On Sat, Jun 10, 2017 at 09:05:49PM +0100, Philip Le Riche wrote:
> Thank you Tom. I'd seen that there were various guides around for using
> Squid as an intercepting proxy, but I don't want to crack open the ssl,
> and anyway, since I can't find how to make Alexa use a proxy, I'm not
> sure it'd be any easier to find its certificate store in order to inject
> a squid certificate.
>
> All I want to do is get Shorewall (or something running on the Shorewall
> server) to field 443 connections and insert an http CONNECT verb before
> relaying all subsequent traffic to the school proxy. If Shorewall
> doesn't itself offer such a function I presume I could use it to DNAT
> https to localhost and set up a Perl script to listen on localhost:443
> then open an onward connection to the school proxy, inserting the
> CONNECT verb before the outgoing traffic. Unless I've totally
> misunderstood how an https proxy works.
I don't think this can be done. If the client expects to make an https connection directly to the server, it tries to connect to the IP of the server. If you intercept it with the firewall to redirect it to something, you need to then somehow track where the original destination was, so that you can issue the CONNECT to that target when you receive the intercepted connection. I suppose a program that listens to tcp connections that you could forward to, and checks the connection tracking information might actually be able to do it, but I have never seen such a program, so you would probably have to write one yourself.

> Simply injecting the CONNECT verb before starting the ssl negotiation
> must be pretty much what a browser on the school network does since the
> school proxy doesn't require the installation of a certificate and
> doesn't intercept ssl traffic.

Well you might be able to run squid in transparent proxy mode, have shorewall forward all outbound http/https connections to squid, and then configure squid to forward connections to the other proxy. Works great for http, but for https you do need certificate stuff on the client and squid to make things work. https really only works OK with proxies when the client is explicitly configured to use one.

--
Len Sorensen

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
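A sketch of the kind of program Len describes, added here as an example and not code from this thread, from Shorewall or from Squid. It assumes a Shorewall rule of the form `REDIRECT loc 3129 tcp 443` sends the Alexa's port-443 traffic to a listener on the firewall, that the listener can ask netfilter for the connection's original destination via the Linux `SO_ORIGINAL_DST` socket option, and that the school proxy is reachable at the placeholder address `proxy.school.example:8080`. The shim recovers the original IP:port, sends a plain HTTP `CONNECT` for it to the upstream proxy, and then copies bytes in both directions. TLS stays end-to-end between the client and the real server, so nothing here decrypts or inspects the session, and no certificate has to be installed on the device.

```python
#!/usr/bin/env python3
"""Transparent CONNECT shim (added example, not from the shorewall-users thread).

Flow: client -> [Shorewall REDIRECT 443 -> 127.0.0.1:3129] -> this shim
      -> "CONNECT <orig-ip>:<orig-port>" to the school proxy -> raw relay.
"""
import socket
import struct
import threading

# Value from linux/netfilter_ipv4.h; Python's socket module does not export it.
# Only meaningful on Linux and only for connections that netfilter has DNATed.
SO_ORIGINAL_DST = 80
SOL_IP = getattr(socket, "SOL_IP", 0)

# Both addresses are assumptions for the example, not values from the thread.
UPSTREAM_PROXY = ("proxy.school.example", 8080)
LISTEN = ("127.0.0.1", 3129)


def parse_sockaddr_in(raw):
    """Decode the 16-byte struct sockaddr_in returned by SO_ORIGINAL_DST:
    2 bytes family (host order, ignored), 2 bytes port (network order),
    4 bytes IPv4 address, 8 bytes zero padding. Returns (ip, port)."""
    if len(raw) != 16:
        raise ValueError("expected 16-byte sockaddr_in, got %d bytes" % len(raw))
    port, addr = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(addr), port


def original_destination(conn):
    """Ask netfilter where this REDIRECTed connection was originally headed."""
    return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))


def build_connect_request(host, port):
    """The request a browser sends to an explicit proxy before TLS starts."""
    target = "%s:%d" % (host, port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n"
            "Proxy-Connection: keep-alive\r\n\r\n" % (target, target)).encode("ascii")


def parse_connect_status(status_line):
    """True only for an HTTP/1.x 200 status; 407/403 etc. mean no tunnel."""
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/1.") and parts[1] == b"200"


def read_connect_response(sock):
    """Read the proxy's response headers. Returns (tunnel_ok, bytes_after_headers);
    any bytes after the blank line already belong to the tunnelled stream."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > 65536:
            return False, b""
        buf += chunk
    headers, _, rest = buf.partition(b"\r\n\r\n")
    return parse_connect_status(headers.split(b"\r\n", 1)[0]), rest


def pump(src, dst):
    """Copy bytes one way until EOF, then shut both sockets so the peer thread exits."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(client):
    upstream = None
    try:
        host, port = original_destination(client)
        upstream = socket.create_connection(UPSTREAM_PROXY, timeout=30)
        upstream.sendall(build_connect_request(host, port))
        ok, leftover = read_connect_response(upstream)
        if ok:
            upstream.settimeout(None)
            if leftover:
                client.sendall(leftover)
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            pump(upstream, client)
    except OSError:
        pass
    finally:
        client.close()
        if upstream is not None:
            upstream.close()


def main():
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(LISTEN)
        srv.listen(128)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    main()
```

Two caveats a practitioner would want. First, because the client never spoke to a proxy, the shim only knows the destination IP, so the `CONNECT` names an IP:port rather than a hostname; a proxy that filters or logs by hostname will see the address only (the hostname is inside the TLS ClientHello's SNI, which the shim does not parse). Second, `SO_ORIGINAL_DST` answers only for IPv4 connections that netfilter actually DNATed, so if IPv6 is in play or the REDIRECT rule is missing, `original_destination()` fails and the connection is simply dropped.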
