Ghassan
Member Candidate
Topic Author
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Forward HTTPS & FTP to Web-Proxy

Wed Mar 28, 2007 3:02 am

Hello All,

How can I forward HTTPS connections to the proxy, since I have 3 interfaces?

first interface = Local
2nd interface = ISP-1
3rd interface = ISP2

ISP-1 is for HTTP only, which I am using.
ISP-2 is my gateway, and it appears that HTTPS is coming from ISP-2, not from my web-proxy.

Another thing is that I want to forward FTP connections to my web-proxy, since my Web-Proxy is in Transparent Mode.

Thank you,
Ghassan
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Wed Mar 28, 2007 11:20 am

I doubt that HTTPS can be used with a proxy at all.

And transparent FTP is not supported by the RouterOS proxy solution.
 
Ghassan
Member Candidate
Topic Author
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Wed Mar 28, 2007 2:27 pm

Notice that if I set my MT proxy IP as the proxy on my client, it forwards everything to the web-proxy, or I get HTTPS from the web proxy; but if a user is on port 80, he can get only HTTP on port 80, while HTTPS goes directly... They told me that I want to forward my HTTPS to the web proxy, so how can we forward HTTPS to the web-proxy?

Thank you,
Ghassan
 
mrz
MikroTik Support
Posts: 5971
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Wed Mar 28, 2007 10:01 pm

https is using port 443. You must redirect port 443 traffic in order to pass https to web-proxy.
 
savagedavid
Trainer
Posts: 310
Joined: Thu Aug 25, 2005 12:58 pm
Location: Cape Town, South Africa

Wed Mar 28, 2007 10:05 pm

If you redirect port 443 it will not actually proxy the request - the proxy will merely pass on the request and not cache it. There is probably no benefit in caching HTTPS. Also how would your users feel knowing that there might be a chance of their secure transactions being cached (even if you know it is not so)?
savagedavid
MTCE+T (MikroTik Certified Everything + Trainer)
MikroTik support and training in South Africa
http://www.mikrotiksa.com
david [at] mikrotiksa dot com
 
Ghassan
Member Candidate
Topic Author
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Thu Mar 29, 2007 12:12 am

> https is using port 443. You must redirect port 443 traffic in order to pass https to web-proxy.

I already used this rule before I posted this topic; I got MSN and everything that uses SSL down...

Notice that if I make some settings on our clients, or if I put the proxy in Explorer and pass through local, surfing gets much better with it; but if I leave it at normal settings, which is default port 80, it will only cache HTTP requests. Another thing: do not forget that some pictures and exe files are being downloaded from HTTPS.

What do you think is the best solution for HTTPS requests, and how can we forward them to the cache?
 
Ghassan
Member Candidate
Topic Author
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Thu Mar 29, 2007 12:15 am

> If you redirect port 443 it will not actually proxy the request - the proxy will merely pass on the request and not cache it. There is probably no benefit in caching HTTPS. Also how would your users feel knowing that there might be a chance of their secure transactions being cached (even if you know it is not so)?

I only want to cache pictures and file extensions that can be downloaded.
 
shielder
Member Candidate
Posts: 221
Joined: Wed Feb 09, 2005 7:09 pm
Location: Indonesia

Thu Mar 29, 2007 7:06 am

Do not try to forward HTTPS to the proxy; you would have problems with signing in to email or bank accounts. But for FTP, you could try, but you need to increase the maximum cache size of your proxy.
 
mrz
MikroTik Support
Posts: 5971
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Thu Mar 29, 2007 9:44 am

> do not try to forward https to proxy, you would have problems with signing in to email or bank account. But for FTP, you could try, but you need to increase the maximum cache size of your proxy

As it was mentioned before, MT does not support transparent FTP in v2.9.
 
Ghassan
Member Candidate
Topic Author
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Thu Mar 29, 2007 12:02 pm

So do you mean that all versions do not support Transparent FTP?

Is there any idea to cache HTTPS, actually not all HTTPS but only pictures or extensions like exe, as it seems that most websites are securing their files by HTTPS.

Any solution for FTP!
 
The Grog
just joined
Posts: 10
Joined: Wed Aug 24, 2005 11:27 pm
Location: South Africa

Thu Mar 29, 2007 10:02 pm

For pure security reasons you can't cache HTTPS and for a good reason.

Most secure sites will not accept the connection in the first place and those that do are NOT secure anyway. Please read documentation on why it is not supposed to work from squid-cache for example.

It is pretty simple and is due to the man-in-the-middle attacks, making a supposed secure connection insecure. Any proper web proxy server has not implemented this and never will.
 
Ghassan
Member Candidate
Topic Author
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Thu Mar 29, 2007 11:42 pm

But if I changed my settings to Transparent Mode = no and apply new settings for clients by putting the same proxy for all protocols: HTTP, Secure, FTP, Socks...

After changing, I found some changes with HTTPS, much faster than before... so I knew that is from the cache, since you can manage access or filter caching.
 
tplecko
Member Candidate
Posts: 114
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia

Re: Forward HTTPS & FTP to Web-Proxy

Mon Jun 11, 2007 12:36 pm

What if you only want to deny sites?

We use MT WEB-PROXY only for filtering web content. The problem is that most of the web servers (including my company's) will accept https connections by default, which then bypasses my proxy and the user can visit the forbidden site anyway...

Can this be done?
 
Ghassan
Member Candidate
Topic Author
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Re: Forward HTTPS & FTP to Web-Proxy

Tue Jun 12, 2007 3:20 am

> What if you only want to deny sites?
>
> We use MT WEB-PROXY only for filtering web content. The problem is that most of the web servers (including my company's) will accept https connections by default wich then bypasses my proxy and the user can visit the forbidden site anyway...
>
> Can this be done?

Anyway, I have finished our servers. If anyone requests the blocked websites via 80 or 443, then he/she will get a website that shows access denied.

It was all done by blocking websites that are on the access-list.

I am glad to help you.

Ghassan.
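
As an added illustration (not part of any post above and not RouterOS code), this Python example shows what a plain, non-intercepting HTTP proxy can see in the four cases discussed in this thread: explicit-proxy HTTP, transparently redirected port 80, an explicit-proxy HTTPS `CONNECT` tunnel, and raw TLS arriving after a port 443 redirect. The host names, the deny list and the sample bytes are constructed for the example.

```python
from urllib.parse import urlsplit

DENY_HOSTS = {"blocked.example"}  # hypothetical access-list entries


def _result(kind, host=None, url=None, cache_candidate=False):
    if kind in ("raw-tls", "unknown"):
        verdict = "unparseable"  # no HTTP request to filter or cache
    else:
        verdict = "deny" if host in DENY_HOSTS else "allow"
    return {"kind": kind, "host": host, "url": url,
            "cache_candidate": cache_candidate, "verdict": verdict}


def classify(first_bytes: bytes) -> dict:
    """What a non-intercepting HTTP proxy can learn from a new connection."""
    # A TLS record starts with type 0x16 (handshake) and major version 0x03;
    # this is what arrives when port 443 is redirected to the proxy port.
    if first_bytes[:2] == b"\x16\x03":
        return _result("raw-tls")
    try:
        head = first_bytes.decode("ascii").split("\r\n")
        method, target, version = head[0].split(" ")
    except ValueError:  # not ASCII, or not "METHOD target HTTP/x.y"
        return _result("unknown")
    if not version.startswith("HTTP/"):
        return _result("unknown")
    if method == "CONNECT":
        # Explicit proxy + HTTPS: only host:port is visible, the rest is encrypted.
        return _result("tunnel", host=urlsplit("//" + target).hostname)
    if target.startswith("/"):
        # Transparent HTTP (redirected port 80): origin-form target + Host header.
        hosts = [h.partition(":")[2].strip() for h in head[1:]
                 if h.lower().startswith("host:")]
        host = urlsplit("//" + hosts[0]).hostname if hosts else None
        url = f"http://{hosts[0]}{target}" if hosts else target
    else:
        # Explicit proxy + HTTP: absolute-form target carries the full URL.
        host, url = urlsplit(target).hostname, target
    return _result("http", host=host, url=url, cache_candidate=(method == "GET"))


SAMPLES = {  # constructed inputs, one per case
    "explicit_http": b"GET http://files.example/setup.exe HTTP/1.1\r\nHost: files.example\r\n\r\n",
    "transparent_http": b"GET /logo.png HTTP/1.1\r\nHost: blocked.example\r\n\r\n",
    "explicit_https": b"CONNECT blocked.example:443 HTTP/1.1\r\nHost: blocked.example:443\r\n\r\n",
    "redirected_443": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",  # ClientHello prefix
}
```

In the `CONNECT` case the proxy can still allow or deny by host name, but it never sees a URL or response body, so there is nothing it could cache.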
