#1603 Blocking intercepted HTTPS domains?

Status: closed
Owner: Fabian Keil
Priority: 5
Updated: 2014-07-03
Created: 2013-11-05
Creator: Bearks
Private: No

Hi,

I'm currently trying to intercept all HTTP and HTTPS requests that go over my server and redirect them to Privoxy for filtering.
This works fine for HTTP requests with the following iptables rule:
iptables -t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 8118

However when I tried to redirect HTTPS requests as well via
iptables -t nat -A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j REDIRECT --to-ports 8118

I can't connect to any HTTPS website at all, not only those that I blocked (I understand from browsing through the reports that only the hostname can be blocked, not the path).
However when I enter the configuration in my client's browser(s) manually, it works fine (same browser that I used when testing the redirection).

Any ideas why this could fail?

I'm using Privoxy 3.0.19 on a Debian 7.2 system.

Help much appreciated!
John

Discussion

  • Bearks, 2013-11-05

    • labels: --> configuration
  • Fabian Keil, 2013-11-06

    • assigned_to: nobody --> fabiankeil
    • status: open --> pending
  • Bearks, 2013-11-06

    Thanks for the quick feedback!
    Squid is a little heavy for my needs, but I'll see if I can find another way until the new implementation is done.

    John

  • Bearks, 2013-11-06

    • status: pending --> closed
  • Rob, 2014-07-02

    Hi Fabian and all,
    Firstly, really enjoying using privoxy, great work! However I think I'm having the same issue here.
    I've enabled "accept-intercepted-requests" in my config to allow me to use my router to NAT port 80 to my privoxy server, and it now works nicely for HTTP. However if I NAT port 443 in the same way, no HTTPS websites work.

    Further up in this thread post:
    http://sourceforge.net/p/ijbswa/support-requests/1603/#34d1
    you mention that it's on the TODO list. Please, do you have any update on that?

    Is this a privoxy limitation, or is it perhaps on purpose because doing so would break the SSL layer?

    Many thanks
    Rob

  • Fabian Keil, 2014-07-03

    It's still on the TODO list (#16):
    http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/TODO?view=markup

    Unfortunately the TODO list is rather long; this is one of the more complicated items (months of work), and none of the past donors mentioned interest in this. Using donations to fund work is still work in progress, though. Obviously some users are interested.

    #16 will require the client to accept Privoxy's certificates (at least for some sites), so it should only affect users who agree to this (or ignore browser warnings). Therefore I personally don't consider this breaking the TLS/SSL layer, but others might.

  • Fabian Keil, 2014-07-03

    Please ignore the bold font used for the last paragraph, apparently leading #'s are silently discarded and treated as markup now. Awesome.

    Migrating to a request tracker that works as expected is on the TODO list as well ...