#1603 Blocking intercepted HTTPS domains?

closed
5
2014-07-03
2013-11-05
No

Hi,

I'm currently trying to intercept all HTTP and HTTPS requests that go over my server and redirect them to Privoxy for filtering.
This works fine for HTTP requests with the following iptables rule:
iptables -A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 8118

However when I tried to redirect HTTPS requests as well via
iptables -A PREROUTING -p tcp -m tcp -i eth0 --dport 443 -j REDIRECT --to-ports 8118

I can't connect to any HTTPS website at all, not only those that I blocked (I understand from browsing through the reports that only the hostname can be blocked, not the path).
However when I enter the configuration in my client's browser(s) manually, it works fine (same browser that I used when testing the redirection).

Any ideas why this could fail?

I'm using Privoxy 3.0.19 on a Debian 7.2 system.

Help much appreciated!
John

Discussion

  • Anonymous - 2013-11-05
    • labels: --> configuration
     
  • Fabian Keil

    Fabian Keil - 2013-11-06

    The accept-intercepted-requests directive currently only works for HTTP:
    http://www.privoxy.org/user-manual/config.html#ACCEPT-INTERCEPTED-REQUESTS

    Supporting HTTPS interception is on the TODO list.

    In the meantime you might want to have a look at Squid, which already supports it.

     
  • Fabian Keil

    Fabian Keil - 2013-11-06
    • assigned_to: nobody --> fabiankeil
    • status: open --> pending
     
  • Anonymous - 2013-11-06

    Thanks for the quick feedback!
    Squid is a little heavy for my needs, but I'll see if I can find another way until the new implementation is done.

    John

     
  • Anonymous - 2013-11-06
    • status: pending --> closed
     
  • Rob

    Rob - 2014-07-02

    Hi Fabian and all,
    Firstly, really enjoying using privoxy, great work! However I think I'm having the same issue here.
    I've enabled "accept-intercepted-requests" in my config to allow me to use my router to NAT port 80 to my privoxy server, and it now works nicely for HTTP. However if I NAT port 443 in the same way, no HTTPS websites work.

    Further up in this thread post:
    http://sourceforge.net/p/ijbswa/support-requests/1603/#34d1
    you mention that its on the TODO list.. please do you have any update on that?

    Is this a privoxy limitation, or is it perhaps on purpose because doing so would break the SSL layer?

    Many thanks
    Rob

     
  • Fabian Keil

    Fabian Keil - 2014-07-03

    It's still on the TODO list (#16):
    http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/TODO?view=markup

    Unfortunately the TODO list is rather long, this is one of the more complicated items (months of work) and none of the past donors mentioned interest in this. Using donations to fund work is still work in progress, though. Obviously some users are interested.

    16 will require the client to accept Privoxy's certificates (at least for some sites), so it should only affect users who agree to this (or ignore browser warnings). Therefore I personally don't consider this breaking the TLS/SSL layer, but others might.

     
  • Fabian Keil

    Fabian Keil - 2014-07-03

    Please ignore the bold font used for the last paragraph, apparently leading #'s are silently discarded and treated as markup now. Awesome.

    Migrating to a request tracker that works as expected is on the TODO list as well ...

     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks