Ssl – iptables https transparent proxy with privoxy

httpsiptablesport-forwardingssl

So I have a privoxy running (on port 8080) on a box acting as a router. My goal is to route all HTTP & HTTPS traffic through privoxy on there. HTTP works with the following command

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

However, it doesn't work for port 443.

To get HTTP to work, I had to set privoxy's config for "accept-intercepted-requests" to be 1. Is there a similar option to intercept HTTPS requests?

I know setting the proxy settings on Firefox works, but it would be easier if the proxy is transparent. Thanks.

Best Answer

A primary purpose of HTTPS is to prevent "man-in-the-middle", which is exactly what a transparent proxy like this is trying to do. To do so, you'd need to have a certificate valid for everything or a system to generate certificates on the fly. In either case you're going to need an internal CA (no already-trusted external one will give you a cert for anything you don't control) and to install that root as trusted in all systems behind the proxy.

Configuration of the browser proxy option will likely be a more reasonable task. It may be possible to do this through some sort of proxy auto-configuration, but I wouldn't be surprised if it's not possible for security reasons (I've never really investigated proxy autoconfig before).

Related Solutions

Transparent SSL Proxy – Myths and Facts

If you want to filter on domain names, you have two possible ways: you could take the name from the CONNECT method issued by the client if it knows that it has to use a proxy for HTTPS conenctions and filter on that one (Squids supports that BTW). Or, if you really really need to do it transparently, you would need to look into the (encrypted) request headers.

If you want to see encrypted request headers, you need to have a key. If you want to have a key, you need a certificate which is a) trusted by the client to be the "correct" certificate and b) certifies every possible host (wildcard-everything).

So what you would need to do is

set up a certificate for your proxy. It depends on your software how to do that - you might use stunnel to terminate the SSL connection at the proxy's side, have some filtering HTTP proxy behind it and re-establish SSL for all outgoing traffic using iptables DNAT targets and stunnel again. There might be "boxed" solutions for MitM SSL proxying as well.
install the aforementioned certificate on all of your clients that are going use the proxy

Mostly, if you need transparent proxying it is because you do not want or cannot reconfigure the clients to use the proxy. If this is the case with your request as well, you probably would not have the option to install certificates on clients and mark them as "trusted". So even though there is a technical way for transparent SSL proxying, I suspect not much will be won for you.

Iptables – Redirect OpenVPN gateway traffic to Privoxy

You can push proxy configuration to the OpenVPN clients.

From the OpenVPN Access Server web interface go to Advanced VPN Settings → Server Config Directives and enter the following directive with your proxy ip/port info.

push "dhcp-option PROXY_HTTP 111.222.333.44 8118"

I am not sure if all OpenVPN clients support this config. But on IOS it works well.

Best Answer

Related Solutions

Transparent SSL Proxy – Myths and Facts

Iptables – Redirect OpenVPN gateway traffic to Privoxy

Related Topic