2015-08-16 - Re: Connection through proxy
Header Data
From: Luis Alberto Guzman Garcia <l.***g@gmail.com>
Message Hash: 0fe3231c7434204f7b7b2c6480d6a7d509143e2b2108f78ae3e7139a7253be53
Message ID: <b7e00cc6-ff9f-49ca-ba5c-c0d34e745f6c@grasehotspot.org>
Reply To: <d382d1da-33a7-41e2-a106-cc38120914e7@grasehotspot.org>
UTC Datetime: 2015-08-16 22:50:55 UTC
Raw Date: Sun, 16 Aug 2015 22:50:55 -0700
Raw message
I'm not any kind of developer, I'm more like a *hobbyist*, so please be patient.
But as a result of several tests I summarize the way I understand how it
works (please correct me if I'm wrong).
The proxy is responsible for managing the connections from the machine to
the Internet (the outgoing network most of the time), it can filter, store,
manage, do many wonderful things.
For enabling a transparent proxy we need another set of configurations,
these are the iptables rules, these will route *automagically* all the
traffic from users without needing to configure something, they may even
not notice it 'coz it's done from another network layer(?).
Then we have the encrypted traffic, the SSL or 443 traffic, this is another
different story, since the SSL support for a proxy (AFAIK) breaks the
purpose of the encrypted traffic, since it has to be decrypted, to be
checked/filtered/stored/modified according to the proxy rules, then
re-encrypted to be sent to the final user, this requires the certs and
other configurations from the device connecting.
It's very much like a man in the middle attack, so then we need to be
careful about it and the laws in our state, region, country if applicable.
Then as I read, you have installed Grase Hotspot on a *buntu 12.04 box,
which is the release that I use for all my research.
If I understand correctly, the configurations that you download allow to
configure the SSL traffic part on let's call it *main network*, then you
use GRASE for the captive portal reason so people on a wireless device can
easily get the required set of configurations to get to the *main network*,
but since your Internet access has been already filtered/*proxied* you
can't download the configuration files.
I think that if you match your *buntu box proxy configuration with your
higher proxy device, using a *transparent proxy and a non-ssl site* then it
is possible for your students/clients to access the configuration file(s),
download them and then surf with the new configuration files to the *main
network* and get Internet access.
But if you try to use an SSL site then you need to configure 2 layers of
proxies, the GRASE one and then the one that feeds Internet/gateway to your
GRASE hotspot, which will result in a PITA.
I've been using GRASE for not longer than a week, I haven't had the time
to test it out completely, but I see that it has these packages
grase-conf-squid3-3.3
grase-conf-squid3-3.1
So it is my sincere opinion that it must be easier than expected to set a
transparent proxy that matches the *main network* proxy configuration in
order to be able to get the files needed to configure your new users fixed
internet network.
If I'm wrong or if I lose the point of the question please let me know :)
Cheers!
PS. English is not my mother language so please excuse if it reads a little
bit weird :)
--
Luis
On Tuesday, 4 August 2015, 22:05:30 (UTC-5), Brett wrote:
>
> Hi
>
> Have just set up 3.8 on Ubuntu 12.x (decided to try it this way first
> rather than install 14+). Works great however as a school we have an issue
> we need to solve. We are using it to allow students to connect to a Meraki
> based MDM and configure their own wireless. So certainly students can
> connect to the Grase Hotspot server and login but cannot access the wider
> internet as we are behind a proxy.
>
> Our school's proxy setup for general student use is an ISA box which
> requires authentication. We also have access to an external proxy provided
> by the ISP (netspace) which requires special authorization (i.e. credentials
> which are manually entered and not for public release)
>
> I can get a student iPad without a problem to locate the landing page and
> login, however to proceed further students would have to go into the
> settings for the wireless network point, add an IP for the proxy and a port
> and then add in their network credentials to connect to the Meraki MDM and
> install certs and profiles. They would then need to disable this proxy
> setup and return to the http:/logout page to logout. You can see this would
> be a problematic procedure for students as a self service connection system.
>
> So my question is there any way to connect the hotspot internet via our
> proxy so that it is transparent to students but credentials are stored on
> the server running Grase? (and not exposed to students)
>
> I'd hoped that Grase might pick up system wide proxies set as an
> environment variable but it seems not so. Really keen for some help as we
> have come this far and the kiosk appears otherwise to do precisely what we
> need (thank you!!)
>
> TIA Brett
>
>
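
Added example, not part of the original messages and not GRASE's shipped configuration: a Squid fragment showing the arrangement discussed in this thread, with plain HTTP intercepted on the hotspot server and forwarded to an upstream proxy using credentials kept only on that server. The file path, host name, ports, interface name and credentials are placeholder assumptions.

```conf
# Fragment for the hotspot server's Squid config (path assumed:
# /etc/squid3/squid.conf). Every host, port, interface and credential
# below is a placeholder, not a value taken from this thread.

# Port that receives traffic redirected by iptables. "intercept" is the
# Squid 3.1+ keyword for transparent mode.
http_port 3129 intercept

# Keep a regular forward-proxy port as well.
http_port 3128

# Upstream (parent) proxy. login= makes Squid present these credentials to
# the parent as Basic proxy authentication, so clients never see or enter
# them. They are stored in clear text in this file: restrict its
# permissions to root and the Squid user.
cache_peer upstream-proxy.example.internal parent 8080 0 no-query default login=HOTSPOT_USER:HOTSPOT_PASSWORD

# Never fetch from origin servers directly; always go through the parent.
never_direct allow all

# Matching NAT rule on the hotspot server (run as root; the client-facing
# interface is assumed to be tun0):
#   iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-ports 3129
#
# Port 443 is deliberately not redirected. Intercepting it would mean
# decrypting and re-encrypting client traffic, which needs a certificate
# installed on every device, as the message above describes.
```

Because `login=` sends Basic credentials, this only works with a parent proxy that accepts Basic authentication, and the link between the two proxies should be on a trusted network segment.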