Setting Up a Transparent Proxy for HTTPS Decryption and Blocking Certain APIs

Started by vivekmauli14, December 11, 2024, 10:31:21 AM

Hello everyone,

I'm currently working on a project where I need to set up a transparent proxy to intercept and decrypt HTTPS traffic. My goal is to analyze and block specific API calls in applications, such as preventing LinkedIn's file upload API calls, to achieve custom packet filtering.

What I've Tried So Far
1. Squid Proxy
I attempted to use Squid with SSL bumping to handle decryption and filtering. While it worked initially, I ran into endless segmentation faults (segfaults) and other stability issues.

2. Privoxy
I also tried using Privoxy for filtering, but it didn't meet my needs either—it lacked proper support for HTTPS traffic handling and wasn't reliable for my use case.

Current Approach

Due to these challenges, I'm exploring the idea of building a custom Python-based transparent proxy. Here's the implementation plan:

Intercepting Traffic: Use a Python proxy server (e.g., mitmproxy or a custom implementation) to intercept HTTP/HTTPS traffic. Configure the OPNsense firewall to redirect traffic from LAN devices to this proxy.

Decrypting Traffic: Utilize OPNsense's built-in Certificate Authority (CA) to generate a trusted root certificate for SSL decryption. Install the root CA on client devices to enable seamless HTTPS decryption in the proxy.

Analyzing and Blocking: Inspect traffic to identify specific API calls (e.g., LinkedIn file uploads). Use filtering rules to block unwanted API requests selectively while allowing other traffic.

Traffic Forwarding to Suricata: Pass decrypted traffic to Suricata for deep packet inspection (DPI) and rule-based filtering. Write custom Suricata rules to block traffic matching specific patterns or endpoints.

I want guidance from the community on:

a. Are there any pitfalls or challenges with this method that I should be aware of?
b. Can a Python-based proxy handle moderate traffic loads effectively, or should I consider alternative technologies?
c. Are there better tools or frameworks for achieving transparent proxying, decryption, and custom API filtering?
Looking forward to your response.
Thanks!

Best,
VivekSP
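To make the "Analyzing and Blocking" step concrete, here is an added example of a mitmproxy addon script that does the selective blocking described in the post. It is not code from the original post or from the mitmproxy project; it assumes mitmproxy is run in transparent mode behind the OPNsense redirect rule, and the host and path patterns in `RULES` are constructed placeholders (not LinkedIn's real upload endpoints) that you would replace with paths seen in your own captures. The policy function `decide()` is kept free of mitmproxy imports so it can be unit-tested on its own.

```python
"""
Added example: mitmproxy addon that denies selected API requests after TLS
interception and passes everything else through untouched.

Run with:   mitmdump --mode transparent -s block_api.py
The deny rules below are constructed placeholders; discover the real
endpoints from your own traffic captures and adjust them.
"""
import fnmatch
import logging
from dataclasses import dataclass

log = logging.getLogger("block_api")

try:
    from mitmproxy import http  # only available when running inside mitmproxy
except ImportError:  # keeps decide() importable and testable without mitmproxy
    http = None


@dataclass(frozen=True)
class BlockRule:
    """One deny rule: host glob, allowed-to-match HTTP methods, path glob."""
    name: str
    host_glob: str        # e.g. "*.linkedin.com"
    methods: frozenset    # e.g. {"POST", "PUT"}
    path_glob: str        # e.g. "*upload*"


# Constructed placeholder rules (assumption: the real upload endpoints must
# be identified from captured traffic, they are not known from the post).
RULES = (
    BlockRule("linkedin-upload", "*.linkedin.com", frozenset({"POST", "PUT"}), "*upload*"),
    BlockRule("linkedin-upload-apex", "linkedin.com", frozenset({"POST", "PUT"}), "*upload*"),
)


def decide(host, method, path, rules=RULES):
    """Return the name of the first matching deny rule, or None to allow.

    Hosts are compared case-insensitively with any trailing dot removed, and
    the query string is stripped so that '/upload?x=1' still matches.
    """
    host = host.lower().rstrip(".")
    path_only = path.split("?", 1)[0]
    for rule in rules:
        if (method.upper() in rule.methods
                and fnmatch.fnmatchcase(host, rule.host_glob)
                and fnmatch.fnmatchcase(path_only, rule.path_glob)):
            return rule.name
    return None


class ApiBlocker:
    """mitmproxy addon: answer denied requests with a 403 from the proxy so
    they never reach the upstream server, and log each decision."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.blocked = 0

    def request(self, flow):
        req = flow.request
        hit = decide(req.pretty_host, req.method, req.path, self.rules)
        if hit is None:
            return  # allowed: mitmproxy forwards the request unchanged
        self.blocked += 1
        client = getattr(flow.client_conn, "peername", ("?",))[0]
        log.warning("blocked %s %s%s by rule %s (client %s)",
                    req.method, req.pretty_host, req.path, hit, client)
        flow.response = http.Response.make(
            403, b"Blocked by policy\n", {"Content-Type": "text/plain"})


addons = [ApiBlocker()]
```

Two caveats that belong with this approach: applications that pin their server certificate will fail outright rather than be decrypted, so such hosts should be excluded from interception (mitmproxy's `--ignore-hosts` option does this) instead of being bumped, and logging the blocked client address, as the addon does, is what you will want when later correlating these decisions with Suricata alerts.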