
I have an Ubuntu 22.04 server, a list of IP addresses of users on my local network, and I want to redirect HTTP/HTTPS traffic from this list to a local informative HTML page, similar to how a hotspot would. I have tried with apache2, squid, wpad (DHCP option 252), and iptables, but I have not been able to make it work. HTTPS does not redirect.

How do I do it?

acgbox
    You have a long string of questions about blocking web content some way or other. This makes me wonder what your end goal is? Maybe it's better to ask for a solution to the *problem* you're attempting to solve, rather than a string of questions focusing on the bits and pieces that *you* think will give you a solution? – vidarlo Nov 30 '22 at 13:59
  • If there is any part of the question that I don't understand, I am happy to explain. – acgbox Dec 01 '22 at 21:29
  • Well, as I allude to: what is your end goal? What is your environment? What are your constraints? You've previously ruled out SSL Bump in squid, so how do you expect to be able to MITM content? – vidarlo Dec 01 '22 at 21:35
  • What is your end goal? This is described in the question (show the end user a static HTML informative page when the HTTPS block occurs). What is your environment? This is described in the question (Ubuntu 22.04). Regarding squid-ssl-bump, it is not an alternative to use. I would appreciate it if you ask things that are not described in the question. Thanks in advance – acgbox Dec 01 '22 at 22:58
  • Well, if ssl bump is not an alternative, what you ask is not possible. However, your end goal is probably to block web content for some reason - informing us of the bigger picture may lead to better solutions. As I wrote, you have a string of questions relating to blocking web content; asking for the overall solution may give you solutions you don't know about. – vidarlo Dec 02 '22 at 06:23
  • @acgbox: this is clearly an [XY problem](https://xyproblem.info/). You are constantly asking us about how to solve those Y problems. This "show the end user a static page" is a Y problem too. So well, what is your X problem? – Nikita Kipriyanov Dec 13 '22 at 10:19
  • @NikitaKipriyanov My X problem is that I can't redirect the HTTPS requests (TCP 443) from the users to the static HTML page. Neither with apache, nor with iptables. I don't mention squid because the answer is ssl-bump and it is not a valid option for me. With HTTP requests (TCP 80) I have no problems. That's why I mention the hotspot, because according to what I've investigated it would be the only way out. Here is another option to do it with wpad (DHCP 252), but I tried it and it didn't work for me. Maybe I did something wrong: https://stackoverflow.com/a/37757337/8747573 – acgbox Dec 13 '22 at 14:12
  • Easy answer: You *want* a captive portal (for a given ACL, for example), but with SSL ("let the portal answer, even if the request originates in SSL"). This is just not possible without breaking SSL (= issuing "own" certificates for given names, trustworthy because of ICA certificate rollout), like *some* enterprise captive portals do. And even then it's tough across all browsers. – bjoster Dec 13 '22 at 17:03
  • @acgbox Well, the answer is you *can't* - by design. Hotspots are not magic, but operating systems tend to probe a http URL to detect captive portals. [Here's the documentation for how Firefox](https://support.mozilla.org/en-US/kb/captive-portal) solves this. But as mentioned by bjoster, it's a tough task, and you may be better served by actually employing a pre-made captive portal solution – vidarlo Dec 13 '22 at 17:41
  • And the wpad (DHCP 252) implementation? https://stackoverflow.com/a/37757337/8747573 – acgbox Dec 13 '22 at 19:27
  • It won't help you. The browser will use your proxy. When your proxy responds with anything but 200 on a CONNECT request, the browser will show the browser's built-in error page. – vidarlo Dec 13 '22 at 21:21

2 Answers


> iptables can't redirect ip:443 to another ip:port (where I have apache2 virtualhost published with the info block page)

You could redirect the TCP/IP stream, but the browser will show a security warning, as you'll be unable to present a valid certificate.

> squid-cache only shows information in the browser when it is an http page with "error page" (Custom error pages not displayed for HTTPS) (for more information check here)

As you note, browsers don't show error pages for TLS; upon receiving anything but a 200 code, they show their own error message.

Almost all traffic today is TLS encrypted, and you can't view it or modify it. That is: You cannot claim you're example.com, nor can you redirect example.com to anything else.

Unless you have total control over the clients, and can install a new root certificate, you can't claim to be example.com.

> PS: In case there is some method to block and display a blocking page that allows https traffic (tcp 443) to go to this page, I would appreciate a detailed explanation with specific examples.

There is no such method that works with modern browsers, and that is not a mistake; it's a design feature of TLS. It's supposed to stop man-in-the-middle attacks - which is essentially what you're attempting to do.

So no, there is no method to achieve what you attempt to achieve. If there was, it'd be a major security problem.

vidarlo
  • That is exactly what I am stating with my question. – acgbox Nov 28 '22 at 21:57
  • It's also the answer to your question, even if you don't like the answer. – vidarlo Nov 28 '22 at 22:07
  • Well, actually, you're wrong. Yes there are methods (I mentioned it in the question), but I can't apply them in my environment – acgbox Nov 28 '22 at 22:12
  • Which methods? Is there *any* modern browser that allows downgrade or unsecured redirects? If so that's certainly a bug. – vidarlo Nov 28 '22 at 22:17
  • Updated question. Negative vote retired. – acgbox Dec 09 '22 at 18:08
  • First of all, completely changing the question after getting answers is generally a bad thing, as it makes the answers look strange. Second, the answer is still *not possible*, **by design**. HTTPS is *designed* not to allow anyone to replace content. – vidarlo Dec 09 '22 at 18:41
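What the answer above does allow is the plaintext half of a captive portal: TCP/80 from the listed clients is DNATed to a local HTTP responder, and because operating systems and browsers probe a plain-HTTP URL to detect a portal, that responder is enough to pop the "sign in to network" sheet and show the block page. TCP/443 from those clients cannot be answered with content; the most a practitioner can do is reject it with a TCP reset so the browser fails fast instead of hanging. The following is an added example, not code from the thread or from any of the tools mentioned in it. It assumes hypothetical firewall rules of the form `iptables -t nat -A PREROUTING -s 192.0.2.10 -p tcp --dport 80 -j DNAT --to-destination 192.0.2.1:8080` and `iptables -A FORWARD -s 192.0.2.10 -p tcp --dport 443 -j REJECT --reject-with tcp-reset`, and the client IPs, portal address and probe paths in it are constructed for illustration.

```python
"""Plain-HTTP captive-portal responder (added example, not from the thread).

Assumed, hypothetical surroundings on the Ubuntu box:
  - NAT sends TCP/80 from the listed client IPs to this process, e.g.
    iptables -t nat -A PREROUTING -s 192.0.2.10 -p tcp --dport 80 \
        -j DNAT --to-destination 192.0.2.1:8080
  - TCP/443 from those IPs is rejected so browsers fail fast, e.g.
    iptables -A FORWARD -s 192.0.2.10 -p tcp --dport 443 \
        -j REJECT --reject-with tcp-reset
TLS is never terminated or spoofed here; this server only sees plaintext HTTP.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed example list of client IPs that must see the block page.
BLOCKED_IPS = {"192.0.2.10", "192.0.2.11"}
PORTAL_PATH = "/blocked"

BLOCK_PAGE = b"""<!doctype html>
<html><head><meta charset="utf-8"><title>Access restricted</title></head>
<body><h1>Access restricted</h1>
<p>Your device is not allowed to browse from this network.</p>
</body></html>
"""

# Paths that common captive-portal probes request over plain HTTP (Android,
# Apple, Firefox, curl-style checks, Windows NCSI). Any answer other than the
# one the probe expects makes the OS treat the network as a captive portal.
PROBE_PATHS = {"/generate_204", "/hotspot-detect.html", "/canonical.html",
               "/success.txt", "/ncsi.txt"}


def decide(client_ip, path, blocked_ips):
    """Pure decision logic, kept separate from the socket handling so it can be
    unit-tested. Returns (status, extra_headers, body)."""
    if path == PORTAL_PATH:
        # The informative page itself; reachable by anyone who lands here.
        return 200, {"Content-Type": "text/html; charset=utf-8"}, BLOCK_PAGE
    if client_ip in blocked_ips:
        # Listed client: redirect everything, probes included. A 302 instead of
        # the expected 204/"Success" is exactly what triggers the portal sheet.
        return 302, {"Location": PORTAL_PATH, "Cache-Control": "no-store"}, b""
    # Unlisted clients should never be DNATed here; answer with a plain 404 so
    # a probe from such a client is not mistaken for a portal.
    return 404, {"Content-Type": "text/plain"}, b"not a portal client\n"


class PortalHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = decide(
            self.client_address[0], self.path, self.server.blocked_ips)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the demo quiet
        pass


class PortalServer(ThreadingHTTPServer):
    def __init__(self, address, blocked_ips):
        super().__init__(address, PortalHandler)
        self.blocked_ips = set(blocked_ips)


def start_portal(blocked_ips, host="127.0.0.1", port=0):
    """Start the responder on a background thread; port 0 picks a free port."""
    server = PortalServer((host, port), blocked_ips)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch(port, path, host="127.0.0.1"):
    """Raw HTTP GET that does not follow redirects, so the caller sees exactly
    what an OS probe would see: (status, Location header or None, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Host": "connectivitycheck.example"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Location"), body


if __name__ == "__main__":
    # Local demo: treat the loopback client as a listed IP.
    server, port = start_portal({"127.0.0.1"})
    for path in ("/generate_204", "/any/site/page", PORTAL_PATH):
        status, location, body = fetch(port, path)
        print(f"{path:16} -> {status} {location or ''} ({len(body)} bytes)")
    server.shutdown()
```

The 302 on the probe path is what makes the client show its captive-portal UI; an HTTPS request from the same client never reaches this code, which is the point the accepted answer makes.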

You can’t both block users and serve them content.

If I wanted people to know they’d been blocked I would probably set up an access control list in my reverse proxy/load balancer and direct clients with banned IP addresses to a static page hosted either internally or with a content delivery network.

Mikael H