Webproxy walled garden or something

gargola · Sat Mar 15, 2014 11:12 pm

Hello colleagues:
This is my situation, I'm redirecting users to the webproxy to show alerts about payment.

/ip firewall nat add action=redirect chain=dstnat comment="Payment" dst-port=80 in-interface=ether5-LAN1 protocol=tcp src-address-list=alert to-ports=999

/ip proxy set enabled=yes port=999 ip proxy access
add action=deny redirect-to=10.0.3.2:89

So, when I add a client to the addresslist He sees the alert and everything is OK. But now, I want to show them a video uploaded to youtube. But as I am redirecting all the traffic, He can't get the youtube video.
Is there something like walled garden for hotspot, in webproxy?
Regards!

rextended · Sat Mar 15, 2014 11:57 pm

gargola · Mon Mar 17, 2014 7:50 am

Thank You, works perfect

Could You know why my rule isn't working with https? I add to the rule the port 443, but, if some IP in the address list tries to navigate still can see https pages.

ros code

/ip firewall nat add action=redirect chain=dstnat comment="Payment" dst-port=80,443 in-interface=ether5-LAN1 protocol=tcp src-address-list=alert to-ports=999

rextended · Mon Mar 17, 2014 10:10 am

You can not redirect https traffic on http traffic,
you must create two proxy and two mangle on rb, also two service on web server.

Also not all websites use 80 or 443 for http or https

gargola · Mon Mar 17, 2014 9:38 pm

So if I'm not wrong.
HTTP -> One NAT rule, One webproxy, One web server.
HTTPS -> One NAT rule, One webproxy, One web server with HTTPS certificate?

rextended · Mon Mar 17, 2014 9:43 pm

So if I'm not wrong.
HTTP -> One NAT rule, One webproxy, One web server.
HTTPS -> One NAT rule, One webproxy, One web server with HTTPS certificate?

HTTP -> One NAT rule, One webproxy, One web server.
HTTPS -> One NAT rule, SAME webproxy, CAN BE SAME web server with OTHER port with HTTPS certificate?

I have the same problem with https://www.google.com new webpage,
for display HotSpot https webpages (for login & advertise) I haved to buy a certificate [from EssentialSSN] verified by one general root authority.
If I not do that the user can not see login pages (are forced to digit hotspot address or DNS name)

gargola · Tue Mar 18, 2014 1:54 am

So, with my HTTPS web server, I'll be able to redirect the HTTPS requests to the proxy and show the alert?
I'm already working on a laboratory, lets see what happens.

I can't get it work

ros code

/ip firewall nat
add action=redirect chain=dstnat comment=\
    "Payment" dst-port=80 protocol=tcp \
    src-address-list=aviso to-ports=999
add action=redirect chain=dstnat dst-port=443 protocol=tcp src-address-list=\
    aviso to-ports=999

/ip proxy access
add dst-host=*.youtube.com path=/embed/JP4XikcBfdg
add action=deny dst-port=443 redirect-to=192.168.100.31
add action=deny dst-port=80 redirect-to=10.0.3.2:89

In my second web server I redirect all http to https, and the https is working. I realized that when add the dst-nat for 443 port, even that youtube is first in access, the http can't see the video. If I disable the 443 dst-nat, it work good, and the http request can see the video.
Requesting a HTTP page, the redirection works perfect.
Requesting a HTTPS page, the page stay loading and doesn't work.