[mythtv-users] Open Failed: No suitable proxy found

Leo Butler leo.butler at member.ams.org
Fri Mar 2 19:53:13 UTC 2018


"Brian J. Murrell" <brian at interlinx.bc.ca> writes:

> On Sat, 2018-03-03 at 03:53 +1300, Stephen Worthington wrote:
>> 
>> But you were talking about proxying an HTTPS URL.
>
> I assume you mean "not" above.  And sure, maybe one URL was http and
> not https, but that is just one example.  Proxy support has to work for
> all URLs, not just select ones.
>
>> And it is possible
>> to proxy HTTPS properly - you have to use a proxy that has a proper
>> certificate and load that certificate into your certificate store.
>
> I don't consider launching MitM attacks on my users "proper".
>
>> Since you are doing the man-in-the-middle
>> yourself, with proper certificates, the other end does not have any
>> problems with the connection and you are not creating a security
>> risk.
>
> Except that every client that comes into my network needs to install my
> CA-impersonating certificate and (some) systems will complain about
> having "untrusted" certificates installed:
>
> https://www.howtogeek.com/198811/ask-htg-whats-the-deal-with-androids-persistent-network-may-be-monitored-warning/
>
> I don't want to train my users to ignore security warnings.
>
> On another note, what a MitM-transparent-proxy is actually doing is
> impersonating a trusted CA due to one particular weakness of the CA
> system which is that any CA can generate any certificate for any domain
> name.  I am sure you have seen the many stories in the news about this
> happening and the repercussions to the security of SSL (in general) due
> to it.  It is understood as a serious enough problem that CAs lose
> their "trustworthiness" because of it and end up going out of business.
>
> But also the point of the seriousness of it is that there are solutions
> to the problem in general underway.  Certificate pinning was thought to
> be a solution but is being deprecated, but is still out there, in
> Chrome and other browsers for at least the near future.  In its place
> is Certificate Transparency which achieves the same goal of alerting
> users to CA impersonation.  MitM-transparent-proxy is going to trigger
> certificate pinning and certificate transparency warnings/errors.
> Again, not wanting to train my users to ignore such warnings.
>
> The bottom-line is that I am not really interested in the rigmarole of
> transparent proxies and would just like systems configured to use
> proxies to actually work.  I suspect that in the case of MythBE (and
> QT) systems this is just not going to happen.
>
> I have actually been re-considering the value of a proxy in my network
> with the ever-increasing movement towards HTTPS.  This might just be
> another vote in the "trash it" column.

If I understand your problem, you want to force mythbackend to use a
proxy server, and advising it of one via an environment variable is ignored.

Why not use iptables to forcibly redirect the traffic to the proxy?

Otherwise, with a suitable router, you could create a subnet B where you
do transparent proxying and put your BE on that subnet. Make a separate
subnet, A, where un-proxied users will be, and allow A <--> B traffic.

I've used both solutions in different contexts with apparent success.

----

Re: your concern about MitM and HTTPS. Wouldn't certificates issued by
https://letsencrypt.org/ solve your dilemma? I don't have any experience
here, I'm just wondering.

Leo
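One way to do the iptables redirection suggested above, written as an added example that is not part of this thread or of MythTV: it runs on a gateway that also hosts the intercepting proxy (for example Squid with an `intercept` http_port), redirects only the backend's port 80 traffic, and deliberately leaves port 443 alone for the reasons given earlier in the thread. The backend address, LAN subnet, interface name and proxy port are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the list thread or MythTV): gateway-side iptables
# rules that force a backend host's plain-HTTP traffic into a transparent
# proxy, since mythbackend ignores the http_proxy environment variable.
# Assumptions: the intercepting proxy runs on this gateway, and the values
# below are placeholders (TEST-NET-1 addresses) to be replaced.
set -eu

BACKEND_IP="${BACKEND_IP:-192.0.2.20}"    # assumed mythbackend address
LAN_NET="${LAN_NET:-192.0.2.0/24}"        # assumed LAN subnet, not proxied
LAN_IF="${LAN_IF:-eth1}"                  # assumed LAN-facing interface
PROXY_PORT="${PROXY_PORT:-3129}"          # assumed proxy intercept port
APPLY="${APPLY:-0}"                       # 0 = dry run (print), 1 = apply as root

# Run iptables for real only when APPLY=1; otherwise print the command.
ipt() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Intercept only port 80 from the backend. Port 443 is not touched: doing so
# would need the MitM certificate approach discussed in the thread, so HTTPS
# simply bypasses the proxy rather than producing certificate warnings.
build_rules() {
    # Accept the redirected connections on the proxy port from the backend.
    ipt -A INPUT -i "$LAN_IF" -s "$BACKEND_IP" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # Do not redirect LAN-internal traffic (e.g. frontends on the same subnet).
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$BACKEND_IP" -d "$LAN_NET" -j RETURN
    # backend -> *:80 becomes backend -> gateway:PROXY_PORT; the proxy recovers
    # the original destination from the NAT table.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$BACKEND_IP" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Count generated rules matching a destination port (used to sanity-check
# that only port 80 is intercepted).
rules_for_dport() {
    build_rules | grep -c -- "--dport $1 " || true
}

build_rules
```

Run as-is for a dry run that prints the rules; run as root with `APPLY=1` to install them.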

