URL Redirecting is missing label for branding and warning on redirect

JonathanLee · Jan 5, 2022, 7:29 PM

Hello fellow Netgate community can you please help. I just ran some URL proxy website redirecting labs for testing squid and noticed that the redirected webpage is missing some kind of alert or small print label for use with transparent mode.

Something like "This website has been redirected and or adapted by "Company name":. . . contact your administrator for access"

Warning this is not meant to be political based at all. This is purely for firewall security information. Please DO NOT respond with any political based responses.

Is there a way to add a warning on the redirected webpage.

JonathanLee · Jan 5, 2022, 8:40 PM

This would help with chain of custody with URL redirects.

(Image: Similar to what I would like to add for URL redirects) with a link to company policy, company name and admin email.)

johnpoz · Jan 5, 2022, 8:48 PM

@jonathanlee said in URL Redirecting is missing label for branding and warning on redirect:

I just ran some URL proxy website redirecting labs for testing squid and noticed that the redirected webpage is missing some kind of alert or small print label for use with transparent mode.

Huh - what would that have to do with pfblocker? Did you mean to put this in the proxy section? I can move it for you.

pfblocker doesn't do "redirection" it can direct you to a site when something is blocked.

Not sure who would be accessing cnn via http anyway ;) Doesn't auto redirect you to https anyway.. When I hit http://cnn.com - It redirects you to https.. Its right there in the code..

--2022-01-05 14:46:25--  http://cnn.com/
Resolving cnn.com (cnn.com)... 151.101.129.67, 151.101.193.67, 151.101.1.67, ...
Connecting to cnn.com (cnn.com)|151.101.129.67|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.cnn.com/ [following]
--2022-01-05 14:46:25--  http://www.cnn.com/
Resolving www.cnn.com (www.cnn.com)... 151.101.185.67, 2a04:4e42:2c::323
Connecting to www.cnn.com (www.cnn.com)|151.101.185.67|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.cnn.com/ [following]
--2022-01-05 14:46:25--  https://www.cnn.com/
Connecting to www.cnn.com (www.cnn.com)|151.101.185.67|:443... connected.

So not exactly sure what your trying to do - but not sure how this has anything to do with pfblocker?

Are you trying to redirect users to a "blocked" page with pfblocker? And tell them they have been blocked?

JonathanLee · Jan 5, 2022, 9:55 PM

@johnpoz I am trying to learn about doing a transparent proxy URL redirect to a different website. I got it to work half way just testing and playing around with it, however I noticed it has no lable on the bottom that said it was redirected. My proxy is running in transparent mode. The goal of the lab was to have one URL when used be redirected to another.

Example: if I am at work and try to access Facebook as an example it just redirects back to the company's website however on the bottom after redirection has a lable like this website has been redirected by companyabc.com company electronic device use policy.

I got it to work with some some basic sites in transparent mode, with SSL certificates however it is not using https it went to 80 and the redirect is messed up it just didn't work correctly.

Goal website redirects and the new site has a small message on the bottom for a set timer that warns user about redirect.

johnpoz · Jan 5, 2022, 9:57 PM

@jonathanlee ok this has nothing to do with pfblocker then ;)

Moving to proxy section, you might get more traction there from proxy users..

however I noticed it has no lable on the bottom that said it was redirected

I don't use proxy, and for sure don't play with it much.. This day and age of https everywhere they have become pretty irrelevant. But I don't recall that ever being like an option, not saying it can't be done.. But I don't believe is any sort of click this button sort of thing..

JonathanLee · Jan 5, 2022, 10:04 PM

@johnpoz

This is the area that had URL redirection now in Squidguard

(Image: Squidguard URL redirection)

JonathanLee · Jan 5, 2022, 10:05 PM

@johnpoz It is no click point option you need SSL certificates loaded on all devices it will work with 443 with trusted certificates.

johnpoz · Jan 5, 2022, 10:11 PM

@jonathanlee that redirect doesn't add any sort of overlay that says its been redirected or anything.

you need SSL certificates loaded on all devices it will work with 443 with trusted certificates.

Which is a whole can of worms that shouldn't be opened - your breaking the chain of trust, etc.

But you have fun ;)

JonathanLee · Jan 5, 2022, 10:41 PM

@johnpoz this is all equipment my devices my router and firewall. A business or such it would be their issue. SSL certificates for users on a network is standard practice. HTTPS url filtering works great see below I can block and add notes for HTTPS or http.

(Image: url blocking working)

If this overlay worked why does it not add one for redirected urls?

JonathanLee · Jan 6, 2022, 4:15 AM

@jonathanlee keep in mind all urls used are testing urls for learning.

johnpoz · Jan 6, 2022, 4:15 AM

@jonathanlee that is the normal block page, and it loads because its not https..

Have fun trying to do with https.. You would have to create a cert for www.cnn.com on the fly, and your browser would have to trust the CA that created it, etc.

JonathanLee · Jan 6, 2022, 4:21 AM

@johnpoz I wish we could do a overlay for a redirect. I have to admit redirection and learning about this today was amazing.

netblues · Jan 6, 2022, 5:17 AM

@jonathanlee You can block https but you cannot redirect it.
And adding local trusted ca's on all devices and creating "fake" site certificates on the fly isnt easy.
And why you need an overlay? A simple landing page is enough (if you have managed to do the redirection)

JonathanLee · Jan 6, 2022, 5:35 AM

@netblues thanks for the reply. Do you think they will ever have a browser plugin to act like Burp suite so we could make redirection work correctly? Http works for the messages however https does not. The cookie interaction and SSL issues with the redirection cause most of the issues. With a proxy like Brupe suite you can have the Forward pause and adapt it on the fly with pen testing even regenerate cookies. But for a valid redirect there has to be a way to just auto generate a cancel and a new url reload with the new url. What http header sends the stop? We just need to cancel and refresh with the new URL right? But how can you hit the refresh without a plugin?

JonathanLee · Jan 6, 2022, 5:52 AM

@jonathanlee

HTTP request methods - http: MDN. HTTP | MDN. (n.d.). Retrieved January 6, 2022, from https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods

One has to work, I will just have to play with some code next semester if I learn more and test for a while and make it very secure. Goal is to stop the unwanted non approved URL cancel the browser request and after have a new request generated for a new URL and send the new url down. But it would require a approved plugin like Kaspersky uses. You have to control the browser someway. All it is a redirected url with a overlay. Kaspersky antivirus uses browser extensions even Chrome approved ones that install SSL certificates on the fly for use with the software based IDS and antivirus software. I would feel more comfortable with such extensions installed on the firewall.

General articles: Answers to frequently asked questions. How to enable the Kaspersky Protection extension in Google Chrome, Mozilla Firefox and Microsoft Edge based on Chromium. (n.d.). Retrieved January 6, 2022, from https://support.kaspersky.com/common/start/12782

netblues · Jan 6, 2022, 7:39 AM

@jonathanlee Creating and maintaining a plugin that works on many browsers and devices isn't something easy.
It does require a team of devs and testers and a way to finance it.
Kaspersky is a multimilion dollar security software company with many subject matter experts.
If it was easier they wouldn't have opted for a plugin, to begin with.

JonathanLee · Jan 6, 2022, 4:18 PM

@netblues
One can say . .
A community is always be stronger than abuses brought by the few.

I got the http redirect to work however for the blocked https I am still working on that I want it to go to the official blocked page like this. see image below

This only works when I go to http://zoo.com
if I try https://zoo.com this occurs

I am missing a setting or something. I just get a error page

JonathanLee · Jan 6, 2022, 4:20 PM

@netblues Even with the landing pad it gives an error for me currently only http works.

johnpoz · Jan 6, 2022, 4:38 PM

@jonathanlee I would suggest you go through the hangout by jimp

Youtube Video

While its a bit dated now with 2.5 and 2.6 around the corner.. I am not aware of any sort of major changes.. And for sure this hangout goes over the different options of doing https proxy.