
Re: HTTP shimmed to HTTPS; was Re: stunnel as transparent proxy.



On Wed, Jul 17, 2019 at 02:32:28PM -0700, peter@easthope.ca wrote:
> > stunnel(1) mentions helpfully that you're required to have  a certain
> > netfilter setup (mainly involving DNAT in your case), ... 
> > If you need to transform outbound HTTP requests to HTTPS to multiple
> > hosts ...
> 
> Yes, I have a Web browser capable of HTTP and not HTTPS. The immediate 
> objective is that the browser requests 
> https://en.wikipedia.org/wiki/Network_socket , for example, the 
> communication is TLS encrypted and issued to the original address.  
> The returned packets should be decrypted.  Should work for any address 
> of course but no address translation.  Shim might describe the action 
> better than proxy.

stunnel is unsuitable for such a task.

>
> > you'll probably need squid/haproxy/nginx/whatever.
> 
> Never used any of these.  "/" means "or"?

Yes, it meant "or".
You need a specific kind of forward proxy, capable of transforming
HTTP to HTTPS (to do actual requests) and back (to send'em to a
browser).

> Shorewall is working here. If that can apply TLS, good.

No it cannot. Shorewall is a frontend to the netfilter kernel subsystem.
It can do all kinds of things as long as they do not exceed L4 (as in
OSI L4, transport layer). What you want to do is to apply a
transformation to L7 (application layer), and that's something that
netfilter cannot do.

> What is the simplest package that can provide this?

For a bunch of sites - apache or nginx.
For the whole Internet - *maybe* (and that's a big one) squid can do the
job. Most probably you'll need a very creative usage of ProxHTTPSProxy
(not in Debian) or its equivalent.

Reco
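To make concrete what an L7 "shim" of the kind discussed above looks like, here is a small HTTP-to-HTTPS forwarding proxy. It is an added example, not code from this thread or from any of the packages named in it, and it assumes the browser either is configured to use 127.0.0.1:8080 as its HTTP proxy (absolute URLs in the request line) or is DNAT'ed to that port (origin-form request plus a Host header). The shim does the two things netfilter cannot: it re-issues each plaintext request as a TLS request to the original host, verifying the server certificate against the system trust store on the browser's behalf, and it rewrites https:// redirect targets back to http:// so the HTTP-only browser can follow them through the shim again. The browser-to-shim hop stays plaintext, which is why it listens on loopback only.

```python
import http.client
import ssl
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Hop-by-hop headers (RFC 7230 section 6.1) describe one connection only
# and must not be copied to the other side of the shim.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer",
              "transfer-encoding", "upgrade"}


def upstream_target(request_path, host_header):
    """Return (host, path) for the HTTPS request the shim will issue.

    Proxy-style requests carry an absolute URL in the request line;
    transparent (DNAT) requests carry '/path' plus a Host header.
    """
    if request_path.lower().startswith(("http://", "https://")):
        parts = urlsplit(request_path)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        return parts.hostname, path
    if not host_header:
        raise ValueError("no Host header and no absolute URL")
    return host_header.split(":")[0], request_path


def rewrite_location(value):
    """Downgrade an https:// redirect so the HTTP-only browser can follow it."""
    if value.lower().startswith("https://"):
        return "http://" + value[len("https://"):]
    return value


def forward_headers(headers):
    """Copy request headers, dropping the hop-by-hop ones."""
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}


class ShimHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"
    # Default context verifies the upstream certificate and hostname;
    # the browser cannot, so the shim must not skip this.
    ssl_ctx = ssl.create_default_context()

    def do_GET(self):
        self._relay("GET")

    def do_HEAD(self):
        self._relay("HEAD")

    def do_POST(self):
        self._relay("POST")

    def _relay(self, method):
        try:
            host, path = upstream_target(self.path, self.headers.get("Host"))
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        hdrs = forward_headers(self.headers)
        hdrs["Host"] = host
        hdrs["Connection"] = "close"
        conn = http.client.HTTPSConnection(host, 443, context=self.ssl_ctx,
                                           timeout=30)
        try:
            conn.request(method, path, body=body, headers=hdrs)
            resp = conn.getresponse()
            data = resp.read()
        except OSError as exc:  # includes ssl.SSLError, i.e. failed verification
            self.send_error(502, "upstream failure: %s" % exc)
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for name, value in resp.getheaders():
            lname = name.lower()
            if lname in HOP_BY_HOP or lname == "content-length":
                continue
            if lname == "location":
                value = rewrite_location(value)
            self.send_header(name, value)
        if method != "HEAD":
            self.send_header("Content-Length", str(len(data)))
        self.send_header("Connection", "close")
        self.end_headers()
        if method != "HEAD":
            self.wfile.write(data)


if __name__ == "__main__":
    # Loopback only: the browser side of the shim is unencrypted.
    ThreadingHTTPServer(("127.0.0.1", 8080), ShimHandler).serve_forever()
```

Run it and point an HTTP-only browser at http://127.0.0.1:8080 as its proxy; a request for http://en.wikipedia.org/wiki/Network_socket is then fetched over TLS from en.wikipedia.org and returned in the clear on loopback. Links inside the returned HTML that are written as https:// are not rewritten here, which is the part that needs the "very creative usage" of a fuller proxy mentioned above.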

