
So I have a privoxy running (on port 8080) on a box acting as a router. My goal is to route all HTTP & HTTPS traffic through privoxy on there. HTTP works with the following command:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

However, it doesn't work for port 443.

To get HTTP to work, I had to set privoxy's config for "accept-intercepted-requests" to be 1. Is there a similar option to intercept HTTPS requests?

I know setting the proxy settings on Firefox works, but it would be easier if the proxy is transparent. Thanks.

1 Answer


A primary purpose of HTTPS is to prevent "man-in-the-middle", which is exactly what a transparent proxy like this is trying to do. To do so, you'd need to have a certificate valid for everything or a system to generate certificates on the fly. In either case you're going to need an internal CA (no already-trusted external one will give you a cert for anything you don't control) and to install that root as trusted in all systems behind the proxy.

Configuration of the browser proxy option will likely be a more reasonable task. It may be possible to do this through some sort of proxy auto-configuration, but I wouldn't be surprised if it's not possible for security reasons (I've never really investigated proxy autoconfig before).

Jeremy M
  • I thought that was the case, but the proxy does work on Firefox (with HTTPS proxy settings) with no certificate errors. The difference between redirecting ports and setting Firefox's proxy is that Firefox changes the request IP to the proxy's IP, and it adds the domain name to the GET request. I wonder if doing this is possible with iptables? –  Aug 05 '10 at 18:27
  • Also, to clarify, it doesn't need to be "transparent" in the sense that users can't see they're using a proxy. It just needs to be a no-setup-required thing. –  Aug 05 '10 at 18:28
  • With HTTPS, the difference is that if Firefox is set up to use a proxy, it knows that it will not have end-to-end security. It may be possible to intercept the traffic itself, but you'll see an initial CONNECT or STARTTLS rather than GET, and if any modification to the traffic is attempted the SSL layer will treat it as malicious interference (SSL security warnings). You could pass the traffic unmodified, but that doesn't sound like what you want to do. – Jeremy M Aug 06 '10 at 02:35
  • Hmm, can you tell me how to pass the traffic unmodified? Thanks. –  Aug 07 '10 at 04:12
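As an added illustration of the answer and the comments above (example code written for this page, not from the original poster, the answerer, or the privoxy project), the following Python script shows the first bytes a listener on the proxy port receives in each of the three situations discussed: port-80 traffic redirected by iptables (an ordinary GET with the host only in the Host header, which is why privoxy needs accept-intercepted-requests), Firefox talking to an explicitly configured HTTPS proxy (a CONNECT line that names the host, after which the proxy only relays opaque TLS bytes, which is why Firefox shows no certificate errors), and port-443 traffic redirected by iptables (a raw TLS ClientHello, which an HTTP-speaking proxy does not understand). The one piece of the ClientHello that is readable in the clear is the SNI extension; reading it is how a "pass the traffic unmodified" relay could learn where to forward the connection without terminating TLS. The sample byte strings and the minimal hand-built ClientHello are constructed for the demo; host names, the SAMPLES dictionary and the classify/parse_sni helpers are this example's own, not part of privoxy.

```python
import struct


def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record, optionally with an SNI extension.
    Constructed sample input for this demo; a real browser sends many more fields."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host             # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ext type 0 = server_name
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (zeroed for the sample)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\xc0\x2f"    # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # type client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(data):
    """Return the SNI host name from the plaintext part of a TLS ClientHello, or None."""
    if len(data) < 5 or data[0] != 0x16:                  # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                      # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                  # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                  # compression_methods
    if len(body) < pos + 2:                               # no extensions block: no SNI
        return None
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0:
            continue
        p = 2                                             # skip server_name_list length
        while p + 3 <= len(edata):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            if ntype == 0:
                return edata[p:p + nlen].decode("ascii", "replace")
            p += nlen
    return None


def classify(first_bytes):
    """Say how traffic reached the proxy port and which host name, if any, is visible."""
    if first_bytes[:1] == b"\x16":
        return {"kind": "tls-clienthello", "host": parse_sni(first_bytes)}
    lines = first_bytes.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) >= 3 and parts[0] == b"CONNECT":
        return {"kind": "explicit-connect", "host": parts[1].decode("ascii", "replace")}
    if len(parts) >= 3 and parts[2].startswith(b"HTTP/"):
        host = None
        for hdr in lines[1:]:
            if hdr.lower().startswith(b"host:"):
                host = hdr.split(b":", 1)[1].strip().decode("ascii", "replace")
        return {"kind": "intercepted-http", "host": host}
    return {"kind": "unknown", "host": None}


# Constructed samples: the first bytes the listener on port 8080 would see in each case.
SAMPLES = {
    "redirected_port_80": b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "firefox_https_proxy": b"CONNECT www.example.org:443 HTTP/1.1\r\nHost: www.example.org:443\r\n\r\n",
    "redirected_port_443": build_client_hello("www.example.org"),
    "redirected_port_443_no_sni": build_client_hello(None),
}


def demo():
    """Classify every sample; returns {name: result} so callers can inspect it."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result['kind']:18s} host={result['host']}")
```

The fourth sample is the caveat a pass-through relay has to plan for: a ClientHello with no server_name extension (older clients, or clients that hide the name) gives the relay nothing to route on, so it would need the original destination address from the kernel (the pre-REDIRECT address) rather than anything in the bytes. Nothing here touches the TLS payload, which is exactly why it does not trip certificate warnings; the moment the relay rewrites anything inside the session, the answer's point about needing a locally trusted CA applies.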