8

I've been searching for many hours now for a way to set up a transparent proxy for SSL (not Squid). The general answer is that I can't, but I know there are some ways. My purpose is only the following:

  1. Blacklist/whitelist domain names (not IP numbers). Content won't be filtered or modified at all.
  2. Force users through these lists. If I modify such settings in the web browsers, they can just undo it.

The following page says I could pass the traffic unmodified, but it doesn't say how: iptables https transparent proxy with privoxy?

The following page shows an iptables rule for 443 which I myself couldn't get to work: http://alien.slackbook.org/dokuwiki/doku.php?id=slackware:proxy

The following page tells how to get this to work only with Squid: http://www.rahulpahade.com/content/squid-transparent-proxy-over-ssl-https

EDIT: One person says here: How do I use IPTABLES to create a HTTPS (443) passthrough around Squid? "The best thing for you to do is to block direct access to port 443 and tell your users that if they want to use HTTPS, they must configure their browser to use the proxy." But I only know how to block 443 completely, not how to make it work through a proxy.

admirabilis

4 Answers

7

If you want to filter on domain names, you have two possible ways: you could take the name from the CONNECT method issued by the client if it knows that it has to use a proxy for HTTPS connections and filter on that one (Squid supports that BTW). Or, if you really really need to do it transparently, you would need to look into the (encrypted) request headers.

If you want to see encrypted request headers, you need to have a key. If you want to have a key, you need a certificate which is a) trusted by the client to be the "correct" certificate and b) certifies every possible host (wildcard-everything).

So what you would need to do is

  1. set up a certificate for your proxy. It depends on your software how to do that - you might use stunnel to terminate the SSL connection at the proxy's side, have some filtering HTTP proxy behind it and re-establish SSL for all outgoing traffic using iptables DNAT targets and stunnel again. There might be "boxed" solutions for MitM SSL proxying as well.
  2. install the aforementioned certificate on all of your clients that are going to use the proxy

Mostly, if you need transparent proxying it is because you do not want or cannot reconfigure the clients to use the proxy. If this is the case with your request as well, you probably would not have the option to install certificates on clients and mark them as "trusted". So even though there is a technical way for transparent SSL proxying, I suspect not much will be won for you.

the-wabbit
  • This was enough to make it very clear to me the facts about transparent proxies. Thank you! – admirabilis Jun 17 '11 at 03:01
  • How do you "... take the name from the CONNECT method issued by the client if it knows that it has to use a proxy for HTTPS connections and filter on that one"? – Big McLargeHuge May 22 '13 at 19:51
  • @davidkennedy85 with Squid pretty much the same way as you would filter for other access methods - just use the ACLs. Example: http://servercomputing.blogspot.de/2012/01/block-facebook-in-squid-proxy-server.html – the-wabbit May 22 '13 at 21:01
  • Your explanation is mostly understandable; I learned a lot. Thanks. One thing I have doubt on is that the hostname (domain name) is known to anyone monitoring the traffic. http://security.stackexchange.com/questions/2914/can-my-company-see-what-https-sites-i-went-to – Albert Netymk Dec 12 '15 at 17:01
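As the last comment notes, the hostname is visible to anyone on the path: it travels unencrypted in the Server Name Indication (SNI) extension of the TLS ClientHello, so a transparent filter can take a domain-level allow/deny decision without decrypting anything or installing certificates. The following Python is an added example, not code from the answer or its author; the blocklist and the ClientHello fixture are constructed here.

```python
import struct

# Constructed blocklist for this example (not from the question).
BLOCKLIST = {"facebook.com", "youtube.com"}

def extract_sni(record: bytes):
    """Return the lower-cased SNI hostname from a TLS ClientHello record, else None."""
    try:
        if record[0] != 0x16:                                 # 0x16 = handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                     # 0x01 = ClientHello
            return None
        pos = 4 + 2 + 32                                      # header, client_version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end <= len(hs):                      # walk the extension list
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5 and hs[pos + 2] == 0:  # server_name, host_name type
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                name = hs[pos + 5:pos + 5 + name_len]
                return name.decode("ascii", "replace").lower() if len(name) == name_len else None
            pos += elen
    except (IndexError, struct.error):                        # truncated or malformed hello
        pass
    return None

def is_blocked(hostname, blocklist=BLOCKLIST):
    """Match the name and every parent domain: a suffix match, not a substring search."""
    if not hostname:
        return False
    labels = hostname.rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (test fixture)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type = host_name
    sni = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random, empty sid
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                       # one suite, null compression
            + struct.pack("!H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A ClientHello with no SNI, or a truncated one, yields None; a filter that enforces lists should treat that as blocked rather than fall open. Matching on domain suffixes rather than substrings avoids blocking every name that merely contains the string.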
4

I know this is an old question, but if the OP only wants to blacklist/whitelist certain domain names, they don't have to use a proxy at all, they could just use a DNS based blacklist.

  • set up your onsite DNS servers to return 127.0.0.1 for any domain you want to blacklist
  • at your internet gateway block all IPs except your DNS servers from accessing TCP/UDP ports 53, so only your DNS servers can make DNS requests from internet based servers.

Any other domain will be allowed. All web traffic SSL or otherwise will pass through the gateway unchanged.

Edit: Seeing as the OP is prepared to force users through his lists, he can block other methods of accessing DNS. This way, if the user tries to use one of those other DNS methods that are blocked, the websites just will not work. aka 'My way or the highway'

For DNS-over-HTTPS that @wheeler mentioned, you can just block regular DNS lookups to sites such as https://dns.google.com and https://cloudflare-dns.com/dns-query and https://doh.cleanbrowsing.org/doh/family-filter/. Though this will quickly become untenable as more and more services come online.

You may also need a way of blocking MIME types such as application/dns-udpwireformat for other methods of DNS being developed.

BeowulfNode42
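The first bullet of this answer, as an added Python example that is not part of the answer: a resolver front-end that answers A queries for blocklisted names with 127.0.0.1 and hands everything else back to the caller for normal forwarding. The blocklist and the query fixture are constructed here.

```python
import struct

# Constructed blocklist for this example (not from the answer).
BLOCKLIST = {"facebook.com", "youtube.com"}
SINKHOLE = "127.0.0.1"   # the answer's choice: point blocked names at the client itself

def parse_question(query: bytes):
    """Return (qname, qtype, end_offset) for the first question in a DNS query."""
    labels, pos = [], 12                                    # question follows the 12-byte header
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                                   # compression pointers are not valid here
            raise ValueError("compressed qname")
        labels.append(query[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype = struct.unpack("!H", query[pos:pos + 2])[0]
    return ".".join(labels), qtype, pos + 4                 # skip qtype and qclass

def is_blocked(name, blocklist=BLOCKLIST):
    labels = name.split(".")                                # suffix match on the name and its parents
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def sinkhole_response(query: bytes):
    """Answer a blocked A query with SINKHOLE; return None so the caller forwards anything else."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:                      # a response, or an unusual query
        return None
    qname, qtype, qend = parse_question(query)
    if qtype != 1 or not is_blocked(qname):                 # only A records are sinkholed here
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR|RD|RA, NOERROR, one answer
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in SINKHOLE.split("."))
    return header + query[12:qend] + answer                 # echo the question, append the A record

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a standard recursive A query (test fixture)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def answer_ip(response: bytes) -> str:
    """Extract the dotted IPv4 from a one-answer response (test helper)."""
    return ".".join(str(b) for b in response[-4:])
```

The second bullet still applies: without the gateway rule restricting port 53 to your own resolvers, clients simply ask another server.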
2

Delegate can work as Man-In-The-Middle proxy for HTTPS.

AlexD
  • Thank you, it does indeed, but I couldn't get it to work! It seems it needs different iptables rules than the ones for port 80, or there's some option I can't figure out for Delegate. – admirabilis Jun 17 '11 at 04:38
1

For transparent mode, an inline IPS (Suricata, Snort) can help you block SSL sites.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux

Block SSL Site Rules for Specific User:

drop ip any 443 -> 192.168.3.x any (content:".facebook.com"; msg:"Simplewall block facebook.com  ";sid:7;rev:1;)

drop ip any 443 -> 192.168.3.204 any (content:".youtube"; msg:"Simplewall block youtube.com" ;sid:4;rev:1;)

Block File Download Rules Based on Extensions:

drop ip any any -> 192.168.3.63 any (msg:"File exe block"; fileext:"exe"; filestore ;sid:1;rev:1;)

drop ip any ssl -> 192.168.3.63 any (msg:"File mp3 block"; fileext:"mp3"; filestore ;sid:11;rev:1;)

drop ip any ssl -> 192.168.3.63 any (msg:"File pdf block"; fileext:"pdf"; filestore ;sid:21;rev:1;)

Try this out with SimpleWall

It's very, very simple to add a block rule with the Simplewall web interface.

You can also add rules under Simplewall => Content Filter, using the same rules for the IPS along with the HTTP content filter.

Alexis Tyler