Thank you Tom. I'd seen that there were various guides around for using
Squid as an intercepting proxy, but I don't want to crack open the ssl,
and anyway, since I can't find how to make Alexa use a proxy, I'm not
sure it'd be any easier to find its certificate store in order to inject
a squid certificate.

All I want to do is get Shorewall (or something running on the Shorewall
server) to field 443 connections and insert an http CONNECT verb before
relaying all subsequent traffic to the school proxy. If Shorewall
doesn't itself offer such a function I presume I could use it to DNAT
https to localhost and set up a Perl script to listen on localhost:443
then open an onward connection to the school proxy, inserting the
CONNECT verb before the outgoing traffic. Unless I've totally
misunderstood how an https proxy works.

Simply injecting the CONNECT verb before starting the ssl negotiation
must be pretty much what a browser on the school network does since the
school proxy doesn't require the installation of a certificate and
doesn't intercept ssl traffic.

Regards - Philip

On 10/06/2017 17:14, Tom Eastep wrote:
> On 06/09/2017 02:43 PM, Philip Le Riche wrote:
> > A student at school is working on getting Alexa working on a
> > Raspberry Pi. I've done it on one of my Pis and it works at home,
> > but not at school, I think because of the school web proxy. There
> > seems to be a paucity of information about proxy settings for
> > Alexa, and it doesn't appear to respect the system proxy settings
> > in /etc/environment.
>
> > The Pi network is behind a Shorewall firewall to protect the
> > school network. So in a flash of inspiration, I thought I could
> > simply DNAT the http requests hitting Shorewall as default gateway,
> > so automatically redirecting them to the school proxy. That works
> > for http, but not for https.
>
> > After a little bit of digging to find out how a proxy functions
> > for https it became obvious that a simplistic DNAT couldn't work.
> > It seems that a browser, knowing that it's going through a browser,
> > first sends an unencrypted http CONNECT command before negotiating
> > the ssl tunnel.
>
> > But would it be possible to somehow configure Shorewall, on receipt
> > of a tcp:443 connection request, to inject the CONNECT command into
> > the stream before starting to relay the ssl dialogue, quoting the
> > pre-DNAT destination ip address? How (in outline) could you achieve
> > that?
>
> See
> http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https
>
> -Tom
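As an added illustration of the relay Philip sketches above (DNAT/REDIRECT tcp/443 to a local listener that recovers the pre-NAT destination, sends a plaintext CONNECT to the upstream proxy, then shuffles the TLS bytes unchanged), here is a minimal version in Python rather than the Perl he mentions. This is example code written for this page, not something posted on the list or shipped with Shorewall. It assumes Linux (the pre-NAT address comes from netfilter's SO_ORIGINAL_DST socket option), a Shorewall rule of the shape `REDIRECT loc 8443 tcp 443` in /etc/shorewall/rules so forwarded HTTPS lands on the listener, and placeholder values for the school proxy's host and port.

```python
"""Transparent HTTPS -> HTTP CONNECT relay (illustrative example, not list code).

Assumptions not taken from the thread: Shorewall redirects forwarded tcp/443 to
LISTEN_PORT on this host, the explicit proxy lives at PROXY_HOST:PROXY_PORT
(placeholders), and we run on Linux so SO_ORIGINAL_DST is available.
"""
import socket
import struct
import threading

LISTEN_PORT = 8443
PROXY_HOST = "proxy.school.example"  # placeholder, not a real proxy
PROXY_PORT = 3128                    # placeholder
SO_ORIGINAL_DST = 80                 # value from <linux/netfilter_ipv4.h>


def parse_sockaddr_in(raw):
    """Decode struct sockaddr_in: 2-byte family, 2-byte port (network order), 4-byte IPv4."""
    port, addr = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(addr), port


def original_destination(conn):
    """Ask netfilter where the client was really going before REDIRECT/DNAT rewrote it."""
    return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def build_connect_request(host, port):
    """The plaintext preamble a browser sends to an explicit proxy before TLS begins."""
    target = "%s:%d" % (host, port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target)).encode("ascii")


def parse_connect_response(buf):
    """Return (accepted, leftover) for the proxy's reply to CONNECT.

    accepted is None while the header block is incomplete, True on any 2xx
    status, False otherwise. leftover is whatever followed the blank line:
    on success those are already tunnel bytes and must reach the client.
    """
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None, buf
    parts = buf[:end].split(b"\r\n", 1)[0].split()
    accepted = len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1][:1] == b"2"
    return accepted, buf[end + 4:]


def pump(src, dst):
    """Copy bytes one way until EOF or error, then tear down both sockets."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle(client):
    """One redirected HTTPS connection: CONNECT to the proxy, then relay blindly."""
    ip, port = original_destination(client)
    upstream = socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=10)
    upstream.sendall(build_connect_request(ip, port))
    buf, accepted = b"", None
    while accepted is None:
        chunk = upstream.recv(4096)
        if not chunk:
            break
        accepted, buf = parse_connect_response(buf + chunk)
    if not accepted:           # proxy refused (e.g. 403) or hung up: drop the client
        client.close()
        upstream.close()
        return
    upstream.settimeout(None)
    if buf:                    # early tunnel bytes the proxy already forwarded
        client.sendall(buf)
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)     # TLS passes through untouched; nothing is decrypted here


def serve():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", LISTEN_PORT))
    srv.listen(64)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two points worth knowing before relying on this: the relay never sees a hostname, because the only thing the client puts on the wire before TLS is the destination IP, so the CONNECT names an IP literal, and a proxy that applies its policy by hostname may refuse those; and the proxy's 2xx reply is checked before any bytes are forwarded, so a refusal surfaces as a reset to the client rather than a half-open tunnel. REDIRECT to a port on the firewall itself is preferable to DNATing forwarded traffic to 127.0.0.1, which the kernel will not route without extra sysctl changes.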


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
