OpenWrt Forum Archive

Topic: Filter HTTPS traffic with Tinyproxy

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have a TP-Link TL-WR1043ND router running OpenWrt Backfire 10.03.1. I have installed Tinyproxy and can deny web requests to certain websites based on URL or regular expression. My filter file contains the following:

.*google.*imghp.*
.*google.*tbm=isch.*

This blocks all Google image search results. However, it's super easy to bypass the filter by using HTTPS instead of HTTP.

I've read this question on SuperUser, which suggests to me that it is possible to block a web request using HTTPS based solely on the URL. However, adding https://www.google.com to my filter file doesn't block it at all.

I had a hunch this had something to do with the "ConnectPort" option in Tinyproxy, so I removed port 443 from the list to no effect.

I understand that HTTPS traffic is encrypted, so typically a proxy can't do anything about it. However, the Tinyproxy website clearly states that it has HTTPS support:

Tinyproxy allows forwarding of HTTPS connections without modifying traffic in any way through the CONNECT method (see the ConnectPort directive).

Unfortunately, the documentation on Tinyproxy is extremely sparse.

Manpages are the primary documentation for Tinyproxy. After installing Tinyproxy, run the following command to see its manpages:

man tinyproxy tinyproxy.conf

The Tinyproxy manpages have very little to say about the ConnectPort directive:

ConnectPort

This option can be used to specify the ports allowed for the CONNECT method. If no ConnectPort line is found, then all ports are allowed. To disable CONNECT altogether, include a single ConnectPort line with a value of 0.

So how can I achieve what I want?

(Last edited by davidkennedy85 on 12 Jan 2013, 08:41)

Here are my firewall rules, if anyone is interested:

firewall.@redirect[0]=redirect
firewall.@redirect[0].name=Transparent Proxy Redirect
firewall.@redirect[0].src=lan
firewall.@redirect[0].proto=tcp
firewall.@redirect[0].dest_port=3128
firewall.@redirect[0].src_dport=80
firewall.@redirect[0].src_dip=!192.168.1.1
firewall.@redirect[0].dest_ip=192.168.1.1

I followed these directions to set up Tinyproxy to run transparently, but even when it wasn't transparent it didn't filter HTTPS traffic. 3128 is the port the Tinyproxy is listening on.

I tried changing the src_dport to 443, which caused any HTTPS requests to return a ssl_error_rx_record_too_long error in the browser.

It would appear the Tinyproxy build that runs on OpenWrt does not have SSL support:

root@OpenWrt:~# ldd $(which tinyproxy)
        libresolv.so.0 => /lib/libresolv.so.0 (0x2aabe000)
        libnsl.so.0 => /lib/libnsl.so.0 (0x2aacf000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2aae0000)
        libc.so.0 => /lib/libc.so.0 (0x2ab00000)
        ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0x2aaa8000)

I learned on #openwrt that there should be a reference to libcrypto.so or libssl.so.

davidkennedy85 wrote:

Here are my firewall rules, if anyone is interested:

firewall.@redirect[0]=redirect
firewall.@redirect[0].name=Transparent Proxy Redirect
firewall.@redirect[0].src=lan
firewall.@redirect[0].proto=tcp
firewall.@redirect[0].dest_port=3128
firewall.@redirect[0].src_dport=80
firewall.@redirect[0].src_dip=!192.168.1.1
firewall.@redirect[0].dest_ip=192.168.1.1

I followed these directions to set up Tinyproxy to run transparently, but even when it wasn't transparent it didn't filter HTTPS traffic. 3128 is the port the Tinyproxy is listening on.

I tried changing the src_dport to 443, which caused any HTTPS requests to return a ssl_error_rx_record_too_long error in the browser.

You'are redirecting all traffic to all websites to Tinyproxy, that causes "any HTTPS requests to return a ssl_error_rx_record_too_long error". Your firewall rule should redirect only traffic to Google.
However, because Tinyproxy in transparent mode (which receives traffic to it via firewall, not via browser config) cannot parse HTTPS URL, this means all Google's sites are blocked.

davidkennedy85 wrote:

It would appear the Tinyproxy build that runs on OpenWrt does not have SSL support:

I learned on #openwrt that there should be a reference to libcrypto.so or libssl.so.

Yes, to fit in a small flash memor, OpenWrt have to remove SSL support in its default build. However, it is possible to rebuilt with SSL support (but I haven't try with Tinyproxy yet, just LuCi).

Anyway, rebuilding Tinyproxy with SSL support does not mean it works in your use case. SSL-supporting Tinyproxy only work with HTTTPS via browser config, not as transparent proxy.

The discussion might have continued from here.