Score:0

How to show an internal static page to a list of IP addresses?


I have an Ubuntu 22.04 server, a list of IP addresses of users on my local network, and I want to redirect HTTP/HTTPS traffic from this list to a local informative HTML page, similar to how a hotspot would. I have tried with apache2, squid, WPAD (DHCP option 252), and iptables, but I have not been able to. HTTPS does not redirect.

How do I do it?

vidarlo:
You have a long string of questions about blocking web content some way or other. This makes me wonder what your end goal is. Maybe it's better to ask for a solution to the *problem* you're attempting to solve, rather than a string of questions focusing on the bits and pieces that *you* think will give you a solution?
acgbox:
If there is any part of the question that I don't understand, I am happy to explain.
vidarlo:
Well, as I allude to: what is your end goal? What is your environment? What are your constraints? You've previously ruled out SSL Bump in squid, so how do you expect to be able to MITM content?
acgbox:
What is your end goal? That is described in the question (show the end user a static informative HTML page when the HTTPS block occurs). What is your environment? That is described in the question (Ubuntu 22.04). Regarding squid ssl-bump, it is not an alternative I can use. I would appreciate it if you asked about things that are not described in the question. Thanks in advance.
vidarlo:
Well, if ssl bump is not an alternative, what you ask is not possible. However, your end goal is probably to block web content for some reason; informing us of the bigger picture may lead to better solutions. As I wrote, you have a string of questions relating to blocking web content, and asking for the overall solution may give you solutions you don't know about.
Nikita Kipriyanov:
@acgbox: this is clearly an [XY problem](https://xyproblem.info/). You are constantly asking us about how to solve those Y problems. This "show the end user a static page" is a Y problem too. So, what is your X problem?
acgbox:
@NikitaKipriyanov My X problem is that I can't redirect the HTTPS requests (TCP 443) from the users to the static HTML page, neither with Apache nor with iptables. I don't mention squid because the answer is ssl-bump, and it is not a valid option for me. With HTTP requests (TCP 80) I have no problems. That's why I mention the hotspot, because according to what I've investigated it would be the only way out. Here is another option, doing it with WPAD (DHCP 252), but I tried it and it didn't work for me; maybe I did something wrong: https://stackoverflow.com/a/37757337/8747573
bjoster:
Easy answer: You *want* a captive portal (for a given ACL, for example), but with SSL ("let the portal answer, even if the request originates in SSL"). This is just not possible without breaking SSL (= issuing your "own" certificates for the given names, trustworthy only because of an ICA certificate rollout), like *some* enterprise captive portals do. And even then it's tough across all browsers.
vidarlo:
@acgbox Well, the answer is you *can't*, by design. Hotspots are not magic, but operating systems tend to probe an HTTP URL to detect captive portals. [Here's the documentation for how Firefox](https://support.mozilla.org/en-US/kb/captive-portal) solves this. But as mentioned by bjoster, it's a tough task, and you may be better served by actually employing a pre-made captive portal solution.
acgbox:
And the WPAD (DHCP 252) implementation? https://stackoverflow.com/a/37757337/8747573
vidarlo:
It won't help you. The browser will use your proxy. When your proxy responds with anything but 200 to a CONNECT request, the browser will show the browser's built-in error page.
Score:2

> iptables can't redirect ip:443 to another ip:port (where I have an apache2 virtualhost published with the info block page)

You could redirect the TCP/IP stream, but the browser will show a security warning, as you'll be unable to present a valid certificate.

> squid-cache only shows information in the browser when it is an HTTP page with "error page" (custom error pages not displayed for HTTPS) (for more information check here)

As you note, browsers don't show error pages for TLS; upon receiving anything but a 200 code, they show their own error message.

Almost all traffic today is TLS encrypted, and you can't view it or modify it. That is: You cannot claim you're example.com, nor can you redirect example.com to anything else.

Unless you have total control over the clients, and can install a new root certificate, you can't claim to be example.com.

> PS: In case there is some method to block and display a blocking page that allows HTTPS traffic (TCP 443) to go to this page, I would appreciate a detailed explanation with specific examples.

There is no such method that works with modern browsers, and that is not a mistake; it's a design feature of TLS. It's supposed to stop man-in-the-middle attacks, which is essentially what you're attempting to do.

So no, there is no method to achieve what you attempt to achieve. If there was, it'd be a major security problem.

acgbox:
That is exactly what I am stating with my question.
vidarlo:
It's also the answer to your question, even if you don't like the answer.
acgbox:
Well, actually, you're wrong. Yes, there are methods (I mentioned them in the question), but I can't apply them in my environment.
vidarlo:
Which methods? Is there *any* modern browser that allows downgrade or unsecured redirects? If so that's certainly a bug.
acgbox:
Updated the question. Negative vote retracted.
vidarlo:
First of all, completely changing the question after getting answers is generally a bad thing, as it makes the answers look strange. Second, the answer is still *not possible*, **by design**. HTTPS is *designed* not to allow anyone to replace content.
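As an added illustration of the mechanism vidarlo and bjoster describe (this is example code written for this page, not anything posted in the thread): a captive portal never intercepts HTTPS at all. It answers the plain-HTTP connectivity probes that operating systems send, redirects blocked clients' cleartext requests to the information page, and lets TLS connections fail on their own. Only the plain-HTTP side ever reaches code like this; a DNAT of port 443 to it would break in the TLS handshake before a single HTTP byte arrives, because the server cannot present a certificate for the host the browser asked for. The block list, portal URL and the probe table are assumptions for the example; the probe hosts and bodies are as commonly documented and are illustrative only.

```python
"""Minimal captive-portal style responder for plain HTTP (added example).

Shows why the HTTP half of a "block page" works and the HTTPS half cannot:
TLS clients never get past the handshake, so they never reach do_GET().
Run as a script to listen on 0.0.0.0:8080; DNAT port 80 from the blocked
IPs to it (iptables is out of scope here and is not shown).
"""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from ipaddress import ip_address, ip_network
from urllib.parse import quote

# Assumed block list and portal location (not taken from the thread).
BLOCKED = [ip_network("192.0.2.0/24"), ip_network("198.51.100.7/32")]
PORTAL_URL = "http://portal.lan/blocked.html"

# Plain-HTTP connectivity probes operating systems use to detect captive
# portals, keyed by (host, path) -> (status, expected "not captive" body).
# Illustrative table; check the current vendor documentation before relying on it.
PROBES = {
    ("captive.apple.com", "/hotspot-detect.html"):
        (200, b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    ("connectivitycheck.gstatic.com", "/generate_204"): (204, b""),
    ("detectportal.firefox.com", "/success.txt"): (200, b"success\n"),
    ("www.msftconnecttest.com", "/connecttest.txt"): (200, b"Microsoft Connect Test"),
}


def is_blocked(client_ip: str) -> bool:
    """True when the client address falls in any blocked network."""
    addr = ip_address(client_ip)
    return any(addr in net for net in BLOCKED)


def decide(client_ip: str, host: str, path: str):
    """Pure routing decision: returns (status, headers, body).

    Blocked clients get a 302 to the portal for *any* cleartext URL, which also
    makes their OS probe fail and triggers the "sign in to network" prompt.
    Other clients get the exact probe body the OS expects, i.e. "no portal".
    """
    if is_blocked(client_ip):
        orig = quote(f"http://{host}{path}", safe="")
        return 302, {"Location": f"{PORTAL_URL}?orig={orig}",
                     "Cache-Control": "no-store"}, b""
    key = (host.split(":")[0].lower(), path)
    if key in PROBES:
        status, body = PROBES[key]
        return status, {"Cache-Control": "no-store"}, body
    return 404, {}, b"not here\n"


class PortalHandler(BaseHTTPRequestHandler):
    def _send(self, status, headers, body):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def do_GET(self):
        status, headers, body = decide(self.client_address[0],
                                       self.headers.get("Host", ""), self.path)
        self._send(status, headers, body)

    do_HEAD = do_GET

    def do_CONNECT(self):
        # Only seen when clients are pointed at us as an explicit proxy (WPAD).
        # Anything but 200 here makes the browser render its own error page;
        # the body below is never displayed, so there is no "block page" path.
        self._send(403, {}, b"CONNECT not permitted\n")

    def log_message(self, fmt, *args):  # keep stdout quiet in the example
        pass


if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", 8080), PortalHandler).serve_forever()
```

The decision logic is kept in decide() so it can be exercised without sockets: a request from 192.0.2.10 for any host is answered with a 302 to the portal, while an unblocked client probing connectivitycheck.gstatic.com/generate_204 gets the 204 its OS expects. Nothing in this code can make a browser render the portal for https://example.com/, which is the point the answer above makes.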
Score:1

You can’t both block users and serve them content.

If I wanted people to know they’d been blocked I would probably set up an access control list in my reverse proxy/load balancer and direct clients with banned IP addresses to a static page hosted either internally or with a content delivery network.

acgbox:
That's exactly what I'm asking.