
Re: Proxy https

Stun Box wrote:
Hello,

I have a wireless network which gives visitor access through a captive portal.
I am using coovachilli, but it does not ensure protection. (Open
Association & Http)
I am looking for a proxy which can receive a http request
(http://www.google.fr), redirect to https protocol
(https://www.google.fr), do the http request on the internet side,
then get back the web page asked through the https connection to the
client.

In a scheme, it looks like that :

User  => http request => Proxy
User <= https redirect <= Proxy
User => https request => Proxy => http request => website
User <= https response <= Proxy <= http response <= website

Is that possible with squid ?


Not the way you want to do it.

You can happily do steps 1->2, but as soon as the browser starts the HTTPS connection you lose all control over what happens inside the encrypted tunnel.

You cannot configure browsers with WPAD/PAC to connect to the proxy over SSL since none of the common browsers have any kind of SSL-proxy connection features.

You cannot fake being https://example.com since the browser and HTTPS security is created expressly to detect and alert the user to such man-in-middle attacks.

You cannot use the SSLBump feature of 3.1 without causing large visitor annoyance, as the alerts on every site they visit (even unencrypted ones!) show web attacks taking place.

Basically, with the captive portal approach you are forced to accept any kind of internal inputs. The visitor machine is always correct, you have zero control over their machine. All you can do is map insecure internal connections to secure _external_ protocols on the Internet side of the portal. In some cases respond with an informative message saying please do X instead of Y and hope the visitor reads it.

Unless you are in a very high-security environment this should not be an issue. If you are in a high security environment WTF are you doing running a captive portal instead of a blanket security firewall?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7
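The feasible part of the scheme above is steps 1->2: answer the plain-HTTP request with a redirect to the https:// equivalent and let the browser talk TLS to the real site. As an added example (not code from the thread or from Squid), here is a minimal Python redirector that builds the Location from the Host header and request-target; step 3, terminating the client's HTTPS and re-issuing plain HTTP upstream, is deliberately absent because the proxy holds no certificate the browser would accept for the target host.

```python
import http.server
from urllib.parse import urlsplit, urlunsplit


def https_location(host_header, request_target):
    """Map a plain-HTTP request (Host header + request-target) to the
    https:// URL the client should be sent to. Returns None when there is
    no usable Host header or a non-default port, so the caller answers
    400 instead of guessing a destination."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.endswith(":80"):          # explicit default port: drop it
        host = host[:-3]
    parts = urlsplit(request_target)
    if parts.scheme and parts.netloc:  # absolute-form target (proxy-style request)
        host = parts.netloc.lower()
        if host.endswith(":80"):
            host = host[:-3]
    # ":8080" and friends have no https equivalent we may assume; IPv6 literals are fine
    if ":" in host and not host.startswith("["):
        return None
    # A target like "//evil.example/x" has no scheme, so its netloc is ignored
    # and the visitor is never redirected to a host they did not ask for.
    path = parts.path or "/"
    return urlunsplit(("https", host, path, parts.query, ""))


class RedirectHandler(http.server.BaseHTTPRequestHandler):
    """Step 1->2 only: never fetches anything on the visitor's behalf."""

    def do_GET(self):
        target = https_location(self.headers.get("Host"), self.path)
        if target is None:
            self.send_error(400, "Host header required")
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    # Assumed listening address for a captive-portal box; adjust to taste.
    http.server.HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```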
