CP only redirects HTTP traffic, not HTTPS traffic, to the login page.
-
You activated "https" authentication (with valid certificates etc.)?
Keep in mind that intercepting an https (= SSL) request from a browser with the portal page will confront the visitor with nasty warnings.
Because the browser thinks it's connected to an https-certified site (e.g. https://www.google.com) but a certificate from your portal will be handed over. The subject is known, and nothing can be done against that, because it's close to a man-in-the-middle attack.
Have a look in this part of the forum, this subject has been discussed rather often.
How about buying a certificate from a known CA, then activating SSL Bump from Squid … wouldn't that trigger the alert in the clients' browsers?
-
How about buying a certificate from a known CA, then activating SSL Bump from Squid … wouldn't that trigger the alert in the clients' browsers?
Do this first:
@Gertjan: Have a look in this part of the forum, this subject has been discussed rather often.
Then, if you think you have the power to drop into the middle of an SSL party without being detected (the NSA might be able to pull this one off; other people, NO WAY) :D
-
Huh, do what first???
I looked all over the forum and didn't find anything related to SSL bump and buying a certificate from a trusted CA; all I found was about creating a root certificate and such …
-
There is nothing you can do to redirect https requests to the captive portal without generating certificate warnings unless you control all the client devices and install the right trusted root certificate first, MITM the connection, and generate certificates on-the-fly for whatever site the user attempted to visit when they were forwarded to the CP. Generally nasty behavior.
Two choices:
- Do not forward https requests.
- Forward https to the captive portal and trigger certificate warnings.
-
…..
Huh, do what first???
I looked all over the forum and didn't find anything related to SSL bump and buying a certificate from a trusted CA; all I found was about creating a root certificate and such ...
On the top of THIS page you will have your search button.
Hit it.
Type "man in the middle" (== MITM) in the search field (with the " ").
Restrict your search in this forum only.
Result:
https://forum.pfsense.org/index.php?topic=87091.msg478494#msg478494
https://forum.pfsense.org/index.php?topic=82207.msg452903#msg452903
https://forum.pfsense.org/index.php?topic=80844.msg444100#msg444100
https://forum.pfsense.org/index.php?topic=81276.msg443978#msg443978
etc etc etc etc
Read and draw your conclusion ;)
Buying a valid real-world certificate isn't needed. Get one or more for free from https://startssl.com - I have been using several of their certificates for years now.
-
+1 on StartSSL.
If you are worried about keeping the login page secure, you CAN forward your users to an HTTPS login page after they attempt to connect via http to port 80 and get redirected to the portal.
This will generate a certificate error unless you have a certificate on the portal signed by a trusted root and forward your users to a URL with a hostname contained in that certificate (CN or SAN).
In 2.2 you can do this and turn off forwarding of https attempts to the portal. This is the only way to ensure a certificate error is never presented to your users.
-
….. This is the only way to ensure a certificate error is never presented to your users.
And it works well - I've been using it like that for years now.
Portal authentication by https.
Btw: startssl.com is free, but you need to have a 'spare' existing domain name on the Internet (a couple of $ a year).
Now, set this domain name "domaine-name.tld" in System: General Setup => Domain.
The portal interface is called "portal.domaine-name.tld" (my certificate is valid for "domaine-name.tld" and the subdomain "portal.domaine-name.tld" - this is hard-coded in the certificate).
Import the certificate, the chain and the Certificate Authority.
Assign them to the portal interface.
And off he goes ;)
-
OK, got you for the login HTTPS part!
But my main question is not about securing the login page, but about Squid MITM … like Facebook, YouTube ... my goal is to intercept those sites in order to cache them without triggering the alert!
My network is fairly large (300+), so installing the root certificate in every single browser isn't an option! The good part is I do have an Internet domain!
Can't I activate MITM and provide the StartSSL certificate instead of the original each time a client requests an https site?
-
No. If you could do it, anyone anywhere could do it for any https site. Think about it.
-
but about Squid MITM … like Facebook, YouTube ... my goal is to intercept those sites in order to cache them without triggering the alert!
My network is fairly large (300+), so installing the root certificate in every single browser isn't an option!
Intercepting SSL connections …..
This is why Snowden is hiding in Moscow. This explains half of all the WikiLeaks pages. This is what the Patriot Act is all about.
The day you manage to do so with an ordinary pfSense box you will be hired by Cisco, if you didn't have that visit from a local NSA guy just before that :)
Let's say it more clearly: forget about it.
By design: a browser that wants to connect to facebook.com and gets a certificate from the web server it connected to (your portal web server) that says "Hi, I'm portal.local.me" WILL complain. Generating a certificate (on the fly) that your browser will check against a CA, which lets the browser think it is connected to facebook.com when it isn't, would break the entire SSL concept.
At that very moment, you will have broken the entire Internet as a whole.
Pull that one off and be ready to do prime time on CNN every day for the next couple of months.
The good part is I do have an Internet domain!
Can't I activate MITM and provide the StartSSL certificate instead of the original each time a client requests an https site?
As soon as you get a multi-domain certificate that is good for *. [ this *. will explode the net :) ] then, well, yes: you did it!!!!!!
(Shit, now I think about it, I guess the browser involved will not trust a *. …..)
-
Whoa, I don't want to break any laws here, nor do I want to violate the privacy of others; my intention was just to use the HTTPS caching feature of Squid 3.4!
It's really a shame to let go of this amazing opportunity; the Squid caching mechanism for simple HTTP is doing wonders in our LAN, and I was really impatient to do the same for HTTPS as more and more sites go pure SSL!
Is there any other method of doing this "legitimately", like deploying the root certificate automatically by the pfSense box or something like that?
-
You really want content from people's HTTPS-protected sessions with their bank sitting in your cache?
The easiest way to deploy certificates is probably Active Directory. No idea how to do that and get it installed in Firefox's store. Then there's certificate pinning that will blow things up too.
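What the browser actually decides when the portal (or a bumping Squid) hands it a certificate, as an added example that is not from this thread and not pfSense, Squid or browser code. It is a toy model: certificates are plain records with no keys or signatures, so only three checks are modelled, the issuer chaining to a trusted root, the typed hostname matching the CN/SAN (with the leftmost-label wildcard rule), and an optional issuer pin for the host. The trust store, "StartCom" chain, "pfSense Squid CA", "domaine-name.tld" names and the pin set are all constructed for the example; real validation also checks signatures, validity dates and revocation.

```python
"""Toy model of the checks a browser makes on the certificate it receives.

Not pfSense, Squid or browser code: certificates are plain records with no keys
or signatures. Three things are modelled: (1) does the issuer chain to a root
the browser trusts, (2) does the hostname the user typed match the CN/SAN,
(3) does an issuer pin, if one exists for that host, hold. Every name below
is constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Cert:
    """The few certificate fields the model looks at."""
    subject_cn: str
    issuer: str
    sans: List[str] = field(default_factory=list)  # dNSName entries


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: case-insensitive; '*' allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard stands for exactly one label: *.example.com matches
    # www.example.com but neither example.com nor a.b.example.com.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Cert, hostname: str) -> bool:
    """Browsers use the SAN list when present and fall back to the CN only without one."""
    names = cert.sans if cert.sans else [cert.subject_cn]
    return any(_name_matches(n, hostname) for n in names)


def verify(cert: Cert, hostname: str, roots: Set[str], intermediates: Dict[str, str],
           pins: Optional[Dict[str, Set[str]]] = None) -> str:
    """Return 'ok' or the first reason the browser would raise a warning."""
    # 1. walk issuer -> issuer until a root in the trust store is reached
    issuer, seen = cert.issuer, set()
    while issuer not in roots:
        if issuer in seen or issuer not in intermediates:
            return "untrusted issuer: %s" % cert.issuer
        seen.add(issuer)
        issuer = intermediates[issuer]
    # 2. the name the user typed must be in the certificate
    #    (an IP literal would need an iPAddress SAN, which this model lacks)
    if not hostname_matches(cert, hostname):
        return "hostname mismatch: %s not in %s" % (hostname, cert.sans or [cert.subject_cn])
    # 3. pinning, modelled as 'allowed issuers per host' (real pins are key hashes)
    if pins and hostname in pins and cert.issuer not in pins[hostname]:
        return "pin failure: %s is not a pinned issuer for %s" % (cert.issuer, hostname)
    return "ok"


# Constructed trust store: a public root plus its intermediate, as with a StartSSL cert
TRUSTED_ROOTS = {"StartCom Certification Authority"}
INTERMEDIATES = {"StartCom Class 1 Intermediate": "StartCom Certification Authority"}

# Portal certificate as in the thread: valid for the domain and the portal subdomain
PORTAL_CERT = Cert("domaine-name.tld", "StartCom Class 1 Intermediate",
                   sans=["domaine-name.tld", "portal.domaine-name.tld"])
# What an ssl_bump would mint on the fly, signed by the box's own (constructed) CA
BUMP_CERT = Cert("www.facebook.com", "pfSense Squid CA", sans=["www.facebook.com"])
# Pinning modelled as 'issuers this host is known to use' (constructed name)
PINS = {"www.facebook.com": {"Some Public CA The Real Site Uses"}}


def scenarios(ca_installed: bool = False) -> Dict[str, str]:
    """The thread's situations, with or without the box's CA in the client trust store."""
    roots = set(TRUSTED_ROOTS) | ({"pfSense Squid CA"} if ca_installed else set())
    return {
        "https hijacked to portal": verify(PORTAL_CERT, "www.facebook.com", roots, INTERMEDIATES),
        "http redirect to https portal": verify(PORTAL_CERT, "portal.domaine-name.tld", roots, INTERMEDIATES),
        "redirect to portal by IP": verify(PORTAL_CERT, "192.0.2.1", roots, INTERMEDIATES),
        "squid bump": verify(BUMP_CERT, "www.facebook.com", roots, INTERMEDIATES),
        "squid bump, pinned site": verify(BUMP_CERT, "www.facebook.com", roots, INTERMEDIATES, PINS),
    }


if __name__ == "__main__":
    for installed in (False, True):
        print("pfSense Squid CA installed on the client:", installed)
        for name, result in scenarios(installed).items():
            print("  %-30s %s" % (name, result))
```

Running it shows the three outcomes the thread describes: the StartSSL-signed portal certificate is accepted only when the user is sent to portal.domaine-name.tld (not when an https request for another site is intercepted, and not when the redirect uses the IP address), the bumped facebook certificate is rejected until the box's CA is in the client trust store, and even then a pinned site still fails.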
-
…. the Squid caching mechanism for simple HTTP is doing wonders in our LAN, and I was really impatient to do the same for HTTPS as more and more sites go pure SSL!
Negative.
SSL connections are (normally) set up to guarantee "what the server outputs is what is being received by the 'client'".
A server that serves SSL connections will indicate in the http headers that "this file should NOT be cached", because the client wants to see "really real-time info", even if this means that things come over slower. SSL means "you to me and no one between us". Otherwise, a basic TCP connection will do.
A classic (non-encrypted TCP) connection can be 'read' by a caching system, can be intercepted, cached (and translated, mangled, rerouted, whatever).
Think about this: your browser will NOT cache any information it receives when the info came in by SSL.
A "cache" like Squid will not 'cache' anything because it can't see what's coming in (SSL, like VPN == just a random bitstream); SSL is all about that. The cache can only 'just forward' because no caching is possible. A cache will actually just delay instead of accelerate SSL connections.
Caching SSL would be something like asking for a private 1-to-1 communication with a translator between the two of you. Fine, but you agree that the word 'private' should be redefined ;)
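The header rules the post above refers to, as an added example that is not from the thread and not Squid's code: a shared cache such as Squid decides storability from Cache-Control, Expires and the status code (RFC 7234 section 3), and a cache that does not terminate the TLS connection never sees those headers at all. The sample responses (a dynamic social-network page, a video chunk, a CDN script, an API call carrying an Authorization header, a bare 404) are constructed; the function only checks for the presence of Expires and does not compute freshness lifetimes.

```python
"""Storability rules of a shared cache (RFC 7234 section 3) on constructed responses.

Not Squid's code: a restatement of the header logic a shared cache applies to a
response it can read. On a TLS connection it does not terminate it reads nothing,
so none of this runs for https unless the TLS is bumped first.
All sample responses below are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple


def parse_cache_control(value: str) -> Dict[str, str]:
    """'private, max-age=0, no-cache' -> {'private': '', 'max-age': '0', 'no-cache': ''}"""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


# Status codes a cache may store without explicit freshness information (RFC 7231 6.1)
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def shared_cache_decision(status: int, headers: Dict[str, str],
                          request_headers: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Return (storable, reason) as a shared cache would decide it for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    req = {k.lower(): v for k, v in (request_headers or {}).items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, "Cache-Control: no-store"
    if "private" in cc:
        return False, "Cache-Control: private (a browser cache may keep it, a shared one may not)"
    # RFC 7234 3.2: a response to a request with Authorization is off limits unless
    # the origin explicitly allows it with one of these directives
    if "authorization" in req and not any(d in cc for d in ("public", "must-revalidate", "s-maxage")):
        return False, "response to an authorized request without public/must-revalidate/s-maxage"
    if "no-cache" in cc:
        # no-cache does not forbid storing; it forbids reuse without revalidation
        return True, "storable, but every hit must be revalidated (no-cache)"
    for directive in ("s-maxage", "max-age"):
        if directive in cc:
            return True, "explicit %s=%s" % (directive, cc[directive])
    if "expires" in h:
        return True, "explicit Expires: %s" % h["expires"]
    if "public" in cc:
        return True, "Cache-Control: public"
    if status in HEURISTICALLY_CACHEABLE:
        return True, "status %d is storable with heuristic freshness" % status
    return False, "status %d needs explicit freshness information" % status


# Constructed responses of the kind the thread talks about: (name, status, headers, request headers)
SAMPLE_RESPONSES: List[Tuple[str, int, Dict[str, str], Dict[str, str]]] = [
    ("social-network page", 200,
     {"Cache-Control": "private, no-cache, no-store, must-revalidate", "Pragma": "no-cache"}, {}),
    ("video chunk", 200, {"Cache-Control": "private, max-age=21299"}, {}),
    ("static script on a CDN", 200, {"Cache-Control": "public, max-age=31536000, immutable"}, {}),
    ("api call with token", 200, {}, {"Authorization": "Bearer constructed-token"}),
    ("not found, no headers", 404, {}, {}),
]


def classify_samples() -> Dict[str, bool]:
    """Map each sample name to whether a shared cache may store it."""
    return {name: shared_cache_decision(status, hdrs, req)[0]
            for name, status, hdrs, req in SAMPLE_RESPONSES}


if __name__ == "__main__":
    for name, status, hdrs, req in SAMPLE_RESPONSES:
        storable, why = shared_cache_decision(status, hdrs, req)
        print("%-24s %s  (%s)" % (name, "store" if storable else "skip", why))
```

The two responses that stand in for the sites named in the thread are marked `private` (one of them `no-store` as well), so a shared cache skips them even when it can read them; only the CDN-style static asset is storable. Pragma is ignored on purpose: it is a request directive with no defined meaning in responses.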