Forward HTTPS & FTP to Web-Proxy

Ghassan · Wed Mar 28, 2007 3:02 am

Hello All,

How can I forward https connection to proxy since I have 3 interfaces .

first interface = Local
2nd interface = ISP-1
3rd interface = ISP2

ISP-1 is for HTTP only that I am using .
ISP-2 is my gateway and it appears that HTTPS are coming from ISP-2 not from my web-proxy .

Another thing is that i want to forward FTP connection to my web-proxy since my Web-Proxy is in Transparent Mode .

Thank you,
Ghassan

janisk · Wed Mar 28, 2007 11:20 am

i doubt that HTTPS can be use with proxy at all.

and transparent FTP is not supported by RouterOS proxy solution

Ghassan · Wed Mar 28, 2007 2:27 pm

Notice that if I put for my client a proxy which is my MT proxy IP , it forwards everything to web-proxy or I get https from the web proxy but if I user is on port 80 he can gets only HTTP port 80 but HTTPS got directly .. they told me that i want to forward my https to web proxy so how can we forward s https to web-proxy .

Thank you,
Ghassan

Wed Mar 28, 2007 10:01 pm

https is using port 443. You must redirect port 443 traffic in order to pass https to web-proxy.

savagedavid · Wed Mar 28, 2007 10:05 pm

If you redirect port 443 it will not actually proxy the request - the proxy will merely pass on the request and not cache it. There is probably no benefit in caching HTTPS. Also how would your users feel knowing that there might be a chance of their secure transactions being cached (even if you know it is not so)?

Ghassan · Thu Mar 29, 2007 12:12 am

https is using port 443. You must redirect port 443 traffic in order to pass https to web-proxy.

I already used this rule before I post this topic , i got msn and everything uses SSL down ...

Notice that if I made some settings at our clients or If i put proxy for explorer and passes through local .. surfing gets much better with it but if I left it at normal settings which is default port 80 it will only cache HTTP requests , another thing is do not forget that some pictures and exe files are being downloaded from HTTPS .

What do you think the best solution for HTTPS request and how can we forward it to cache ?

Ghassan · Thu Mar 29, 2007 12:15 am

If you redirect port 443 it will not actually proxy the request - the proxy will merely pass on the request and not cache it. There is probably no benefit in caching HTTPS. Also how would your users feel knowing that there might be a chance of their secure transactions being cached (even if you know it is not so)?

I only want to cache pictures and file extensions that can be downloaded .

shielder · Thu Mar 29, 2007 7:06 am

do not try to forward https to proxy, you would have problems with signing in to email or bank account. But for FTP, you could try, but you need to increase the maximum cache size of your proxy

Thu Mar 29, 2007 9:44 am

do not try to forward https to proxy, you would have problems with signing in to email or bank account. But for FTP, you could try, but you need to increase the maximum cache size of your proxy

As it was mentioned before MT does not support transparent FTP in v2.9

Ghassan · Thu Mar 29, 2007 12:02 pm

So do you mean that all versions do not support Transparent FTP .

Is there any idea to cache https , actually not all https but only pictures or extensions like exe as it seems that most websites are securing their files by HTTPS .

any solution for FTP !

The Grog · Thu Mar 29, 2007 10:02 pm

For pure security reasons you can't cache HTTPS and for a good reason.

Most secure sites will not accept the connection in the first place and those that do are NOT secure anyway. Please read documention on why it is not suppose to work from squid-cache for example.

It is pretty simple and is due to the man-in-the-middle attacks, making a supposed secure connection insecure. Any proper web proxy server has not implemented this and never will.

Ghassan · Thu Mar 29, 2007 11:42 pm

But if I changed my settings to Transparent Mode = no and apply new settings for clients by putting the same proxy for all protocols : Http , Secure , FTP , Socks ...

after changing , i found some changes with HTTPS , much faster than before ... so i knew that is from cache since you can manage access or filter caching ..

tplecko · Mon Jun 11, 2007 12:36 pm

What if you only want to deny sites?

We use MT WEB-PROXY only for filtering web content. The problem is that most of the web servers (including my company's) will accept https connections by default wich then bypasses my proxy and the user can visit the forbidden site anyway...

Can this be done?

Ghassan · Tue Jun 12, 2007 3:20 am

What if you only want to deny sites?

We use MT WEB-PROXY only for filtering web content. The problem is that most of the web servers (including my company's) will accept https connections by default wich then bypasses my proxy and the user can visit the forbidden site anyway...

Can this be done?

Anyway , i have finished our servers .. if anyone requested the blocked websites via 80 or 443 then he/she will get a website that shows access denied .

all it was done by blocking websites that are on access-list .

I am glad to help you .

Ghassan.

Forward HTTPS & FTP to Web-Proxy

Forward HTTPS & FTP to Web-Proxy

Re: Forward HTTPS & FTP to Web-Proxy

Re: Forward HTTPS & FTP to Web-Proxy

Who is online