Welcome, Guest. Please login or register.
Did you miss your activation email?
Wednesday 27 November 2024, 09:50:42 pm

Login with username, password and session length

Visit the Official Endian Bug tracker  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  EFW SMTP, HTTP, SIP, FTP Proxy Support
| | |-+  Endian 3.x How to bypass transparent proxy for https
0 Members and 3 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Endian 3.x How to bypass transparent proxy for https  (Read 64758 times)
mr626
Jr. Member
*
Offline Offline

Posts: 2


« on: Thursday 20 February 2014, 11:34:34 am »

Hello all,

To start with, some information about what I am using:

-Endian Community Firewall 3.0 (latest version at time of writing)
-Running on a computer with a single network interface

-Endian is configured as follows for networking:
--RED zone is set to 'gateway' and is given the proper gateway IP address for the network that it is on (192.168.2.253) as well as valid DNS server IP addresses
--GREEN zone is set to 192.168.2.248
--Client computer (been used for testing) is given a valid static IP address and subnet mask, and has it's gateway IP address set to 192.168.2.248 (the GREEN zone IP address of the Endian box)

-Proxy is configured as follows:
--Proxy is turned on, set to transparent mode
--Standard port settings
--Access policy has been created for 'unfiltered access' (for testing purposes)
--HTTPS proxy is turned On

With this configuration, everything works from the client computer. HOWEVER whenever I browse to a website that uses HTTPS I get a certificate warning in the browser (due to the HTTPS proxy being on and using a certificate created by Endian).

I really don't want to have users to see all these certificate warnings- if nothing else it trains them to ignore what is potentially a real security issue.

On the other hand, if I turn off the HTTPS proxy in Endian, and leave the HTTP proxy in transparent mode, no HTTPS page will load.

BUT, if I change the proxy in Endian to non-transparent (while still leaving HTTPS proxy off) and then point the browser on the client computer to the proxy IP/port (in my case 192.168.2.248:8080) EVERYTHING work- HTTP pages work and are filtered, HTTPS pages work and are not filtered.

My question is this- how can I achieve a transparent proxy on Endian, while allowing HTTPS pages to bypass the filter (as they appear to do when you run the Endian proxy in non transparent mode)?

Thanks


Logged
mr626
Jr. Member
*
Offline Offline

Posts: 2


« Reply #1 on: Thursday 20 February 2014, 12:47:50 pm »

Ah, I guess it shows that this is my first time playing with a transparent proxy- of course HTTPS traffic can't work with a transparent proxy!

I think that maybe a .pac file might be the way forward for what I want to achieve.

I do wonder though, with more and more webpages running over HTTPS now, what is the point of a transparent proxy?
Logged
kieronrob
Full Member
***
Offline Offline

Gender: Male
Posts: 57


« Reply #2 on: Friday 21 February 2014, 12:12:11 am »

Hi

HTTPS proxy will work in transparent mode but each client machine will need to have the certificate of the EFW in their trusted store in order to avoid the security warning.

Remember, transparent or not the proxy breaks the HTTPS standard by intercepting the traffic and acting as a "man in the middle" using its certificate to re-encrypt the outgoing traffic.

If you have a signed cretificate from an SSL provider you can load it on the EFW and all your clients or use one created on the firewall.

Read up on the squid HTTPS proxy on the web and you will understand the limitations of this solution.

This is not something unique to EFW - any product that uses HTTPS proxies faces the same issue.
Logged
ECB
Jr. Member
*
Offline Offline

Posts: 3


« Reply #3 on: Thursday 27 March 2014, 10:11:21 pm »

Hello all,

To start with, some information about what I am using:

-Endian Community Firewall 3.0 (latest version at time of writing)
-Running on a computer with a single network interface

-Endian is configured as follows for networking:
--RED zone is set to 'gateway' and is given the proper gateway IP address for the network that it is on (192.168.2.253) as well as valid DNS server IP addresses
--GREEN zone is set to 192.168.2.248
--Client computer (been used for testing) is given a valid static IP address and subnet mask, and has it's gateway IP address set to 192.168.2.248 (the GREEN zone IP address of the Endian box)

-Proxy is configured as follows:
--Proxy is turned on, set to transparent mode
--Standard port settings
--Access policy has been created for 'unfiltered access' (for testing purposes)
--HTTPS proxy is turned On

With this configuration, everything works from the client computer. HOWEVER whenever I browse to a website that uses HTTPS I get a certificate warning in the browser (due to the HTTPS proxy being on and using a certificate created by Endian).

I really don't want to have users to see all these certificate warnings- if nothing else it trains them to ignore what is potentially a real security issue.

On the other hand, if I turn off the HTTPS proxy in Endian, and leave the HTTP proxy in transparent mode, no HTTPS page will load.

BUT, if I change the proxy in Endian to non-transparent (while still leaving HTTPS proxy off) and then point the browser on the client computer to the proxy IP/port (in my case 192.168.2.248:8080) EVERYTHING work- HTTP pages work and are filtered, HTTPS pages work and are not filtered.

My question is this- how can I achieve a transparent proxy on Endian, while allowing HTTPS pages to bypass the filter (as they appear to do when you run the Endian proxy in non transparent mode)?

Thanks




I had this EXACT same issue yesterday and understand what you're trying to do. For those who recommend loading the SSL cert - he doesnt want to enable HTTPS proxy. With HTTPS proxy disabled by default endian should be routing the traffic to port 443 through red without any interception

After tinkering and whacking my install yesterday I formatted/reloaded and re-enabled Proxy,transparent in sequence and HTTPS is passing as expected now without being intercepted Smiley
Logged
nicolethomson
Full Member
***
Offline Offline

Posts: 27


« Reply #4 on: Tuesday 11 November 2014, 12:11:39 pm »

"formatted/reloaded and re-enabled Proxy,transparent in sequence and HTTPS is passing as expected now without being intercepted"

So there is noway to avoid this scenario?

even now i am having the issue, but certain sites (esp in amazon cloud) doesnt even getting resolved.
Logged
phqr58
Full Member
***
Offline Offline

Gender: Male
Posts: 31


« Reply #5 on: Wednesday 11 February 2015, 03:54:56 pm »

In this page it is possible to configure the proxy server for the scan of SSL-encrypted traffic, i.e., traffic through the 443 port. When enabled, squid will intercept all clients’ requests and forward them to the remote server, like in the case of HTTP requests. The only difference is that for HTTPS requests, an ‘intermediate’ certificate is needed for the client to connect via HTTPS to the Endian UTM Appliance, which then can deliver the request, retrieve the remote resource, control it, and then send it to the client who requested it.

There are three available settings in this page, divided in two parts: The first one allows the set up the HTTPS proxy, whereas the second one is used to manage the Endian UTM Appliance‘s certificate.

Enable HTTPS Proxy
Tick this checkbox to activate the HTTPS proxy. The next option will appear.
Accept every certificate
This option allows the Endian UTM Appliance to automatically accept all the certificates from the remote server, even those that are not valid or outdated.
Entries in the HTTPS proxy white-list.

When the entry is an IP address, HTTPS traffic directed to that IP will not pass from the HTTPS proxy. When the entry is a domain name, like e.g., www.example.org only that site will be bypassed. However, when using a dot . at the beginning of a domain name, all the traffic to that domain and all its subdomains will be allowed.

Examples:

93.184.216.119   allow only site https://93.184.216.119/
www.example.org  allow only site https://www.example.org/
.example.org     allow all sites ending with .example.org, like e.g.,
                 https://www.example.org/index.html
                 https://mail.example.org/mail.html
                 https://www.news.example.org/news.html
                 and so on.
Bypass HTTPS proxy for destinations
Write in the textfield the IP address or domain name of the remote web sites that should be skipped by the HTTPS proxy, one per line.
To activate the HTTPS proxy, click on Save and wait a few seconds.

The lower part can be used to either upload a certificate that will be used by the Endian UTM Appliance or to generate a new one, that will replace the one already present, if any.

Upload proxy certificate
To use an existent certificate, click on Browse..., choose the certificate on the local hard disk, then click on Upload to copy the certificate to the Endian UTM Appliance.
Create a new certificate
To create a new certificate from scratch, click on this button. A confirmation dialog box appears, requiring a confirmation. Clock on OK to proceed or on Cancel to close the dialog box and go back.
After the certificate has been uploaded or created, a new option in the form of a hyperlink will appear next to the Upload proxy certificate label:

Download
Click this hyperlink to download the certificate, which will be needed by the the clients.
Logged
dda
Sr. Member
****
Offline Offline

Posts: 227


« Reply #6 on: Friday 24 June 2016, 01:22:38 am »

I am having a problem where Certificate Manager no longer accepts the downloaded Endian certificate as a Trusted Root Authority, is any else having this problem?
Logged
dda
Sr. Member
****
Offline Offline

Posts: 227


« Reply #7 on: Friday 24 June 2016, 06:10:05 am »

Ok solved it...you have to expand trusted root authorities and put select local computer instead on some versions of windows.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.172 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com