How to redirect and serve http requests from local user with pfsense
-
Hi,
I would like to redirect and serve unencrypted http requests from local users (myself). For example, a request for yahoo.com/some_script.js should be redirected and the script served without contacting yahoo.com at all. This should work when I am offline as well.
What I am looking for is a pointer in the right direction. I'm thinking that I need unbound or another DNS server to handle all traffic and redirect the requests that fit a regex pattern to a local webserver or proxy server. Looking at the DNS Resolver, there are Host Overrides and Domain Overrides, but I don't see how to redirect the request for a specific file.
Then I suppose I need something like nginx or squid as a forward proxy (not a reverse proxy), but one that does not contact the site requested or store the scripts (this would be OK but better if avoidable), but instead uses files already downloaded and made available to the proxy/webserver, which provides this to the person/webbrowser making the request.
That's a lot of words to describe something that in essence seems very simple: store and replace one file of a http request for another file. Any help or tips would be appreciated!
-
Any thoughts on this? Am I on the right path with unbound and squid?
-
You can probably do it with Squid, but the question is why?
Also in your example I don't think it would even be successful as Yahoo (like many) force HTTPS by default, and if you try injecting non-HTTPS content into the request the end users' web browser will almost certainly block it and tell the user that they are experiencing a man-in-the-middle attack.
The only way I could see this being successful (for HTTPS traffic) is if you man in the middle ALL of the traffic, but you'd need to have access to all of your clients' devices to install your own root certificate into their trusted CA store, to avoid their browsers giving serious warnings or blocking the requests altogether.
-
One of the motivations is blocking intrusive or unsafe scripts and data mining. Much of that can be blocked with conventional adblockers; where it gets difficult is when third-party scripts from advertising companies are used (e.g. jQuery), which the website needs to work properly or at all.
That's an interesting point about https connections, but it's not usually an issue in the above cases, mostly because a lot of sites still don't use https, but also because when connecting to a medium-sized website with say 20 different server connections, some might be encrypted, but not all, and especially not the scripts with known content.
Anyway, back to the technical requirements: can squid handle the redirection and serve up pre-installed scripts, or would I need unbound/bind for the DNS or possibly a webserver like nginx as well?
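As an added example (not code from the thread or from the pfSense or Squid projects), the following Squid `url_rewrite_program` helper shows the "Squid plus a small local webserver" path asked about above: Squid hands each plain-HTTP request URL to the helper, the helper maps a short allowlist of exact host/path pairs to copies on a local webserver, and everything else is left untouched. The host names, paths and the local webserver address are constructed placeholders; the helper assumes Squid 3.4 or later (for the `OK rewrite-url=` reply format) and a local webserver already serving the downloaded scripts. Because the rewrite happens inside Squid, the client never learns that the request was redirected, and the original host is never contacted, so it also works offline. HTTPS requests arrive at Squid as `CONNECT` tunnels, so their inner URLs are never visible here; this only covers unencrypted traffic, as discussed above.

```python
#!/usr/bin/env python3
"""Minimal Squid url_rewrite_program helper (added example, not from the thread).

Squid writes one request per line on stdin:
    [<channel-ID>] <URL> <client_ip>/<fqdn> <ident> <method> [key=value ...]
The leading channel-ID is present only when url_rewrite_children is
configured with concurrency>0. The helper replies on stdout with
    [<channel-ID>] OK rewrite-url="<new-url>"   -> fetch from elsewhere instead
    [<channel-ID>] ERR                          -> leave the request alone
"""
import sys
from urllib.parse import urlsplit

# Assumption: a local webserver (nginx/lighttpd) serving the pre-downloaded
# scripts; the address and the entries below are constructed placeholders.
LOCAL_WEBSERVER = "http://127.0.0.1:8081"

# Exact (host, path) -> local path. Exact matching rather than a regex over the
# whole URL keeps unrelated resources on the same host from being hijacked.
LOCAL_COPIES = {
    ("code.example-cdn.test", "/jquery/3.6.0/jquery.min.js"): "/localjs/jquery-3.6.0.min.js",
    ("ads.example-tracker.test", "/tracker.js"): "/localjs/empty.js",
}


def rewrite_target(url):
    """Return the replacement URL for `url`, or None if it should pass through."""
    parts = urlsplit(url)
    if parts.scheme != "http":          # HTTPS is a CONNECT tunnel; nothing to rewrite
        return None
    local_path = LOCAL_COPIES.get((parts.hostname or "", parts.path))
    if local_path is None:
        return None
    return LOCAL_WEBSERVER + local_path


def handle_line(line):
    """Turn one Squid request line into the helper's reply line."""
    fields = line.split()
    if not fields:
        return "ERR"
    channel = ""
    if fields[0].isdigit():             # concurrency>0: first field is the channel-ID
        channel = fields[0] + " "
        fields = fields[1:]
    if not fields:
        return channel + "ERR"
    target = rewrite_target(fields[0])
    if target is None:
        return channel + "ERR"
    return channel + 'OK rewrite-url="%s"' % target


def main():
    # Answer each request as soon as it arrives; Squid waits on the helper.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To wire it in, squid.conf would carry `url_rewrite_program /usr/local/bin/localjs_rewrite.py` (the path is an assumption) and a `url_rewrite_children` line; with `concurrency=0` Squid omits the channel-ID and the helper's branch for it is simply never taken. Nothing in unbound is needed for the rewritten URLs, since Squid fetches them from the local webserver rather than resolving the original host; the local copies should be served with the same `Content-Type` the originals had so browsers treat them identically.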