lancache https spoofing

[Poet129]

I have setup a lancache server Setup and I would like to know how to setup "https spoofing" so I can use this with https... Please help thanks in advance.

[brwainer]

58 minutes ago, Poet129 said:

I have setup a lancache server Setup and I would like to know how to setup "https spoofing" so I can use this with https... Please help thanks in advance.

As long as you use a private IP address for the cache itself (as explained here http://lancache.net/docs/common-issues/#non-rfc1918-ip-ranges) all of the major game clients will fall back to HTTP. The only way to do a true/full HTTPS intercept, is to generate your own root certificate and manually import it into every client which would be behind the cache. Then there would be other changes needed to disable the SNI Proxy (which normally forwards the HTTPS traffic to its intended destination) and make the caching proxy work on HTTPS as well. There are many downsides from a security perspective in doing this, because all of the client devices would no longer be able to verify whether a website has been hijacked or not (since you are effectively hijacking all websites). Given the small number of game clients this effects (I thought there was one remaining, but my research indicated that as of May 2019 there wasn't any major service affected), the security risk, and the fact that you have to modify *every* client which would be redirected by DNS to the caching server, it isn't worth it to nearly anyone - which is why there is not ready made instructions for it.

 

Edit: Correction, looks like Origin was using HTTPS from July 2019 until about a month ago. That is the one I was thinking of, because I had tested and used the lancache.net monolithic container for a LAN right a little over a month ago.

[Poet129]

I realize this but for my setup it would be very useful to have.

[Poet129]

14 minutes ago, brwainer said:

As long as you use a private IP address for the cache itself (as explained here http://lancache.net/docs/common-issues/#non-rfc1918-ip-ranges) all of the major game clients will fall back to HTTP. The only way to do a true/full HTTPS intercept, is to generate your own root certificate and manually import it into every client which would be behind the cache. Then there would be other changes needed to disable the SNI Proxy (which normally forwards the HTTPS traffic to its intended destination) and make the caching proxy work on HTTPS as well. There are many downsides from a security perspective in doing this, because all of the client devices would no longer be able to verify whether a website has been hijacked or not (since you are effectively hijacking all websites). Given the small number of game clients this effects (I thought there was one remaining, but my research indicated that as of May 2019 there wasn't any major service affected), the security risk, and the fact that you have to modify *every* client which would be redirected by DNS to the caching server, it isn't worth it to nearly anyone - which is why there is not ready made instructions for it.

 

Edit: Correction, looks like Origin was using HTTPS from July 2019 until about a month ago. That is the one I was thinking of, because I had tested and used the lancache.net monolithic container for a LAN right a little over a month ago.

 

3 minutes ago, Poet129 said:

I realize this but for my setup it would be very useful to have.

Is there any information on how to do this?

[brwainer]

8 minutes ago, Poet129 said:

 

Is there any information on how to do this?

I've never wanted to look it up, so I have no idea. I suspect you'll have to learn how the proxy actually works (how nginx is set up) and do research on HTTPS interception. The rare cases where HTTPS interception is used that you should be able to find information about is for companies that want to inspect all traffic in their firewall - but usually that is done with enterprise solutions not DIY.

[Alex Atkin UK]

 

[Poet129]

Is there a tutorial for https spoofing anywhere, even slightly outdated?