Redirecting web traffic from Mikrotik to internal Squid using policy based routing

There is a beginner's guide on how to set up transparent interception of HTTP and HTTPS traffic in the network with the help of an external Squid proxy, a Mikrotik router and Policy Based Routing.

The tutorial is available at https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html and we hope it will be helpful.

Best regards,
Dev Team

 


Policy based routing with iptables and separate Squid box

A new tutorial has been published on docs.diladele.com. It explains how to transparently filter HTTP and HTTPS traffic that is re-routed from your default gateway (a router running Ubuntu 16 with iptables) using Policy Based Routing.

See the full tutorial at https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html


Basic LDAP Proxy Auth Bites Back Again

We have set up a Squid box to authenticate users using the Basic LDAP scheme. Access from Internet Explorer to most sites works fine, but certificate revocation checks in Internet Explorer are failing. Why?

When a user tries to access a remote site, Internet Explorer shows a pop-up box asking the user to authenticate. After typing the correct credentials into that box, the user is able to browse the sites.

Each time an HTTPS server is accessed, Internet Explorer tries to validate the certificate that the server presented using online validation checks (OCSP, for example). Unfortunately, this is done by the Microsoft Crypto API and not by IE itself. The Microsoft Crypto API cannot show a pop-up to the user and thus fails to authenticate.

This is clearly visible in the following sample certificate validation request captured in Wireshark:

GET http://crl4.digicert.com/sha2-ha-server-g4.crl HTTP/1.1\r\n
Accept: */*\r\n
User-Agent: Microsoft-CryptoAPI/6.1\r\n
Proxy-Connection: Keep-Alive\r\n
Host: crl4.digicert.com\r\n
\r\n

A search on Google turns up the following two articles.

Recommendations

1. Use Kerberos as the method of AD authentication (recommended). See https://docs.diladele.com/administrator_guide_6_0/active_directory/index.html for all required steps.

2. Bypass authentication for the Microsoft Crypto API. To do that, add Microsoft-CryptoAPI/6.1 as a user agent bypass string in UI / Squid / Auth / Exclusions / User Agent. Not recommended.

3. Do not use Internet Explorer 🙂 Up to you to decide.
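
To confirm the problem on your own proxy before choosing between these recommendations, the following added example (not from the original post or the Diladele product) counts the 407 responses Squid returned to Microsoft-CryptoAPI clients, grouped by destination host. It assumes access.log is written in Squid's built-in "combined" logformat, which records the User-Agent header; the log lines are constructed samples and ocsp.example.net is a placeholder host.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid's built-in "combined" logformat (assumption: access_log uses it;
# the default "squid" format does not record User-Agent).
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)" (?P<result>\S+)$'
)
CRYPTOAPI = re.compile(r"^Microsoft-CryptoAPI/")

# Constructed sample lines; ocsp.example.net is a placeholder host.
SAMPLE = [
    '192.168.1.20 - - [12/Mar/2018:10:15:01 +0100] "GET http://crl4.digicert.com/sha2-ha-server-g4.crl HTTP/1.1" 407 4012 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:HIER_NONE',
    '192.168.1.21 - - [12/Mar/2018:10:15:07 +0100] "GET http://crl4.digicert.com/sha2-ha-server-g4.crl HTTP/1.1" 407 4012 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:HIER_NONE',
    '192.168.1.20 - - [12/Mar/2018:10:15:09 +0100] "GET http://ocsp.example.net/status HTTP/1.1" 407 4012 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:HIER_NONE',
    # Browser request: the 407 here produces the pop-up, so it is not counted.
    '192.168.1.20 - - [12/Mar/2018:10:14:58 +0100] "CONNECT www.example.com:443 HTTP/1.1" 407 4012 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" TCP_DENIED:HIER_NONE',
    '192.168.1.20 - alice [12/Mar/2018:10:15:00 +0100] "GET http://www.example.com/ HTTP/1.1" 200 1270 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" TCP_MISS:HIER_DIRECT',
]

def denied_cryptoapi_hosts(lines):
    """Count 407 responses sent to CryptoAPI clients, per destination host."""
    hosts = Counter()
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not a combined-format line
        if m["status"] != "407" or not CRYPTOAPI.match(m["agent"]):
            continue  # only unauthenticated CryptoAPI fetches are of interest
        host = urlsplit(m["url"]).hostname
        if host:
            hosts[host] += 1
    return hosts

if __name__ == "__main__":
    for host, count in denied_cryptoapi_hosts(SAMPLE).most_common():
        print(f"{count:5d}  {host}")
```

The host list shows which revocation endpoints are affected, which is useful when weighing recommendation 2: User-Agent is a client-supplied header, so an exclusion keyed on it alone is not an authentication control.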

 

 
