HandyCache forum
Author Topic: Transparent Https with mikrotik (Read 8362 times)
pdionisis
Newbie
Reputation: +0/-0
Posts: 9

« 07 March 2017, 19:43:13 »

Hello

I want to block all outgoing http and https traffic with the mikrotik firewall and redirect it to the Handycache machine.

Handycache is 192.168.100.27 port 8080 and I have checked the ssl handling.
When I specify the handycache as proxy, it works as expected (more or less) including https.
When I use mikrotik to redirect tcp port 80 to handycache (http) everything works as expected.

BUT

when I use the same rule to redirect tcp port 443 (https) to handycache it seems that handycache
does not accept it (I see no connections at the monitor), although mikrotik reports that it has
redirected the packet.

Any help?
Should I do something special at handycache to accept redirected https packets?


I use the following commands at mikrotik.

;;; Redirect http to proxy
      chain=dstnat action=dst-nat to-addresses=192.168.100.27 to-ports=8080 protocol=tcp src-address=!192.168.100.27 in-interface=i219 dst-port=80 log=no log-prefix=""

;;; Redirect https to proxy
      chain=dstnat action=dst-nat to-addresses=192.168.100.27 to-ports=8080 protocol=tcp src-address=!192.168.100.27 dst-port=443 log=no log-prefix=""

zed
Full Member
Reputation: +4/-0
Posts: 141

« Reply #1: 07 March 2017, 23:22:47 »

I think that there is nothing that you can do, because this is an HC issue.

Now, HC expects that the client (browser) knows that it will work with a proxy server, and it will first send a CONNECT request to the proxy to establish a secure tunnel.

To accept redirected requests from clients that don't know anything about a proxy, HC should listen for incoming requests on some other port (443 for example) and accept all requests directly. And, of course, listening on this port makes sense only if SSL handling is enabled.

Implementation of this feature is pretty simple, so you should ask mai62 to add it.

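To make the difference zed describes concrete, here is an added example (not HandyCache or MikroTik code) that looks at the first bytes a proxy port receives: a proxy-aware browser opens with an HTTP CONNECT line naming the destination, while a connection dst-nat'ed from port 443 starts with a raw TLS ClientHello, where the only remaining hint of the original destination is the SNI name, since dst-nat has already rewritten the IP and port. The ClientHello builder and the CONNECT line are constructed sample inputs.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only a server_name extension."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, type, name len
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext                  # ext type 0, ext len
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, 32-byte random, empty session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"         # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)        # extensions length + extensions
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: handshake, TLS 1.0 header

def parse_sni(rec: bytes):
    """Walk a ClientHello record to the server_name extension; None if absent."""
    p = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    p += 1 + rec[p]                                     # session id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]       # cipher suites
    p += 1 + rec[p]                                     # compression methods
    end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]  # end of extensions block
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        p += 4
        if etype == 0:                                  # server_name: list len(2), type(1), len(2), name
            nlen = struct.unpack("!H", rec[p + 3:p + 5])[0]
            return rec[p + 5:p + 5 + nlen].decode()
        p += elen
    return None

def classify(first_bytes: bytes):
    """('connect', host, port) for an explicit proxy request, ('tls', sni) for a
    transparently redirected HTTPS connection, ('unknown', None) otherwise."""
    if first_bytes.startswith(b"CONNECT "):
        target = first_bytes.split(b" ", 2)[1].decode()
        host, _, port = target.rpartition(":")
        return ("connect", host, int(port))
    if len(first_bytes) > 5 and first_bytes[0] == 0x16 and first_bytes[5] == 0x01:
        return ("tls", parse_sni(first_bytes))
    return ("unknown", None)

if __name__ == "__main__":
    print(classify(b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"))
    print(classify(build_client_hello("example.com")))  # what the dst-nat'ed port 443 flow looks like
```

A listener that only understands the first form will simply close or ignore the second, which matches the "no connections at the monitor" symptom in the question.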
pdionisis
Newbie
Reputation: +0/-0
Posts: 9

« Reply #2: 08 March 2017, 10:16:34 »

THANK YOU zed

PLEASE mai62 consider enabling this function.

It is critical not only for me but also for many others who have a firewall and want to block
programs that bypass the proxy and talk directly to the internet.

Some of them do not have an option to specify a proxy and some others do it on purpose.

(Looking at the connections at my firewall I see many unrecognized connections from programs
that try to connect directly to the internet. For example a new LG smart TV that tries to connect to
the central office of the manufacturer.....)

Thank You
Posted on: 08 March 2017, 09:37:53

Do you know if using a program like proxifier would work?
Or does proxifier work only for connections from the same pc (not for incoming connections)?

Is it possible to run proxifier together with handycache on the same machine and have the mikrotik (firewall) redirect https traffic
from all the network to this machine?
The redirected https traffic would come from mikrotik to proxifier and then be redirected again to handycache?