On Tue, Jun 14, 2016 at 8:05 AM, Ted Wynnychenko <ted....@comcast.net> wrote:
> Hello
>
> For many years now I have been using a DNS black hole setup to stop http/https
> connections to blocked websites (well, any connection to those sites). This has
> worked well.
>
> Connections with http are routed to an IP on the internal network which returns
> a simple "blocked" web page.
>
> Connections with https come back to the browser complaining of a certificate
> error (clearly, the HTTPS certificate of the web-server at the redirected IP
> does not have a valid certificate for any blocked site).
>
> This really isn't a big deal; but as more sites have started using https, and as
> tools such as relayd and squid (and others?) have developed ways to "inject"
> https certificates on the fly, I am wondering if there is a way to create https
> certificates based solely on the requested URL in a connection attempt using an
> internal CA to avoid the certificate errors with blocked HTTPS connections?
>
> In other words, rather than having an "SSL-MITM" setup, where the proxy goes out
> and connects to the ultimate destination before responding to the client with a
> forged certificate; all I want is for the "proxy" to generate a certificate for
> the requested URL signed by a locally trusted CA, before returning a static
> "blocked" webpage.
>
> This (to me) seems simpler than what has already been accomplished with relayd.
>
> I have been looking at relayd, and I don't think it will do what I want (or, at
> least, I can't figure it out). I also have been unable to find anything else
> that will help me with this.
>
> Are there any tools available to do what I am looking for? Or, is there a way
> to setup relayd to accomplish this?
>
> Thanks
>
> [demime 1.01d removed an attachment of type application/x-pkcs7-signature
> which had a name of smime.p7s]
Not an answer, but an alternative: I use haproxy for this type of thing; configure SSL on haproxy, route bad actors to a different backend. SSL configuration doesn't have to change at all for this to work. Whether it will meet your needs or not I can't say, but nothing jumps out at me as a major blocker.
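As an added illustration of the arrangement the reply describes (this is not configuration from the thread or from haproxy's own docs), the sketch below terminates TLS on haproxy, matches the client's SNI against a list of blocked hostnames and sends those connections to a backend that only ever answers with a static "blocked" page; the certificate directory, list file, error page path and backend address are assumed.

```haproxy
# Added example, not from the original thread. Assumed paths:
#   /etc/haproxy/certs/          one PEM (key + chain) per served hostname
#   /etc/haproxy/blocked_hosts.lst  blocked hostnames, one per line
#   /etc/haproxy/blocked.http    full HTTP response (status line, headers, body)
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # A directory after "crt" loads every certificate in it; haproxy picks the
    # one whose names match the SNI the client sent, so routing to a blocked
    # backend needs no change to the TLS setup itself.
    bind :443 ssl crt /etc/haproxy/certs/

    # Exact, case-insensitive match of the SNI against the blocked list.
    acl blocked_site ssl_fc_sni,lower -m str -f /etc/haproxy/blocked_hosts.lst

    http-request set-header X-Forwarded-Proto https
    use_backend blocked if blocked_site
    default_backend web_servers

backend web_servers
    # Normal traffic; assumed internal address.
    server web1 10.0.0.10:80 check

backend blocked
    # No servers here on purpose: every request is refused locally and the
    # refusal is served from the static page instead of haproxy's default 403.
    errorfile 403 /etc/haproxy/blocked.http
    http-request deny
```

Note that haproxy can only present certificates that exist in that directory, so a blocked hostname with no matching certificate still produces the browser error the original poster wants to avoid; this covers the reply's case, where the proxy already fronts the relevant names, not on-the-fly issuance.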