Transparent proxy for HTTPS

[luce...@gmail.com]

Hi,

I installed last stable version (3.1.2) with option --enable-sslmitm. I configured every params with SSL in config. I've generated every certifikates with certtool. I have redirect in iptables 80->8080 and 443->8080. And transparent proxy doesn't work :(. In Firefox is error: Error code: ssl_error_rx_record_too_long.

But what is interesting, manual proxy is working.

Could you help me what is wrong with this transparent mode ?
Thanks.

[Philip]

Currently, https transparent mode is not supported but only explicit https proxy.

Only http transparent mode is supported at the moment.

Regards
Philip

[luce...@gmail.com]

On Wednesday, April 22, 2015 at 3:59:32 PM UTC+2, Philip wrote:
> Currently, https transparent mode is not supported but only explicit https proxy.
>
> Only http transparent mode is supported at the moment.
>
> Regards
> Philip
>

Thanks for answer. Do you know possibly if Dansguardian had this feature ?

[Philip Pearce]

No, Dansguardian does not support transparent HTTPS filtering.

In fact, the MITM code included in DG was incomplete and broken and I have had to completely change the MITM logic flow and make many changes and additions to the code in order to get MITM working.

We have transparent https filtering on the longer term wish list. The main reason for this is that it will require major changes to the main logic flow in e2g.      Adding explicit https filtering does not require this.

Currently, I am working on tidying/completing the explicit https MITM filtering code so that this feature can be part of the next stable e2g release.

Regards
Philip Pearce

 

[num...@free.fr]

Hi Philip,

If you don't have enough time now, maybe we should just release a version with SSLMITM (explicit HTTPS proxy only), because there are a lot of fixes in dev branch now

Fred

[luce...@gmail.com]

Thanks for answer. Do you know possibly when new release (with MITM HTTPS) is planning ?

[D Lu]

Hello,

I have the same problem, but I already configured firefox to use my proxy's IP and port 

[D Lu]

Additional information

I already have the latest version. I am using tinyproxy.

e2guardian 4.1.3

Built with:  '--prefix=/usr' '--enable-clamd=yes' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--enable-trickledm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--enable-pcre=yes' '--enable-sslmitm=yes' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS=' 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -Wall -O2'

I have followed the instructions here
https://github.com/e2guardian/e2guardian/wiki/MITM---Filtering-HTTPS

these files are in /etc/e2guardian/certs
-rw-rw-rw- 1 e2guardian e2guardian 1907 Nov 17 09:51 my_rootCA.crt

-rw-rw-rw- 1 e2guardian e2guardian 1367 Nov 17 09:52 my_rootCA.der

-rw-rw-rw- 1 e2guardian e2guardian 3243 Nov 17 09:52 private_cert.pem

-rw-rw-rw- 1 e2guardian e2guardian 3243 Nov 17 09:51 private_root.pem

I also copied my_rootCA.crt on my home directory with e2guardian as owner for installation on browsers.

I also have already tried transparent proxy (using WPAD on Ubuntu) and explicit proxy.

But from e2guardian logs I still get this error,
"Nov 17 11:04:41 diana-All-Series user.info e2guardian[25163]: 2017.11.17 11:04:41 - 192.168.5.200 https://clients1.google.com:443 *DENIED* Failed to negotiate ssl connection to client CONNECT 0 0 SSL SITE 1 200 - - no_mame_group - -"

Is there any step I am missing?

[FredB]

Transparent proxy is not supported yet

In explicit mode do you have some informations in syslog ?

[Kumar M]

Is there any timeline to support transparent https filtering as this was in wishlist since long time?

[FredB]

Philip is is working on it, ICAP and Transparent should be works on next major release

[D Lu]

Hello FredB, please help me understand the logic why transparent https filtering is not working on e2guardian v4 and below. If I get it right, the only difference between transparent and explicit proxy is the addition of firewall which redirects the traffic to e2guardian port. Your information is highly appreciated as I am looking for a work around to make this work on OpenWRT.

P.S. we cannot compile e2guardian v5 on our device because we're using an old mips gcc version

[FredB]

> Hello FredB, please help me understand the logic why transparent
> https filtering is not working on e2guardian v4 and below. If I get
> it right, the only difference between transparent and explicit proxy
> is the addition of firewall which redirects the traffic to
> e2guardian port. Your information is highly appreciated as I am
> looking for a work around to make this work on OpenWRT.

It's not totally right transparent proxy works with v4, but not for HTTPS websites
In this case the situation is really different for the browser because the proxy is unknown.

There is no solution, the proxy must be able to capture and redirect the SSL traffic
An encrypted session is established between browser and remote webserver and for that it uses certificate with public and private key pairs.

So I'm sorry but you have not many choices

- Filtering only HTTP and let HTTPS (with iptable rules)
- Upgrade to v5
- Use implicit proxy mode

Fred