Connections from the LAN to the proxy

hi
is it possible to redirect with a firewall rule all connections from the LAN to the proxy?
for example IP
xxx.xxx.xxx.xxx, ports 80 or 443 to the proxy (800)
so that they are no longer found in forward
ty

Hi,

yes, such a firewall rule is possible, but does not really make sense:

If running in “transparent mode”, the proxy will redirect all plaintext HTTP traffic already, hence such a rule would be redundant. For HTTPS, transparently intercepting connections is not possible, since this is precisely what transport encryption was built as a defense against. 🙂

Sorry to disappoint, and best regards,
Peter Müller


hi
thank you for the answer
I have tried (OPNsense) (pfSense) with a local certificate; it is possible to intercept the HTTPS traffic
I tried Synology SRM and it intercepts all traffic through SafeAccess without setting anything on the clients
I was wondering if we could do the same with IPFire
ty

Hi,

unfortunately, IPFire’s web proxy does not support TLS interception for security reasons (see this paper).

Thanks, and best regards,
Peter Müller


hi
thanks for the information about TLS interception, ok
but for the proxy, it intercepts the HTTP and HTTPS traffic well with settings on the browsers and OS also?
Would it be possible to make the proxy intercept the traffic without configuring the browser and the OS?
ty

Hi,

this is not entirely correct: With both HTTP and HTTPS, clients having a proxy explicitly configured ask the proxy to fetch a resource (i.e. a URL) for them. With HTTPS, the so-called CONNECT method is used, telling the proxy to establish a connection to a given FQDN or IP address, and then tunneling all (encrypted) traffic of this connection between the client and the webserver.

So, technically speaking, that is not an interception. An interception would mean the proxy is somehow able to (ideally transparently) decrypt the traffic, and peek into it.

No, since this is precisely what TLS was designed to protect you against. 🙂

Thanks, and best regards,
Peter Müller

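To make the distinction in the answer above concrete, here is an added Python example (not IPFire's code and not from anyone in this thread) that classifies the first bytes a proxy receives on a connection and reports what it can actually read: a CONNECT request exposes only host and port, a plain HTTP request is fully readable, and a transparently redirected port-443 connection is a raw TLS ClientHello of which at most the SNI is visible. All inputs, the function names and the minimal ClientHello builder are constructed for this example.

```python
import re
import struct

CONNECT_RE = re.compile(rb"^CONNECT ([^\s:]+):(\d+) HTTP/1\.[01]\r\n")
HTTP_RE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")

def sni_from_client_hello(data: bytes):
    """Return the server_name from a TLS ClientHello, or None if absent or malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:  # TLS handshake record carrying a ClientHello
            return None
        pos = 5 + 4 + 2 + 32  # record hdr + handshake hdr + client version + random
        pos += 1 + data[pos]  # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher suites
        pos += 1 + data[pos]  # compression methods
        ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:  # server_name: list len(2), name type(1), name len(2), name
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def classify_first_bytes(data: bytes) -> dict:
    """Report what the proxy can see in the first bytes of a client connection."""
    m = CONNECT_RE.match(data)
    if m:  # explicit proxy, HTTPS: only host:port is visible, the tunnel stays encrypted
        return {"kind": "connect", "visible": m.group(1).decode() + ":" + m.group(2).decode(), "plaintext": False}
    m = HTTP_RE.match(data)
    if m:  # explicit proxy (absolute URL) or transparent redirect of port 80 (path): plaintext
        return {"kind": "http", "visible": m.group(1).decode(), "plaintext": True}
    if data[:1] == b"\x16":  # transparently redirected port 443: raw TLS, at most the SNI is readable
        return {"kind": "tls", "visible": sni_from_client_hello(data), "plaintext": False}
    return {"kind": "unknown", "visible": None, "plaintext": False}

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with one cipher suite and an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", 2) + b"\xc0\x2f"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # handshake type + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feeding the proxy a redirected port-443 connection therefore yields only the server name; the request bodies and responses inside the TLS session remain opaque to it.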

hi

Quote: "No, since this is precisely what TLS was designed to protect you against"

Thanks