On 06/09/2017 02:43 PM, Philip Le Riche wrote:
> A student at school is working on getting Alexa working on a
> Raspberry Pi. I've done it on one of my Pis and it works at home,
> but not at school, I think because of the school web proxy. There
> seems to be a paucity of information about proxy settings for
> Alexa, and it doesn't appear to respect the system proxy settings
> in /etc/environment.
>
> The Pi network is behind a Shorewall firewall to protect the
> school network. So in a flash of inspiration, I thought I could
> simply DNAT the http requests hitting Shorewall as default gateway,
> so automatically redirecting them to the school proxy. That works
> for http, but not for https.
>
> After a little bit of digging to find out how a proxy functions
> for https it became obvious that a simplistic DNAT couldn't work.
> It seems that a browser, knowing that it's going through a browser,
> first sends an unencrypted http CONNECT command before negotiating
> the ssl tunnel.
>
> But would it be possible to somehow configure Shorewall, on receipt
> of a tcp:443 connection request, to inject the CONNECT command into
> the stream before starting to relay the ssl dialogue, quoting the
> pre-DNAT destination ip address? How (in outline) could you achieve
> that?

See
http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https

-Tom
-- 
Tom Eastep           \   Q: What do you get when you cross a mobster with
Shoreline,           \      an international standard?
Washington, USA      \   A: Someone who makes you an offer you can't
http://shorewall.org \      understand
                     \_______________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
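
The exchange described in the question, as an added example that is not part of the original thread or of Shorewall: a relay on the firewall host recovers the pre-NAT destination of an intercepted tcp:443 connection and sends the CONNECT itself before any TLS bytes are relayed. It assumes the connections are delivered to the relay by a REDIRECT rule on the same host (so `SO_ORIGINAL_DST` is available) and that the proxy permits CONNECT to a bare IP address; all function names are illustrative.

```python
import socket
import struct

SO_ORIGINAL_DST = 80  # linux/netfilter_ipv4.h; the socket module does not export it


def decode_original_dst(raw: bytes) -> tuple[str, int]:
    """Decode the 16-byte sockaddr_in returned for SO_ORIGINAL_DST."""
    port, addr = struct.unpack("!2xH4s8x", raw)  # skip family; port/addr are big-endian
    return socket.inet_ntoa(addr), port


def original_dst(client: socket.socket) -> tuple[str, int]:
    """Pre-NAT destination of a connection that a REDIRECT rule delivered to us."""
    return decode_original_dst(client.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def build_connect(host: str, port: int) -> bytes:
    """The plaintext request a proxy-aware client sends before the TLS handshake."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def parse_connect_reply(buf: bytes):
    """Return (status, leftover) once the header block is complete, else None."""
    head, sep, leftover = buf.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers not finished yet, caller must read more
    parts = head.split(b"\r\n", 1)[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("proxy reply is not an HTTP status line")
    return int(parts[1]), leftover


def negotiate(upstream: socket.socket, dst: tuple[str, int]) -> bytes:
    """Open a tunnel to dst over a socket already connected to the proxy.

    Returns bytes received after the proxy's headers (to be forwarded to the
    client); raises ConnectionError unless the proxy answers 2xx."""
    upstream.sendall(build_connect(*dst))
    buf = b""
    while (reply := parse_connect_reply(buf)) is None:
        chunk = upstream.recv(4096)
        if not chunk or len(buf) > 16384:
            raise ConnectionError("no complete CONNECT reply from proxy")
        buf += chunk
    status, leftover = reply
    if not 200 <= status < 300:
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    return leftover
```

After `negotiate()` returns, the relay copies bytes in both directions unchanged. The proxy sees only the destination IP and port in the CONNECT line, not a hostname, so hostname-based filtering rules on the proxy will not match.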
