Hello,
I have to block HTTPS connection for costumers that don't pay and redirect every connection to a page that says "You forgot to pay this month" and other things.
How can I do that?
Re: Block HTTPS sites
Blocking is possible, redirecting is not as it would require breaking HTTPS security. Simply drop outbound TCP/UDP port 443.
Re: Block HTTPS sites
Create group in address list and move customers(who not pay) to this group. In firewall do "redirect" to you web-server with message "Pay for services" .
-
-
vecernik87
Forum Veteran
- Posts: 891
- Joined:
Re: Block HTTPS sites
Just 2 cents from me: Firewall feature you are looking for is called TLS-Host: https://youtu.be/XkKj9rj4quQ?t=28m44s
That will allow your firewall to get proper traffic for dropping.
In terms of redirecting, I don't think it is going to work. If the server is using HSTS, browsers will simply refuse to connect and will not even offer the button to overcome famous "connection not secure" message
That will allow your firewall to get proper traffic for dropping.
In terms of redirecting, I don't think it is going to work. If the server is using HSTS, browsers will simply refuse to connect and will not even offer the button to overcome famous "connection not secure" message
Re: Block HTTPS sites
Hello,
I have to block HTTPS connection for costumers that don't pay and redirect every connection to a page that says "You forgot to pay this month" and other things.
How can I do that?
You can't redirect HTTPS, because when browser try to connect to a HTTPS site for example https://facebook.com it first get and check the provided certificate to be valid and signed by a root CA for requested domain, which practically no one can obtain it other than facebook. If you provide a self signed certificate browser consider it a MITM attack and warn the user.
Re: Block HTTPS sites
Could you give an example of how to do this and create the group and how to redirect them. Would be very appreciated. Thanks.Create group in address list and move customers(who not pay) to this group. In firewall do "redirect" to you web-server with message "Pay for services" .
Re: Block HTTPS sites
Please listen to the people saying this is not possible. If anyone could redirect HTTPS, what's to stop anyone on the internet doing that to google or a banking website? Redirecting HTTPS is only possible if you also own all the client devices and have installed a MITM root certificate into the OS. If you try to do it anyway, you will cause users to see security errors in their browser.
If you tell your users to ignore the error, you are training them in the worst possible way as when a legitimate error happens they will happily ignore it and end up with all their data stolen (example). As an ISP you hold a certain amount of responsibility as users will generally believe you to be more technically competent than themselves, don't abuse that by trying to do bullshit things like HTTPS interception.
The correct solution for this use case is to redirect all DNS and HTTP connections to a local site and block internet access. Modern operating systems and phones will recognize this as a captive portal situation and direct the user to the desired page.
If you tell your users to ignore the error, you are training them in the worst possible way as when a legitimate error happens they will happily ignore it and end up with all their data stolen (example). As an ISP you hold a certain amount of responsibility as users will generally believe you to be more technically competent than themselves, don't abuse that by trying to do bullshit things like HTTPS interception.
The correct solution for this use case is to redirect all DNS and HTTP connections to a local site and block internet access. Modern operating systems and phones will recognize this as a captive portal situation and direct the user to the desired page.
Re: Block HTTPS sites
Sorry about the confusion, I am not asking to or how to block HTTPS, I am asking how can I redirect customers on my network to a website for customers that forgot to pay their monthly payments. Typically this can be done with http, but I am unsure about the procedure on how to create it.Please listen to the people saying this is not possible. If anyone could redirect HTTPS, what's to stop anyone on the internet doing that to google or a banking website? Redirecting HTTPS is only possible if you also own all the client devices and have installed a MITM root certificate into the OS. If you try to do it anyway, you will cause users to see security errors in their browser.
If you tell your users to ignore the error, you are training them in the worst possible way as when a legitimate error happens they will happily ignore it and end up with all their data stolen (example). As an ISP you hold a certain amount of responsibility as users will generally believe you to be more technically competent than themselves, don't abuse that by trying to do bullshit things like HTTPS interception.
The correct solution for this use case is to redirect all DNS and HTTP connections to a local site and block internet access. Modern operating systems and phones will recognize this as a captive portal situation and direct the user to the desired page.
Re: Block HTTPS sites
I was looking for the same thing but I think it's impossible to redirect HTTPS.Please listen to the people saying this is not possible. If anyone could redirect HTTPS, what's to stop anyone on the internet doing that to google or a banking website? Redirecting HTTPS is only possible if you also own all the client devices and have installed a MITM root certificate into the OS. If you try to do it anyway, you will cause users to see security errors in their browser.
If you tell your users to ignore the error, you are training them in the worst possible way as when a legitimate error happens they will happily ignore it and end up with all their data stolen (example). As an ISP you hold a certain amount of responsibility as users will generally believe you to be more technically competent than themselves, don't abuse that by trying to do bullshit things like HTTPS interception.
The correct solution for this use case is to redirect all DNS and HTTP connections to a local site and block internet access. Modern operating systems and phones will recognize this as a captive portal situation and direct the user to the desired page.
Sorry about the confusion, I am not asking to or how to block HTTPS, I am asking how can I redirect customers on my network to a website for customers that forgot to pay their monthly payments. Typically this can be done with http, but I am unsure about the procedure on how to create it.
Re: Block HTTPS sites
Create a hotspot for that network, edit the login.html with message "Pay for services".
If they paid - disabled the hotspot
If they don't paid - enable the hotspot, it will redirect them.
If they paid - disabled the hotspot
If they don't paid - enable the hotspot, it will redirect them.
Re: Block HTTPS sites
There is no use in going on and on about this. It cannot be done. Period.
You can only block all network access for customers that do not pay. You cannot show them a page.
Live with it.
You can only block all network access for customers that do not pay. You cannot show them a page.
Live with it.
-
-
reinerotto
Long time Member
- Posts: 524
- Joined:
Re: Block HTTPS sites
R1CH had the best proposal: Fake a Captive Portal. Implementation details depend upon your network structure, i.e. using DNS-hijack.
And might not be so simple, though.
However, will work without flaws on http only, but on connecting devices the Captive Portal Detection will be triggered, and you can display your request for $.
And might not be so simple, though.
However, will work without flaws on http only, but on connecting devices the Captive Portal Detection will be triggered, and you can display your request for $.