5

I'd like to force HTTP(S) traffic to certain websites from my home network through a proxy running on a VPS.

I installed tinyproxy on the VPS, running on port 8080. On my computer I'm running

sudo ssh -i /home/user/.ssh/id_rsa -nNT -L 80:localhost:8080 -L 443:localhost:8080 remoteuser@vps

to access the proxy locally. When I configure localhost:80 as a proxy in Firefox's settings everything works fine (HTTP and HTTPS).

But as I don't want all traffic to go through that proxy, I added this to my PC's /etc/hosts:

127.0.0.1     server.example

server.example is the name of a webserver configured for both HTTP and HTTPS.

Accessing http://server.example works, while opening https://server.example in Firefox fails with the error

SSL_ERROR_RX_RECORD_TOO_LONG

Also curling the page over HTTPS fails:

curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

As far as I understand this issue is caused by tinyproxy responding to the HTTPS request with plain HTTP.

First, is it theoretically possible to implement what I want? Those so-called "Smart DNS" services seem exactly to do that.

Is this problem caused by my setup or is tinyproxy rather not able to do that? Is there a different proxy server which is capable of that?

EDIT: At the moment I'm running the SSH tunnel on my PC and the DNS modification is also locally, but I'd like to deploy this on my router later, so that the traffic from any device of my network goes through this proxy.

EDIT2: As @SteffenUllrich wrote in the comments, when HTTPS is routed over an HTTP proxy, the client first sends an unencrypted CONNECT request before the handshake happens. See here (SSH tunnel to VPS is running on 10.0.5.4):

https://i.sstatic.net/Hh5WL.png

This is necessary, because else the proxy wouldn't be able to determine to which server the request should be forwarded to.

But how exactly do those "Smart DNS" proxy servers work? (For general information see here)

Because they do not need CONNECT requests, they seem to be working without. But how can they determine the server the request should be forwarded to? Here's a dump of an HTTPS connection using such a "Smart DNS" proxy (IP is 37.x.x.x). (The DNS is manipulated to point to that proxy):

https://i.sstatic.net/NzDrX.png

So, how does this work? And furthermore, is there a way to achieve that on my VPS (maybe not with Tinyproxy, but with other software)?

6
  • I think you are looking into the wrong direction. Have a look at dynamic proxy configuration using PAC files instead, which allows you to specify different proxies (or direct connection) for different targets. See en.wikipedia.org/wiki/Proxy_auto-config#The_PAC_File Commented Nov 15, 2017 at 16:49
  • PAC/WPAD seems quite complex to me. Some clients don't support the DHCP configuration for WPAD, on Android the PAC file needs to be specified manually, some other clients may not support PAC at all. So I would first try to get the DNS thing working. But if that did not work, I would go for PAC/WPAD.
    – tr01
    Commented Nov 15, 2017 at 18:07
  • If I understand your question correctly you are trying to configure a single browser on a single machine to use a proxy in some cases and not a proxy in others. In this case a local PAC file (i.e. file:///...) should be sufficient. Commented Nov 15, 2017 at 18:30
  • And as for the error message: tinyproxy is an HTTP proxy and expects HTTP proxy requests, not plain HTTP traffic. This means in case of HTTPS it expects a CONNECT request first to create a tunnel instead of directly starting with the TLS handshake. In order to speak the expected proxy protocol it is not enough to configure DNS but you must have the browser configured to use a proxy. Commented Nov 15, 2017 at 18:33
  • Sorry @SteffenUllrich, my question was unclear. Furthermore, I have put my comments into the original question
    – tr01
    Commented Nov 15, 2017 at 20:09

2 Answers

1

Looks like tinyproxy won't really transparently proxy HTTPS connections, the client has to use the CONNECT method which means it has to be set up to use the proxy.

You cannot transparently proxy HTTPS without installing a MITM certificate anyway, otherwise each access will give you certificate errors or fail due to that reason.

You probably need something more sophisticated like squid.

1
  • What do you exactly mean with MITM certificate? A self-signed one for any site the proxy forwarded? But that would cause certificate errors on my client, right?
    – tr01
    Commented Nov 15, 2017 at 19:52
0

But how exactly do those "Smart DNS" proxy servers work? They do not need CONNECT requests, they seem to be working without.

I think these Smart DNS proxies work by extracting the target domain from the HTTP request for plain HTTP. For HTTPS they probably extract the domain from the SNI TLS extension in the ClientHello message at the start of the TLS handshake.

A similar setup could be built for example with the squid proxy. This proxy can be configured to be used as transparent proxy at the central router. Since all clients use this router as gateway to the internet the traffic on the relevant ports (80,443 for http and https) can be redirected to the proxy with packet filter rules, i.e. no special DNS setup is needed.

The proxy then can extract the real target from the HTTP header (plain HTTP) or the ClientHello (HTTPS) without breaking the SSL encryption - see squid:SSL Peek And Splice for details. The squid proxy can also be configured to have different upstream proxies (like your VPS) or direct connection depending on the target.
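As an added illustration of the extraction step this answer describes (example code written for this page, not from the answer or from squid): a small Python parser that pulls the target host out of whatever the client sends first, the Host header for plain HTTP or the SNI extension of a TLS ClientHello for HTTPS. The ClientHello builder only constructs a sample input, and names like `target_of` are this example's own.

```python
import struct

# Constructed sample input: a minimal TLS 1.2 ClientHello that carries an SNI
# extension for `host`. Only the fields a SNI parser walks over are filled in.
def build_client_hello(host: str) -> bytes:
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # type host_name
    sni = struct.pack("!H", len(entry)) + entry                  # server_name list
    ext = struct.pack("!HH", 0, len(sni)) + sni                  # extension type 0
    body = (b"\x03\x03" + b"\x00" * 32                           # version, random
            + b"\x00"                                            # no session id
            + b"\x00\x02\xc0\x2f"                                # one cipher suite
            + b"\x01\x00"                                        # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body       # ClientHello header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record header

def sni_from_client_hello(data: bytes):
    """Return the SNI host_name from a TLS ClientHello record, else None."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None                         # not a handshake record / ClientHello
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    p = 4 + 2 + 32                          # skip handshake header, version, random
    try:
        p += 1 + hs[p]                                          # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]            # cipher suites
        p += 1 + hs[p]                                          # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            if etype == 0:                  # server_name: list len, type, len, name
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error):
        pass                                # truncated or malformed hello
    return None

def target_of(first_bytes: bytes):
    """('tls', sni) for a ClientHello, ('http', host) for a plain request, else None."""
    sni = sni_from_client_hello(first_bytes)
    if sni:
        return ("tls", sni)
    head = first_bytes.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if head and head[0].startswith((b"GET ", b"POST ", b"HEAD ", b"CONNECT ")):
        for line in head[1:]:
            key, _, val = line.partition(b":")
            if key.strip().lower() == b"host":
                return ("http", val.strip().decode("ascii"))
    return None
```

A proxy that classifies the first bytes this way never answers a TLS record with an HTTP response, which is the mismatch behind the SSL_ERROR_RX_RECORD_TOO_LONG the question shows.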
