3

I would like to set up a filtering mechanism for certain websites I use, including the ones served over https.

Privoxy provides this functionality, but only over http.

I'm pretty comfortable around programming and system management, but when it comes to hardcore networking my knowledge and experience are a little lacking.

I found this question/answer which seems to address the https problem by tunneling traffic using STunnel.

I have issues placing some of the concepts that come into play. Is it possible to set this (meaning "creating the ability to use a custom Privoxy filter (not just blocking, really altering content) on HTTPS traffic") up on a single machine running Windows? I mean, would that then act as both the STunnel client/server and the Privoxy proxy server?

Any guidance would be greatly appreciated!

ropstah
  • 1
    I've used nginx as a web proxy before. The configuration is easy and I think on a question in Stack Overflow, though I forgot where. Set up the SSL cert on nginx and send all requests to the server, and host it locally where nginx can reverse proxy it. You can add the client IP or whatever you want from the request to the headers and change the content on the server. – rassa45 Dec 17 '17 at 17:29
  • @ytpillai - I don't understand this... Let's say I set up `nginx` in a Docker container on my local machine. Should I then configure the local machine to use the exposed endpoint/port on the Docker machine (pointing to nginx) as a proxy server? Where does `Privoxy` come into play here? – ropstah Dec 17 '17 at 17:34

2 Answers

4

I think nginx is your answer. http://nginx.org/en/docs/windows.html

You can set up your SSL cert on there and have all clients connect to it. Then just reverse proxy the request to localhost (no need for SSL here since it's just local), and add client headers onto the local request.

Clients can tunnel into nginx (which is technically a web server in itself) and nginx will reverse proxy domains or IPs as necessary.

Then you can use https://github.com/justcoding121/Titanium-Web-Proxy as a traffic interceptor and send all traffic to it.

rassa45
  • Just added a comment, I can also install `nginx` for Windows I see. But then what? Where does `Privoxy` come into play here? What should I set as proxy server in my Windows Network Configuration? – ropstah Dec 17 '17 at 17:35
  • 1
    Don't think you need Privoxy here since nginx itself can act as your reverse proxy. Looks like your best approach is whitelisting certain protocols and websites, so you can set your reverse proxy rules to allow only certain locations and protocols and deny everything else (default rule config equivalent to default deny all). Not necessary to have a separate proxy server unless you want to filter egress traffic too. Then you can have a physical pfSense firewall set up as a bridge for your network to your machine and make it the proxy server. – rassa45 Dec 17 '17 at 17:38
  • 1
    Nginx can proxy a request and a response to a specified location, and that seems to be what you have requested. And yes, just read the other comment, only nginx should be exposed. Keep in mind that the most, most secure solution is always a physical firewall if you are worried about malware-ridden traffic too, since those are specifically built for that purpose. – rassa45 Dec 17 '17 at 17:42
  • The thing is that `Privoxy` provides functionality to 'match' certain hosts/URLs through patterns and apply filters (Perl script regex replacements) on responses it serves back. You seem way more literate on networking than myself so I'm going to assume `Nginx` can either "transform" responses from an `https` connection or forward those to `Privoxy` again to do the transformation. Hopefully the configuration for each of these 'services' will speak for itself (regarding the request pipeline) because I really have no idea on why this works and why Privoxy doesn't support `https` transformations. – ropstah Dec 17 '17 at 18:20
  • Just to make sure, is this what's going on: `Nginx` forwards incoming `https` requests and returns those as `http` responses? – ropstah Dec 17 '17 at 18:35
  • So essentially, nginx is acting as a bridge between the client and the server. Client connects to nginx via https, nginx clones the same request and sends it to local server if reverse proxying via http, then receives the response via http and sends to client via https. I'm suggesting it as an alternative to Privoxy because it supports all the features you mentioned you need. For example for matching hosts and URLs, nginx has a search syntax in its location property of a rule. – rassa45 Dec 17 '17 at 18:47
  • If you want to serve just a normal index.HTML or php file, then type in the root folder and filename of the entry point. This should help https://www.digitalocean.com/community/tutorials/understanding-nginx-server-and-location-block-selection-algorithms – rassa45 Dec 17 '17 at 18:47
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/70404/discussion-between-ropstah-and-ytpillai). – ropstah Dec 17 '17 at 18:51
  • just to make sure: I don't want to "serve" any files or data, just proxy. When I make a request using a browser to e.g. `https://google.com` it should be transformed before it gets sent back to the browser. – ropstah Dec 17 '17 at 18:57
  • As discussed in the chat, `nginx` is not necessarily the solution but your lead to `https://github.com/justcoding121/Titanium-Web-Proxy` helps me to get a little further. To be continued! – ropstah Dec 17 '17 at 19:30
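
The layout described in the answer and comments above (TLS terminated at nginx, plain HTTP to a service on localhost, client headers added, everything else denied), written out as an added `nginx.conf` that is not part of the original posts. The hostname, certificate file names, port 8080, the `/app/` location and the `sub_filter` rule are placeholders, and `sub_filter` assumes an nginx build that includes `ngx_http_sub_module`.

```nginx
# Added example; every name, port and path below is a placeholder.
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    server {
        # Bind to loopback so only this machine can reach the TLS listener.
        listen 127.0.0.1:443 ssl;
        server_name filter.example.test;

        # Certificate the clients must trust (placeholder file names).
        ssl_certificate     cert.pem;
        ssl_certificate_key cert.key;

        # The one allowed location: relay to the plain-HTTP local service.
        location /app/ {
            proxy_pass http://127.0.0.1:8080;

            # Pass the original client details to the local service.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # sub_filter cannot rewrite compressed bodies, so ask the
            # upstream for an uncompressed response.
            proxy_set_header Accept-Encoding "";

            # Rewrite response content on the way back to the client.
            # text/html is always filtered; extra types are listed here.
            sub_filter 'tracker.example.test' 'blocked.invalid';
            sub_filter_once off;
            sub_filter_types text/css application/javascript;
        }

        # Default deny: anything not matched above is refused.
        location / {
            return 403;
        }
    }
}
```

This rewrites responses only for the host nginx fronts, and the hop to `127.0.0.1:8080` is unencrypted, so the upstream service should listen on loopback only.
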
0

Privoxy can filter SSL (https) after a fashion. See Privoxy FAQ on SSL.

  • 1
    Welcome to Super User! Whilst the link may provide an answer to the question, [it would be preferable](//meta.stackoverflow.com/q/8259) to include the essential information for the answer here, and provide the link for reference. Thanks! – bertieb Aug 28 '18 at 17:30