Block all non-HTTPS traffic when browsing

0

I am trying to get approval for a firewall rule from an external Windows system into our company network to access a proxy to get back out to the Internet. My needs will involve use of a web browser, for example to provide username/password. My company requires all firewall rules have only encrypted traffic passing through them. While the transport to the proxy is itself unencrypted, the approvers have clarified that as long as the packets going through the firewall are themselves encrypted (e.g. accessing TLS-based (HTTPS) websites) it is acceptable.

My question is, how can I ensure that when browsing, only requests with HTTPS traffic are permitted?

The drastic solution is to only use curl and/or wget, parsing the HTML manually and sending requests manually based on the responses, ensuring each time that HTTPS is used. Besides the obvious amount of time this would take, it would also mean that JavaScript-enabled pages, etc., would not work as expected.

I am open to a range of solutions such as:

  1. Firefox/Chrome plugins
  2. Running a local proxy (such as CNTLM) on the external machine which only forwards to the remote proxy if the URL matches a pattern (I had a look at the CNTLM manual but I can't find that it lists any command-line or configuration option to only allow certain URL patterns)
  3. Using a special browser which would provide this kind of option
  4. Is there a way to configure a proxy tunnel (bearing in mind it would have to be available on Windows) which encrypts the traffic on one side and decrypts it on the other side? Then none of this would be necessary.

Note that I don't need to worry about traffic sent by applications other than my web browser, as this is only applicable where I have specifically configured the proxy in that application.

Kidburla

Posted 2018-05-09T12:26:13.710

Reputation: 464

Answers

1

Is there a way to configure a proxy tunnel (bearing in mind it would have to be available on Windows) which encrypts the traffic on one side and decrypts it on the other side, then none of this would be necessary

Yes – most commonly you would use a VPN for this (such as IKEv2, OpenVPN, or some proprietary product) as it encrypts all IP traffic and isn't limited to just HTTP. It is very common for people on external networks to connect back to their company's LAN using VPN software.

There is also software which tunnels individual TCP connections over TLS, such as stunnel.

I would suggest that requiring a VPN or another secure transport is the best method because it enforces the policy on the company's side and avoids accidents such as the client losing/"forgetting" its configuration.

On the other hand, VPN'ing into the company network only secures traffic between you and the proxy, but does nothing to enforce that requests forwarded out by the proxy are secure. (I don't know if your policy is about incoming connections only or outgoing ones as well.) If that is a requirement, it should be implemented on the proxy itself.

Firefox/Chrome plugins

For manual configuration, Firefox supports separate proxy server addresses for HTTP and HTTPS ("SSL"); it used to have extensions for configuring this per-site.

Many browsers support a PAC file which can have custom logic for proxy selection based on URL.

user1686

Posted 2018-05-09T12:26:13.710

Reputation: 283 655

Typically VPN software requires you to configure a virtual network adapter which all your traffic passes through; unfortunately I don't have permissions to do that on the source system. The tool stunnel sounds interesting; can you provide more detail as to how to set this up with a proxy? Do I need to have stunnel running on both my source system and on the internal network where the encryption tunnel will terminate? How then to forward traffic from there to the proxy? PS: thanks also for the tip about FF settings; I believe that could work although it's not as robust (as you said) – Kidburla – 2018-05-09T15:06:45.947

Basically I need a local server running on my external system which appears to clients (software) to be a plain HTTP proxy - it then takes packets it receives, encrypts them, sends them to the internal network, where another program picks them up, decrypts them, and forwards them to the "real" proxy. I can't find in the stunnel documentation how to set it up to look like a plain HTTP proxy; usually it is set up to look like an HTTPS web server... – Kidburla – 2018-05-09T15:09:48.767

stunnel doesn't "look like" anything – it is for tunnelling arbitrary TCP services, what goes in one end comes through the other. So clients just get whatever is on the other end, could be HTTP, could be SMTP, could be IRC. (Or more specifically, stunnel simply adds/removes TLS, so you need a configuration that adds TLS on the proxy side, and a configuration that removes TLS on the client side.) – user1686 – 2018-05-09T15:34:38.840
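As an added illustration of the PAC-file approach mentioned in the answer (this is example code, not from the answer or from any of the tools named in the thread): a PAC script that hands only https:// (and wss://) URLs to the company proxy and refuses everything else by pointing it at a local port where nothing listens, so a plain-http request fails instead of leaking through the firewall rule. The proxy host and port are placeholders; if the hop to the proxy is wrapped with an stunnel client as discussed in the comments, the placeholder would be the stunnel client's local listener instead.

```javascript
// Placeholder for the real internal proxy (or the local stunnel listener).
var COMPANY_PROXY = "PROXY proxy.example.internal:3128";

// Refuse by proxying to a loopback port with no listener: the browser gets
// "connection refused" rather than silently falling back. Never return
// "DIRECT" here, since that would let cleartext bypass the proxy entirely.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// Return true only for URL schemes that carry TLS end to end (the proxy
// then only sees a CONNECT and an encrypted byte stream).
function isTlsScheme(url) {
  var colon = url.indexOf(":");
  if (colon < 0) {
    return false; // malformed URL, treat as not encrypted
  }
  var scheme = url.substring(0, colon).toLowerCase();
  return scheme === "https" || scheme === "wss";
}

// Standard PAC entry point called by the browser for every request.
// Note: modern browsers strip path and query from https URLs before
// calling this, but the scheme is always present, which is all we need.
function FindProxyForURL(url, host) {
  if (isTlsScheme(url)) {
    return COMPANY_PROXY;
  }
  // http:, ws:, ftp: and anything else is refused.
  return BLACKHOLE;
}
```

This only enforces the rule inside the browser that loads the PAC file; as the answer notes, the robust place for the policy is the company's side (a TLS tunnel or the proxy itself).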