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: Block HTTPS sites

Thu Jul 12, 2018 2:42 pm

R1CH wrote:
> Please listen to the people saying this is not possible. If anyone could redirect HTTPS, what's to stop anyone on the internet doing that to Google or a banking website? Redirecting HTTPS is only possible if you also own all the client devices and have installed a MITM root certificate into the OS. If you try to do it anyway, you will cause users to see security errors in their browser.
>
> If you tell your users to ignore the error, you are training them in the worst possible way, as when a legitimate error happens they will happily ignore it and end up with all their data stolen (example). As an ISP you hold a certain amount of responsibility, as users will generally believe you to be more technically competent than themselves. Don't abuse that by trying to do bullshit things like HTTPS interception.
>
> The correct solution for this use case is to redirect all DNS and HTTP connections to a local site and block internet access. Modern operating systems and phones will recognize this as a captive portal situation and direct the user to the desired page.

I was looking for the same thing but I think it's impossible to redirect HTTPS.

rfritz80 wrote:
> Sorry about the confusion. I am not asking whether or how to block HTTPS; I am asking how I can redirect customers on my network who forgot to pay their monthly payments to a website. Typically this can be done with HTTP, but I am unsure about the procedure for setting it up.
 
dcwifi
just joined
Posts: 23
Joined: Thu Jan 21, 2010 7:35 am

Re: Block HTTPS sites

Thu Jul 12, 2018 3:15 pm

Create a hotspot for that network and edit the login.html with the message "Pay for services".

If they paid - disable the hotspot.
If they have not paid - enable the hotspot; it will redirect them.
 
pe1chl
Forum Guru
Posts: 6782
Joined: Mon Jun 08, 2015 12:09 pm

Re: Block HTTPS sites

Thu Jul 12, 2018 3:16 pm

There is no use in going on and on about this. It cannot be done. Period.
You can only block all network access for customers that do not pay. You cannot show them a page.
Live with it.
 
reinerotto
Member
Posts: 442
Joined: Thu Dec 04, 2008 2:35 am

Re: Block HTTPS sites

Thu Jul 12, 2018 10:21 pm

R1CH had the best proposal: fake a captive portal. Implementation details depend upon your network structure, i.e. using DNS hijacking.
It might not be so simple, though.
However, it will work without flaws on HTTP only, but on connecting devices the Captive Portal Detection will be triggered, and you can display your request for $.
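
The approach R1CH and Sayrax describe (address list, redirect of DNS and plain HTTP, everything else blocked), written out as a RouterOS sketch. This is an added example and not part of any post in the thread; the list name `unpaid`, the notice server 192.0.2.10 and the customer address 198.51.100.25 are constructed placeholders.

```routeros
# Added example, not from the thread. Addresses are constructed placeholders:
#   192.0.2.10    = web server hosting the "please pay" notice (assumption)
#   198.51.100.25 = one suspended customer (assumption)

# 1. Suspended customers go into an address list.
/ip firewall address-list
add list=unpaid address=198.51.100.25 comment="constructed example customer"

# 2. Let the router answer DNS, so the captive-portal probes that phones and
#    operating systems send still resolve. Make sure the input chain does not
#    accept port 53 from the WAN side, or the router becomes an open resolver.
/ip dns set allow-remote-requests=yes

/ip firewall nat
# 3. Force all DNS from suspended customers to the router's own resolver.
add chain=dstnat src-address-list=unpaid protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="unpaid: DNS to router"
add chain=dstnat src-address-list=unpaid protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="unpaid: DNS to router"
# 4. Rewrite plain HTTP only (port 80) to the notice server. The server must
#    answer any Host header with the notice page. Port 443 is deliberately
#    not rewritten: the notice server cannot present a valid certificate for
#    the site the customer asked for.
add chain=dstnat src-address-list=unpaid protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.0.2.10 to-ports=80 \
    comment="unpaid: HTTP to notice page"

/ip firewall filter
# 5. Allow the rewritten traffic to reach the notice server.
add chain=forward src-address-list=unpaid dst-address=192.0.2.10 \
    action=accept comment="unpaid: allow notice server"
# 6. Refuse remaining TCP (including HTTPS) with a reset, so browsers fail
#    immediately instead of waiting for a timeout.
add chain=forward src-address-list=unpaid protocol=tcp \
    action=reject reject-with=tcp-reset comment="unpaid: reset other TCP"
# 7. Drop everything else, including UDP 443 (QUIC).
add chain=forward src-address-list=unpaid action=drop \
    comment="unpaid: drop the rest"
```

Rule order matters: the three filter rules have to sit above any existing accept or fasttrack rules in the forward chain, otherwise suspended customers' traffic is accepted before it reaches them.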
