Is it possible a transparent https redirect ---> [http | https]?

Good day!

Interested in the possibility of forwarding the request on port 443 (https) on mine own resources, but with minor amendments.
You can do it with a firewall. But you need a self-signed certificate, which will turn up your nose all browsers. Generate and add the root certificate is not necessary.

When you need to request on 443 port as much as possible transparently (without swearing browsers on the certificate, install the root certificate and other things requiring any manipulation of the client device) to the client to wrap him up in a captive portal. Iptables [REDIRECT | DNAT] are not suitable, if not IntranetSSL (expensive solution). Squid SSL Bump as far as I understand it, also requires the installation of the root certificate.

Asking for help from more experienced and knowledgeable members of the community.
June 10th 19 at 15:18
1 answer
June 10th 19 at 15:20
Solution
The whole point of HTTPS is exactly that it would be impossible.
Then redirect at the initial stage, and not the introduction or the wire, is it the same thing? - eda_OConnell commented on June 10th 19 at 15:23
are one and the same. Redirect you can only send in response to the request, so you already saw what the client is requesting. And this is the introduction and wiretapping. - annie_Pagac commented on June 10th 19 at 15:26
No. If I remember correctly ciprocinal's not associated with http Protocol and as a consequence with the server responses.

The server picks up the full ciprocinal and within tional in response to a http request resource sends code 301 http://подти_туда.ру/ the browser does not have the right to refuse such redirection. - Sandra_Kautzer42 commented on June 10th 19 at 15:29
, Yes. So the author wants to replace the channel - annie_Pagac commented on June 10th 19 at 15:32
ciprocinal guarantees that the channel only you and the server, and no third parties can not penetrate.
With what reason not to believe the command server is not redirecting query ?? - Sandra_Kautzer42 commented on June 10th 19 at 15:35
, speech about the switch there. I want some way to transfer the client to want me to address. How this can be done and whether it is possible, I'm asking. I like everything described in the question. Maybe there are some implicit points in it? Tell me, I will correct. But initially was not the purpose of substituting. Only redirect (as a variant on domain name). At the level of the web server (301 and 302), at the level of iptables (REDIRECT and DNAT) or proxy. These are all ways or someone is faced with in other ways? - eda_OConnell commented on June 10th 19 at 15:38
I typed in the browser address https://google.com and waiting for a response from Google. You want instead, where for me redirecting. It is by definition a substitution of answer Google.
Fortunately HTTPS does not allow it. - annie_Pagac commented on June 10th 19 at 15:41
I understand you want to authorize on the website, in which authorization is not embedded ??
then such variant: the server where the client is knocking, put the authorization script that will, for example, to track avtorizirovan clients according to the cookies. ie there is no right of cookies are issued with a login window that has the correct cookies in the client request proximedia to the site without authorization ??
look for such script, known problem

redirect using iptables can ride if in addition to dnat snat to do more, well, sanchit right certificates - Sandra_Kautzer42 commented on June 10th 19 at 15:44
authorization in wifi network. Check the mac address. There is a set of authorized mac addresses, I allowed the Internet as it is. Those customers where there is no need to authorize and add to the set. If absent, the client tries to make a request for port 80 (http) on localhost is wrapped with the same iptables and do a http 302. This is no problem. There is a moment when not passed the procedure of authorization the client makes a request on port 443. Not using the installation of the root certificate, run smoothly, this procedure will not work. I want this moment to understand. I could be wrong, but it seems in some prepared foods there is. - eda_OConnell commented on June 10th 19 at 15:47
the author makes the standard captive portal

such as you want (no self-signed certificates without installing a root certificate to the client), and never can be. - annie_Pagac commented on June 10th 19 at 15:50
exactly. That is the flaw of all the decisions on this subject? - eda_OConnell commented on June 10th 19 at 15:53
https compares the field value Common name of the received certificate (it contains the name of the server) with the server in the request.
you naturally will not need certificates.
it's not a flaw - it is a means of protection against spoofing of addresses. - Sandra_Kautzer42 commented on June 10th 19 at 15:56
Thank you all for taking part. - eda_OConnell commented on June 10th 19 at 15:59

Find more questions by tags DebianFirewallProxyHTTPSLinux