bic
Posts: 11
Joined: Fri Nov 27, 2015 9:47 pm

A way to redirect http traffic to https

Sat Jun 15, 2019 10:16 pm

I have an old device that doesn't support SSL and I want to connect to a server that only supports SSL connections. Is there a way to put an RPi between the device and the internet to achieve this? I.e. point the device to the RPi and have the message encrypted and then forwarded to the external server?

Attached is a little diagram of what I'm trying to do.

In advance, please and thank you.
Attachment: Capture.PNG
Last edited by bic on Mon Jun 24, 2019 8:47 pm, edited 1 time in total.

nigelbartlett1
Posts: 7
Joined: Mon May 06, 2019 9:39 am

Re: Old device connected through RPi for SSL connection

Mon Jun 17, 2019 5:57 pm

From what I have read I think this should be possible, but only if your old device allows you to configure a proxy server in its settings. If so I would recommend running Apache as a forward proxy.

rpdom
Posts: 14476
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Old device connected through RPi for SSL connection

Mon Jun 17, 2019 7:11 pm

I think it might be possible with some DNS wrangling, two network interfaces and a reverse proxy server.

1. Set up dnsmasq on the Pi to issue an IP address to the device and also provide DNS lookup.

2. Configure dnsmasq to fake the IP address of the https server as being its own address when requested by the device.

3. Install nginx or something similar on the Pi and have it respond to the http: request and forward it to the real https server.

I'm assuming the device uses DHCP to get its IP address and DNS server address(es). If it is using a static address instead it would be even easier, as you just point the DNS IP at the Pi to provide the fake DNS and don't worry about using two interfaces.

nigelbartlett1
Posts: 7
Joined: Mon May 06, 2019 9:39 am

Re: Old device connected through RPi for SSL connection

Thu Jun 20, 2019 12:04 pm

I tested my suggestion of using a forward proxy with Apache and it worked. As I don't have access to your old device I used Chromium with the --proxy-server= option for testing.

My forward proxy configuration for Apache is as follows:

Code:

# -----------------------------------------------------------------------------------------------
# Apache forward proxy to send www.example.com traffic to https://www.example.com
# -----------------------------------------------------------------------------------------------

<VirtualHost *:80>
	ServerName www.example.com
	ServerAlias example.com

# Create the forward proxy
	ProxyRequests On
	ProxyPreserveHost On
	SSLProxyEngine On

# Switch from http to https
	Redirect "/" "https://www.example.com"

# Standard logging
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Note: Apache says "Because forward proxies allow clients to access arbitrary sites through your server and to hide their true origin, it is essential that you secure your server so that only authorized clients can access the proxy before activating a forward proxy."

Post updated with, perhaps, a better way to do the redirection from http to https.

bic
Posts: 11
Joined: Fri Nov 27, 2015 9:47 pm

Re: Old device connected through RPi for SSL connection

Mon Jun 24, 2019 8:46 pm

Thanks! I'll definitely give it a try! Thank you. Also updated subject, nice suggestion.

bic
Posts: 11
Joined: Fri Nov 27, 2015 9:47 pm

Re: A way to redirect http traffic to https

Thu Jul 04, 2019 4:32 am

While I got this working with both Apache and NGINX for incoming messages (Internet to my LAN), I can't get it working for my outbound messages (internal LAN to external host). Any suggestions?

nigelbartlett1
Posts: 7
Joined: Mon May 06, 2019 9:39 am

Re: A way to redirect http traffic to https

Sun Jul 07, 2019 9:08 am

Oops! It turns out my suggestion wasn't doing what you wanted. I've spent some more time playing with the Apache forward proxy, and, in every configuration I tried, it didn't work. What was happening was that the first HTTP GET request from my client was being answered with HTTP status 301 (permanent redirect, to https in this case) and my client happily accepted this, as it does have https support. This is no use to you at all.

Still, nil desperandum and all that. I followed up rpdom's idea to use a reverse proxy and this worked. Using the naming in your diagram I configured Device to send all requests to the Linux box (pi) by adding its IP address with the URL www.example.com to Device's /etc/hosts file. Then I configured the Pi (Linux box) as a reverse proxy with the configuration below.

The first HTTP GET request still receives a redirect response, but in this case it redirects to the proxy with an http redirect (not https) and thereafter works with all traffic between Device and Linux box as http and all traffic between Linux box and Target server as https.

Assuming your Device can (a) be configured to send the relevant traffic to Linux box, and (b) process the redirect correctly (if there is one), I think this should work for you.

One further thought. My Linux box (pi) is configured as the exposed host on my home LAN, so that it is Internet-accessible. This is the reason for the <Proxy *>...</Proxy> block. I am pretty sure that you don't need to expose the proxy server to the Internet to achieve your goal, but I haven't tested that scenario. If you keep the <Proxy> block in you may need to change the IP address block, depending on your network.

Code:

# -----------------------------------------------------------------------------------------------
# Apache reverse proxy to forward http traffic as https for site example.com
# -----------------------------------------------------------------------------------------------

<VirtualHost *:80>
	ServerName www.example.com
	ServerAlias example.com

# Do the proxying
	ProxyPass        /  https://www.example.com/
	ProxyPassReverse /  https://www.example.com/

# We are proxying to an SSL site
	SSLProxyEngine on

# SECURITY: Limit access to this proxy by IP address block
	<Proxy *>
		Require ip 192.168
	</Proxy>

# Standard logging
	ErrorLog  ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
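
Added example (not part of nigelbartlett1's post or the thread): a hardened variant of the reverse proxy above, which also covers step 3 of rpdom's outline if Apache is used in place of nginx. By default mod_ssl does not validate the upstream certificate (SSLProxyVerify is none), so the HTTPS leg is encrypted but unauthenticated unless verification is switched on. The Pi address 192.168.1.10, the 192.168.1.0/24 LAN and the Debian CA bundle path are assumptions.

```apache
# ADDED EXAMPLE, not the poster's configuration.
# Assumed values: Pi LAN address 192.168.1.10, LAN 192.168.1.0/24,
# Debian/Raspbian CA bundle at /etc/ssl/certs/ca-certificates.crt.
# Modules needed: a2enmod proxy proxy_http ssl
#
# Device side: make the device resolve the site to the Pi, either with a
# hosts entry on the device or with this line in dnsmasq on the Pi:
#   address=/www.example.com/192.168.1.10
# The Pi's own resolver must still return the real address of the site,
# otherwise this vhost proxies to itself.

# Bind to the LAN address only, so the proxy is not offered on other interfaces
<VirtualHost 192.168.1.10:80>
	ServerName www.example.com
	ServerAlias example.com

	# Reverse proxy only; never accept forward-proxy requests
	ProxyRequests Off

	# Plain HTTP from the device, HTTPS to the real server
	SSLProxyEngine on
	ProxyPass        /  https://www.example.com/
	ProxyPassReverse /  https://www.example.com/

	# Authenticate the upstream server: chain, host name and expiry
	SSLProxyVerify require
	SSLProxyVerifyDepth 3
	SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
	SSLProxyCheckPeerName on
	SSLProxyCheckPeerExpire on
	SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

	# Only clients on the LAN may use the proxy
	<Proxy *>
		Require ip 192.168.1.0/24
	</Proxy>

	ErrorLog  ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

The hop between the device and the Pi remains plaintext, so anything the device sends (credentials included) is readable on that network segment; a dedicated interface or VLAN for the device, as in rpdom's two-interface layout, limits who can see it.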

trejan
Posts: 136
Joined: Tue Jul 02, 2019 2:28 pm

Re: A way to redirect http traffic to https

Sun Jul 07, 2019 2:24 pm

stunnel will also do what you want.

rpdom
Posts: 14476
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: A way to redirect http traffic to https

Sun Jul 07, 2019 2:55 pm

nigelbartlett1 wrote (Sun Jul 07, 2019 9:08 am):
> I followed up rpdom's idea to use a reverse proxy and this worked.

Cool. More often a reverse proxy is used for the opposite reason: https access to a legacy http server, but it can work both ways. :)

bic
Posts: 11
Joined: Fri Nov 27, 2015 9:47 pm

Re: A way to redirect http traffic to https

Mon Jul 08, 2019 11:58 pm

Thanks for the follow up. I can get this to work with Apache for local client port 80 and server being https:443. I can also get it to work if, say, I type in 192.168.1.x:9000 and get to https://www.example.com, but as soon as I change the port in ProxyPass and ProxyPassReverse to port 8443, I can see the request on port 9000 with tcpdump but no activity on 8443.

bic
Posts: 11
Joined: Fri Nov 27, 2015 9:47 pm

Re: A way to redirect http traffic to https

Tue Jul 09, 2019 10:21 pm

I enabled some mods; am I missing any?
proxy
proxy_http
ssl

As soon as I do something like this I get nothing in tcpdump on port 8443:

Code:

ProxyPass        /  https://www.example.com:8443/
ProxyPassReverse /  https://www.example.com:8443/
SSLProxyEngine on

I also changed the ports in ports.conf from 443 to 8443. I would still like to get this working, for the knowledge; however, I was able to get stunnel to achieve what I originally wanted to do for my project.
