David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

can I redirect https to my router?

Mon Jul 17, 2017 4:25 pm

I'm using OpenDNS to block adult content in my office.
Is there any way I can redirect the OpenDNS page I'm getting to my proxy error page?
The page is:
https://blcok.opendns.com/
 
normis
MikroTik Support
Posts: 26924
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: can I redirect https to my router?

Mon Jul 17, 2017 4:58 pm

Why? Can't you just enter a custom message in OpenDNS settings?
https://support.opendns.com/hc/en-us/ar ... Setup-FAQ-
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: can I redirect https to my router?

Mon Jul 17, 2017 5:16 pm

I like the MikroTik error page better :-)

I'm using their free DNS service.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: can I redirect https to my router?

Mon Jul 17, 2017 5:50 pm

HTTPS pages cannot be redirected by a router. A proxy could do it, but only for an entire domain, not a detail page like an error page.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: can I redirect https to my router?

Tue Jul 18, 2017 12:58 am

Given that more and more of the Internet is switching to using SSL by default, the ability to hijack www traffic is going to dwindle.

Of course you can still redirect it to your router, but it's going to give SSL warnings to the user, and if you can get around that, then you can man-in-the-middle their web banking transactions just as easily - so no wonder that this cannot be done w/o administrative access to the clients.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: can I redirect https to my router?

Tue Jul 18, 2017 2:36 am

MikroTik won't be the right choice for web content filtering.

Other devices (Sonicwall? Fortigate?) have features where you can upload your own CA certificate and install that CA cert on the internal computers. Now the router can generate certs on the fly, and those certs will be trusted by the internal computers. Only now do you have the option to redirect HTTPS pages without internal computers displaying certificate errors. If a visitor comes onsite, he'll see the cert errors since he doesn't have the CA installed.
 
normis
MikroTik Support
Posts: 26924
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: can I redirect https to my router?

Tue Jul 18, 2017 9:41 am

> MikroTik won't be the right choice for web content filtering.
>
> Other devices (Sonicwall? Fortigate?) have features where you can upload your own CA certificate and install that CA cert on the internal computers. Now the router can generate certs on the fly, and those certs will be trusted by the internal computers. Only now do you have the option to redirect HTTPS pages without internal computers displaying certificate errors. If a visitor comes onsite, he'll see the cert errors since he doesn't have the CA installed.

RouterOS also has the ability, but you still have to force the users to accept the certificate mismatch. This is the wrong way to go about this in the OP's situation. If you use a free service and don't like their error page, maybe don't use this service, or start paying, so you can replace the error message in an official way.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: can I redirect https to my router?

Tue Jul 18, 2017 8:12 pm

> Now the router can generate certs on the fly, and those certs will be trusted by the internal computers. Only now do you have the option to redirect HTTPS pages without internal computers displaying certificate errors.

This is why you should NEVER install a trusted CA certificate unless you actually trust that CA and know that their root cert is secure. Any time a CA cert is compromised, the ENTIRE INTERNET is compromised for any computer trusting that certificate. Because now, hackers could use that cert to sign ANYTHING they want - including mybank.example.com, www.google.com, etc. And your computer would consider it LEGITIMATE.

Van's suggestion is standard practice for many enterprise environments. It works because Active Directory can remove any certs that get compromised, and push new ones out to replace them.

I would never, ever accept a third-party root CA from anyone telling me that I had to install it on my computer in order to use their network, and unfortunately, if you're not running a domain, then this would be the only way to be able to intercept HTTPS sessions without triggering alarms.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: can I redirect https to my router?

Tue Jul 18, 2017 11:49 pm

> I would never, ever accept a third-party root CA from anyone telling me that I had to install it on my computer in order to use their network

Neither would I, and as the I.T. of a company I wouldn't ask guests or contractors to do so. But they would be expected to use the guest wifi, where there would be no content filter, because what they do on their own computers isn't my concern.

For OpenDNS, even if you paid for it, I can't see how HTTPS would redirect without certificate errors unless you used OpenDNS's self-signed CA. Or if you created your own self-signed CA, but then you'd have to upload your cert and private key to OpenDNS. Both methods bear the exact same security concerns.

I wouldn't use OpenDNS, or any website that expected that much trust from me. At least with the Sonicwall it's a device you buy and use on-premise. I'd feel OK with uploading my self-signed CA and private key on that. And again, my CA only gets installed on company-owned computers, as their security falls under my responsibilities. As for adult content, Sonicwall even has a cool feature where you can enforce all Google searches to use the 'Strict' filter. Without this feature, Google Images is a source for adult content.

So maybe I'll change my answer for the OP. Either research and invest in a proper content filter solution, or live with the limitations of the free version of OpenDNS. Also, everyone knows they shouldn't be viewing adult content on office computers - so does it really matter if they see a customized "forbidden" web page vs a "DNS can't be resolved" web page?
 
normis
MikroTik Support
Posts: 26924
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: can I redirect https to my router?

Wed Jul 19, 2017 11:06 am

Actually OpenDNS has a built-in capability to display a custom error message, even your own logo. So I still don't understand the original request.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: can I redirect https to my router?

Thu Jul 20, 2017 9:36 am

I'm only using their DNS server for blocking.
I don't have an account.
This is why I ask what I ask :-)
 
normis
MikroTik Support
Posts: 26924
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: can I redirect https to my router?

Thu Jul 20, 2017 9:44 am

The account is free. Has all kinds of settings.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: can I redirect https to my router?

Thu Jul 20, 2017 2:43 pm

Well, it depends a bit... it is possible to create a free account and indeed it has lots of configurability but its usage is restricted.
To use it for business purposes it is formally required to ask them for a quote for a paid account. And it is very expensive (I tried).
However, nothing will happen when you use a free account for business, with limited traffic. Put the MikroTik DNS in front of it as a cache.
 
reinerotto
Long time Member
Posts: 523
Joined: Thu Dec 04, 2008 2:35 am

Re: can I redirect https to my router?

Thu Jul 20, 2017 10:25 pm

> To use it for business purposes it is formally required to ask them for a quote for a paid account. And it is very expensive (I tried).

And that is the reason I developed a simple clone of OpenDNS for a hotspot provider. With a custom "Blocked !" page, of course :-)
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: can I redirect https to my router?

Sun Jul 23, 2017 3:02 pm

Can you give me more details about it?

Thanks,
 
reinerotto
Long time Member
Posts: 523
Joined: Thu Dec 04, 2008 2:35 am

Re: can I redirect https to my router?

Sun Jul 23, 2017 4:55 pm

Because of the costs of OpenDNS for commercial use, but the necessity of filtering the access to public, open hotspots of a client, I did a "worst case" DNS server, considering several blocklists, most of all porn, of course, but also gambling etc. So no special consideration of age ranges, because of open access.
Only filtering of domains, _not_ URL based. Quality of the filter depends upon the blocklists used, of course.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: can I redirect https to my router?

Mon Jul 24, 2017 12:04 am

> Because of the costs of OpenDNS for commercial use, but the necessity of filtering the access to public, open hotspots of a client, I did a "worst case" DNS server, considering several blocklists, most of all porn, of course, but also gambling etc. So no special consideration of age ranges, because of open access.
> Only filtering of domains, _not_ URL based. Quality of the filter depends upon the blocklists used, of course.

Excellent detail to point out.

So for those who don't quite get what the difference is:

somesite.example.com/family-friendly.html
somesite.example.com/porn.html

DNS blocking can only block the server somesite.example.com - meaning you couldn't get to the family-friendly.html page either. URL filters would be able to block porn.html but allow family-friendly.html
 
normis
MikroTik Support
Posts: 26924
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: can I redirect https to my router?

Mon Jul 24, 2017 9:44 am

Can you give an example, where a porn hosting website would also have family oriented pages on the same domain :) ?
 
reinerotto
Long time Member
Posts: 523
Joined: Thu Dec 04, 2008 2:35 am

Re: can I redirect https to my router?

Mon Jul 24, 2017 10:11 am

> Because of the costs of OpenDNS for commercial use, but the necessity of filtering the access to public, open hotspots of a client, I did a "worst case" DNS server, considering several blocklists, most of all porn, of course, but also gambling etc. So no special consideration of age ranges, because of open access.
> Only filtering of domains, _not_ URL based. Quality of the filter depends upon the blocklists used, of course.

> DNS blocking can only block the server somesite.example.com - meaning you couldn't get to the family-friendly.html page either. URL filters would be able to block porn.html but allow family-friendly.html

Correct. _BUT_ URL filters are much slower, because of the 'work' involved to parse the URL and some type of required database access.
Besides, URL filters have a serious problem when HTTPS is used.
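As an added illustration of the difference ZeroByte and reinerotto describe above (this is not code from anyone in the thread), the snippet below applies a domain blocklist and a URL blocklist to constructed sample requests. It also models what a network-side filter can actually read: for https only the hostname is visible (from the DNS query or the TLS SNI), so a path-level rule has nothing to match against without decrypting the session.

```python
"""Domain-level (DNS) blocking versus URL-level filtering, and what each
can see for http vs https. Blocklist entries and URLs are constructed
sample data for this illustration."""
from urllib.parse import urlsplit

# Constructed blocklists: one DNS-style domain entry, one host+path entry.
DNS_BLOCKLIST = {"blocked.example"}
URL_BLOCKLIST = {("somesite.example.com", "/porn.html")}


def dns_blocked(hostname: str) -> bool:
    """DNS filter: matches the name and every subdomain, never a path."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DNS_BLOCKLIST for i in range(len(labels)))


def url_blocked(hostname: str, path: str) -> bool:
    """URL filter: needs host AND path, so it can block a single page."""
    return (hostname.lower(), path) in URL_BLOCKLIST


def visible_to_filter(url: str) -> dict:
    """What an in-path filter sees without decrypting TLS: for https only
    the hostname (DNS query / SNI); the path is inside the encrypted stream."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    if parts.scheme == "https":
        return {"host": host, "path": None}
    return {"host": host, "path": path}


def decide(url: str) -> str:
    """Run both filters over what is visible. Returns 'dns-block',
    'url-block', 'allow', or 'allow-(path-hidden)' when https hides the path."""
    seen = visible_to_filter(url)
    if dns_blocked(seen["host"]):
        return "dns-block"
    if seen["path"] is None:
        # https: the URL filter cannot inspect the path it would need
        return "allow-(path-hidden)"
    if url_blocked(seen["host"], seen["path"]):
        return "url-block"
    return "allow"


if __name__ == "__main__":
    for u in ("http://somesite.example.com/family-friendly.html",
              "http://somesite.example.com/porn.html",
              "https://somesite.example.com/porn.html",
              "https://www.blocked.example/anything"):
        print(f"{decide(u):22} {u}")
```

The last URL shows why domain blocking still works for https (the name is visible), while the third shows the URL rule silently not firing.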
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: can I redirect https to my router?

Mon Jul 24, 2017 10:16 am

True, the big problem is in HTTPS...
This is why I thought I could take the DDNS page and then redirect it.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: can I redirect https to my router?

Mon Jul 24, 2017 12:14 pm

> Can you give an example, where a porn hosting website would also have family oriented pages on the same domain :) ?

The problem is usually not that, but there are indeed cases where some people want to block "part of a site".
E.g. some site that offers games (that are seen as unwanted, e.g. timewasting) and useful content.
In general it is better to use different methods than blocking to prevent the timewasting...
 
normis
MikroTik Support
Posts: 26924
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: can I redirect https to my router?

Mon Jul 24, 2017 12:40 pm

Well, when there is https and nondescript URLs (like ?param=abss%aasf&aasssf), then there isn't much you can do, except offer warnings or incentives to spend time in better ways.
 
reinerotto
Long time Member
Posts: 523
Joined: Thu Dec 04, 2008 2:35 am

Re: can I redirect https to my router?

Tue Jul 25, 2017 2:43 pm

> Can you give an example, where a porn hosting website would also have family oriented pages on the same domain :) ?
>
> The problem is usually not that, but there are indeed cases where some people want to block "part of a site".
> E.g. some site that offers games (that are seen as unwanted, e.g. timewasting) and useful content.
> In general it is better to use different methods than blocking to prevent the timewasting...

In this case, you can combine URL filter + DNS filter, to get best of both worlds, at least for http.
General problem of URL filtering for https still applies, though.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: can I redirect https to my router?

Tue Jul 25, 2017 2:59 pm

> Can you give an example, where a porn hosting website would also have family oriented pages on the same domain :) ?
>
> The problem is usually not that, but there are indeed cases where some people want to block "part of a site".
> E.g. some site that offers games (that are seen as unwanted, e.g. timewasting) and useful content.
> In general it is better to use different methods than blocking to prevent the timewasting...
>
> In this case, you can combine URL filter + DNS filter, to get best of both worlds, at least for http.
> General problem of URL filtering for https still applies, though.

What I mean is that you probably should not try to solve it by blocking the unwanted content, but by explaining to your users
what content they are not supposed to visit and what will be the corrective actions when they still do it.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: can I redirect https to my router?

Tue Jul 25, 2017 5:32 pm

> What I mean is that you probably should not try to solve it by blocking the unwanted content, but by explaining to your users
> what content they are not supposed to visit and what will be the corrective actions when they still do it.

I call this layer 8 policy filtering. :)

"Stop going to YouTube on company time or you're fired."
