Blocked HTTPs error page

webfilter
v7

(khaled sadek) #1

NethServer Version: 7
Module: webproxy web filter

For blocked HTTPS, the error page is a "certificate invalid" error. Is there any way to change it to the blocked message, as for blocked HTTP traffic?


(Giacomo Sanchietti) #2

The certificate is valid but the browser can display it as invalid because it is redirected from another site.

Example:

There is no solution for it.


(Michael Träumner) #3

What about creating a dynamic (fake) certificate for the site which should be redirected? This method is used in the "old" transparent squid with ssl bump.


(Giacomo Sanchietti) #4

You will still have the same issue if the client doesn’t have the fake CA certificate installed.

Thus, the actual implementation has this issue only for certain sites (IIRC it is something related to HSTS).
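An added example, not code from the thread or from NethServer, that illustrates the behaviour described above: the browser asked for one host name but the TLS handshake was answered with the block page's certificate, so the name check fails; on an HSTS host the browser additionally refuses the "proceed anyway" click-through. Host names, SANs and the HSTS table are constructed for the example.

```python
"""Model the browser's decision when a transparent proxy answers an HTTPS
request with the block page's own certificate.  Added example; the host
names, SAN lists and HSTS table below are constructed, not real data."""


def san_matches(pattern, hostname):
    """RFC 6125-style DNS name match: exact, or one leftmost '*' label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard covers exactly one label and may not match a bare TLD.
    return (len(p_labels) == len(h_labels)
            and len(h_labels) > 2
            and p_labels[1:] == h_labels[1:])


def cert_covers(hostname, sans):
    """True if any subjectAltName DNS entry covers the requested host."""
    return any(san_matches(san, hostname) for san in sans)


def hsts_applies(hostname, hsts_policy):
    """hsts_policy maps a host to its includeSubDomains flag."""
    host = hostname.lower()
    for policy_host, include_subdomains in hsts_policy.items():
        if host == policy_host:
            return True
        if include_subdomains and host.endswith("." + policy_host):
            return True
    return False


def browser_outcome(requested_host, presented_sans, hsts_policy):
    """'ok': page loads.  'warning': cert error, user may click through
    and then sees the block page.  'hard-fail': HSTS host, no click-through,
    so the block page is never displayed."""
    if cert_covers(requested_host, presented_sans):
        return "ok"
    if hsts_applies(requested_host, hsts_policy):
        return "hard-fail"
    return "warning"


if __name__ == "__main__":
    # Constructed scenario: block page served from 'blockpage.lan'.
    hsts = {"facebook.com": True}
    for host in ("www.facebook.com", "www.ryanair.com", "blockpage.lan"):
        print(host, "->", browser_outcome(host, ["blockpage.lan"], hsts))
```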


(Michael Träumner) #5

Hi Giacomo,
thanks for your answer.

I think the client expects a certificate from the site you want to open, for example GMX. The GMX certificate is at an online certificate server, so your browser knows this certificate. Does the browser notice the difference between the fake and the original?

Why does it work with full decryption with ssl-bump?


#6

I'm planning to make some tests with a transparent proxy and HTTPS (and WCCP2)… this problem is still present, right?
What if I use as redirect page an internal server with a valid cert (I need it to customize the error page)? If I understand correctly, I will always have the cert error, right?

Thanks


(Giacomo Sanchietti) #7

I can answer yes to both questions, but I never encountered such a problem after months of transparent SSL proxy with blocking filter :wink:


#8

An enigmatic answer :thinking: :relaxed:
I have tried to set up the proxy and yes, I have the cert error on HSTS sites (like facebook) but also on other HTTPS sites like ryanair.com (I must accept the cert and continue to see the block page) or other sites inserted in the blacklist.
All is working as expected with HTTP, so I don't think it's a problem with WCCP2, which seems to work (at least at L2; then I will test with the GRE config).
From what I understand this problem should always be present, so the question is: why don't you have such a problem? :grin:


(Giacomo Sanchietti) #9

Probably because we have very few blocked sites, like advertising and maybe p2p.

Sometimes I see the red page inside some sites where advertising banners are blocked.