
MITM Filtering HTTPS

Philip Pearce edited this page Jan 4, 2021 · 1 revision

Overview

The SSL MITM option allows https sites to be content checked.

HTTPS interception can be configured per group.

If a site is banned the user gets the normal block page, full HTTPS URLs are logged, individual HTTPS URLs can be whitelisted when the site as a whole is banned, and page content can be content checked.

The biggest hurdles are that the private root CA certificate has to be installed in every browser before MITM is usable, and that the server needs more processing power to decrypt and re-encrypt the traffic.

Please Note: In versions before v5 SSL MITM is ONLY available in IMPLICIT PROXY mode (the browser is configured to use e2guardian as its proxy). Redirecting port 443 to the e2guardian port will NOT WORK. If you want your users to have a 'transparent' service you should set up a method of automatic proxy detection, such as WPAD. Even in v5, which has a transparent proxy mode for https, setting up automatic proxy detection is a good idea, as implicit proxy mode is preferable to transparent mode.

Also the openssl version must support SNI and X509_V_FLAG_TRUSTED_FIRST for certificate checking to work correctly with the Mozilla CA bundle. Generally openssl v1.0.2 or later is required, although on some distributions these features have been back-ported to v1.0.1. A minimum of openssl v1.1.0 will be required from e2g v5.5 onwards.

How it works

The client's request is intercepted and e2guardian completes the TLS handshake with the client itself, presenting a spoofed certificate for the target site that it has signed with its own root CA. A separate encrypted connection is then made to the real target server (whose certificate is checked, see mitmcheckcert below). The decrypted HTTP stream between the two connections is filtered as normal before being re-encrypted in each direction.

How to set MITM up

Before you proceed any further please make sure that your E2G installation is compiled with sslmitm support otherwise it just won't work. To check you can run e2guardian -version and in the output look for --enable-sslmitm=yes. If you cannot see that then your e2guardian installation does not support SSL traffic interception.

Generating the necessary SSL certs

You can place all the certificates wherever you'd like, but make sure they are not exposed, especially the private keys: anyone holding the root CA private key can issue certificates for any site that your clients will trust. /etc/e2guardian/private is a good default (note you will have to create the dir yourself; the exact location depends on your install prefix, so adjust the paths in the config example below to match).

  1. Generate a key for the root CA: openssl genrsa 4096 > private_root.pem
  2. Generate the root CA certificate: openssl req -new -x509 -days 3650 -key private_root.pem -out my_rootCA.crt
  3. Create a DER format version of the root certificate (some browsers import DER more easily than PEM): openssl x509 -in my_rootCA.crt -outform DER -out my_rootCA.der
  4. Generate a key for use with upstream SSL connections: openssl genrsa 4096 > private_cert.pem
  5. Create a directory called generatedcerts to store the generated certificates. This directory must be writable by the e2guardian user
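The following script is an added example, not e2guardian's own code. It carries out the five steps above with explicit extensions so the result does not depend on the system openssl.cnf, and then illustrates the "How it works" section by minting the kind of spoofed per-site certificate e2guardian stores under generatedcerts (signed by my_rootCA.crt, carrying the private_cert.pem key pair, with a subjectAltName for the host). Two checks follow: the one a client that has imported the root CA performs, and the one a client without it performs (which fails, the browser warning described below). The root CA subject name, the 30-day leaf lifetime and the use of private_cert.pem as the leaf key are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not e2guardian code): MITM root CA, upstream key and a
# spoofed per-site certificate, the way the wiki steps describe them.
set -eu

# make_root_ca DIR [BITS]: steps 1-5 of the wiki, with restrictive permissions.
make_root_ca() {
    dir=$1; bits=${2:-4096}
    mkdir -p "$dir/generatedcerts"          # step 5 (chown to the e2guardian user in production)
    chmod 700 "$dir"
    openssl genrsa -out "$dir/private_root.pem" "$bits" 2>/dev/null    # step 1
    # Explicit CA extensions: CA:TRUE + keyCertSign is what lets clients
    # accept leaf certificates signed by this key.
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        '[dn]' 'CN = e2guardian MITM root CA (assumed name)' \
        '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
        > "$dir/root.cnf"
    openssl req -new -x509 -days 3650 -key "$dir/private_root.pem" \
        -config "$dir/root.cnf" -out "$dir/my_rootCA.crt"             # step 2
    openssl x509 -in "$dir/my_rootCA.crt" -outform DER -out "$dir/my_rootCA.der"   # step 3
    openssl genrsa -out "$dir/private_cert.pem" "$bits" 2>/dev/null    # step 4
    chmod 600 "$dir/private_root.pem" "$dir/private_cert.pem"
}

# mint_site_cert DIR HOST: the spoofed leaf certificate for HOST that the
# proxy presents to the client, signed by the root CA (assumption: the leaf
# carries the private_cert.pem key pair). Stored under generatedcerts/.
mint_site_cert() {
    dir=$1; host=$2; out="$dir/generatedcerts/$host"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' '[dn]' "CN = $host" > "$out.cnf"
    # Leaf extensions: browsers require the host name in subjectAltName.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$host" > "$out.ext"
    openssl req -new -key "$dir/private_cert.pem" -config "$out.cnf" -out "$out.csr"
    openssl x509 -req -days 30 -in "$out.csr" \
        -CA "$dir/my_rootCA.crt" -CAkey "$dir/private_root.pem" -CAcreateserial \
        -extfile "$out.ext" -out "$out.crt" 2>/dev/null
}

# verify_site_cert DIR HOST [NAME]: what a client that has imported
# my_rootCA.crt checks when it connects to NAME (defaults to HOST) and is
# shown the generated certificate for HOST. Exit status 0 means accepted.
verify_site_cert() {
    openssl verify -CAfile "$1/my_rootCA.crt" -verify_hostname "${3:-$2}" \
        "$1/generatedcerts/$2.crt" >/dev/null
}

# site_cert_is_untrusted DIR HOST: succeeds when a client WITHOUT the root CA
# rejects the generated certificate, i.e. the "connection is not safe" case.
site_cert_is_untrusted() {
    ! openssl verify "$1/generatedcerts/$2.crt" >/dev/null 2>&1
}

# Usage:
#   make_root_ca /etc/e2guardian/private
#   mint_site_cert /etc/e2guardian/private www.example.com
#   verify_site_cert /etc/e2guardian/private www.example.com && echo accepted
```

The script only writes files; it does not touch e2guardian's configuration. The per-site minting step is shown to make the trust chain concrete: the client accepts the spoofed certificate solely because it has imported my_rootCA.crt, and a name mismatch (verify_site_cert with a different NAME) or a missing root is rejected exactly as a browser would reject it.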

Configuring E2G

To get MITM to work you need to configure it in the main config file, e2guardian.conf, and then enable it in the group config file, e2guardianfN.conf (e2guardianf1.conf for group 1, and so on). The paths below must point at the files you created in the previous section:

cacertificatepath = '/usr/local/etc/e2guardian/private/my_rootCA.crt'
caprivatekeypath = '/usr/local/etc/e2guardian/private/private_root.pem'
certprivatekeypath = '/usr/local/etc/e2guardian/private/private_cert.pem'
generatedcertpath = '/usr/local/etc/e2guardian/private/generatedcerts'

To enable MITM for a specific group set sslmitm = on in that group's e2guardianfN.conf file.

A note about sslcertcheck, not to be confused with mitmcheckcert. sslcertcheck is only used when MITM is off: it connects via the proxy to check the target host's certificate and aborts the client connection if the check fails. mitmcheckcert is on by default in MITM mode: it checks the target host's certificate when the SSL connection to the target is made, which happens after e2g has already established an SSL session with the browser, so if the check fails a block page giving the reason is returned to the user instead of a bare connection failure.

Filtering lists and MITM

Sites in the exception lists are treated in the same way as before (i.e. NOT decrypted), so sites dealing with sensitive information that should not be intercepted (e.g. bank finance, account logins, etc.) and other sites deemed 'safe' can be made exempt from being examined.

You may notice a list called bannedsslsites; to be clear, that list's job is to block SSL sites (i.e. refuse the CONNECT) when MITM is not enabled.

To get MITM to work make sure ssllegacylogic = off is set in e2guardianfN.conf (this is the default).

Also, if onlymitmsslgrey = 'on' then only sites in the greysslsitelist will be MITM'd. This may be useful if you have limited processing power on your system.

Browser setup

Because a connection is intercepted and re-encrypted with a certificate issued by your own root CA, which the browser does not know, browsers will throw an error that the connection is not safe. To fix this all clients will need to install and trust your root CA certificate.

To do this you need to make available the my_rootCA.crt and my_rootCA.der you created earlier in the process. These can be copied to a local web server for users to download. Distribute only the certificate files, never the private keys, and make sure clients obtain them from a location they can trust.

If you have any problems

See notes/certificate_errors for some errors that can occur with certificates when using MITM.