coova / coova-chilli

CoovaChilli is an open-source software access controller for captive portal hotspots.

Option postauthproxyssl #203

Closed lferrarotti74 closed 8 years ago

lferrarotti74 commented 8 years ago

Hi everyone, I saw that it could be possible to use this option also for "Send SSL to upstream transparent proxy". Actually I have coova 1.3.1-svn running and working with an upstream proxy for everything related to HTTP traffic. If I enable it, all the HTTPS traffic is dropped. If I disable it, all the SSL traffic goes through to the internet directly without using the proxy. I already made some tests with and without the option redirssl, but without success. Any kind of advice on how to use it in a correct way would be appreciated. The environment is OpenWRT CC based, using privoxy (3.0.24). Thanks and Regards, Luca

gbaligh commented 8 years ago

I think that with "Transparent Proxy" you need to create SSL certificates. In fact, I think that coova-chilli will act as the endpoint of the HTTPS connection for local hosts, and it will act as the originator of HTTPS connections with the proxy. And so, it will need certificates to be able to encrypt/decrypt all traffic. Did you try this?

lferrarotti74 commented 8 years ago

Thanks for your explanation. Actually I already set these parts in the coova-chilli configuration:

```
postauthproxy '192.168.xxx.xxx'
postauthproxyport '3128'
postauthproxyssl
redirssl
sslcafile /etc/chilli/ca.pem
sslcertfile /etc/chilli/cert.pem
sslkeyfile /etc/chilli/key.pem
```

For the HTTP connection, as told before, everything is OK. When testing an HTTPS website, no page is loaded, and during a debug session I was able to see:

```
local6.debug coova-chilli[19326]: dhcp.c: 2758: rewriting packet for post-auth proxy 192.168.xxx.xxx:3128
```

These debug logs are present during both HTTP and HTTPS sessions. Enabling debug on the upstream proxy as well, nothing appears there during HTTPS. It seems that the HTTPS packets remain at the coova-chilli level, but no errors are visible. I do not know if it is also correct that, in debug mode, nothing about the option postauthproxyssl is visible. Any suggestion and/or modification to the config file will be well accepted.
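As an added example (not code from the thread or from the coova-chilli project), the following Python checker parses the flat option list posted above and reports the misconfigurations that gbaligh's explanation would predict: `postauthproxyssl` without a proxy address/port, or a TLS-terminating option (`postauthproxyssl`, `redirssl`) without a readable certificate and key. That dependency between the TLS options and `sslcertfile`/`sslkeyfile` is an assumption taken from the comment, not from chilli's documentation; the sample config is constructed from the thread.

```python
import os

# Constructed sample: the options quoted in the thread, one per line in the
# "key value" form of a chilli config file. Values are kept as the poster gave them.
SAMPLE_CONFIG = """\
postauthproxy '192.168.xxx.xxx'
postauthproxyport '3128'
postauthproxyssl
redirssl
sslcafile /etc/chilli/ca.pem
sslcertfile /etc/chilli/cert.pem
sslkeyfile /etc/chilli/key.pem
"""

# Assumption (from gbaligh's comment): any option that makes chilli terminate
# or originate TLS needs a certificate and private key to be configured.
TLS_FEATURES = ("postauthproxyssl", "redirssl")
TLS_FILES = ("sslcertfile", "sslkeyfile")


def parse_chilli_config(text):
    """Return {option: value}; bare flag lines (no value) map to True."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        val = val.strip().strip("'\"")
        opts[key] = val if val else True
    return opts


def check_ssl_proxy_config(opts, file_exists=os.path.isfile):
    """Return a list of findings that would explain HTTPS stalling at chilli."""
    findings = []
    if "postauthproxyssl" in opts:
        for dep in ("postauthproxy", "postauthproxyport"):
            if dep not in opts:
                findings.append(f"postauthproxyssl set but {dep} is missing")
    if any(f in opts for f in TLS_FEATURES):
        for f in TLS_FILES:
            if f not in opts:
                findings.append(f"{f} is required by a TLS option but not set")
            elif not file_exists(opts[f]):
                findings.append(f"{f} points to a missing file: {opts[f]}")
    return findings


if __name__ == "__main__":
    for finding in check_ssl_proxy_config(parse_chilli_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it on the real config and with the real file paths; an empty result means the options are at least internally consistent, so the next step is the proxy side rather than the chilli config.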

gbaligh commented 8 years ago

postauthproxyssl is used just before the log message you gave before.