How to roll your own HTTPS-only service

Posted June 22, 2014 by David Redekop to Security

We want to see the world more secure and more private, so we are sharing some details on how we achieved it. This is how you can roll your own, especially if you already run an iptables-based firewall or router.

There are two components, plus a few requirements, to make this work.

  1. A public landing page that automatically redirects HTTP requests to HTTPS.

    If you don’t want to set up your own, you’re welcome to use ours at

    107.178.208.232

    The server at this address takes the Host header of each incoming HTTP request, attempts an SSL/TLS handshake with that host on port 443, and redirects you to the https:// version of the same URL within six seconds if the handshake succeeds. Note that whoever runs the landing page necessarily sees the hostname of every plain-HTTP request your device makes, which is why the privacy terms matter: we have a published Privacy Policy, so you can rest assured that we’re not logging this usage beyond what is needed to scale the service.

  2. Router configuration that captures (hijacks) TCP port 80 traffic from the device and redirects it to the public landing page above. In our case, our firmware is based on OpenWrt, which uses iptables as part of its core operating system. Any other iptables-based firewall (DD-WRT or a full-scale Linux-based gateway) can use the same or a similar rule; pfSense uses pf rather than iptables, so the rule would have to be translated. The rule rewrites the destination of the device’s outgoing port 80 connections; connection tracking takes care of the reply direction. Let’s say the device you want to put on an HTTPS-only profile has 192.168.11.2; you add a rule like this (on a generic Linux gateway the chain is PREROUTING rather than OpenWrt’s prerouting_lan_rule):

    iptables -t nat -A prerouting_lan_rule -i br-lan -p tcp -s 192.168.11.2 --dport 80 -j DNAT --to 107.178.208.232:80

A few other considerations when doing this:

  • Your LAN interface may not be br-lan; it could be eth1 or something else. Check with ip link or ifconfig before adding the rule.
  • Any time you have a device-specific rule, make sure the device keeps that address: give it a DHCP reservation or assign the IP statically. Otherwise the rule silently stops matching when the lease changes.
  • For any purists out there, this is a port check, not a protocol-level check. Only TCP port 80 is captured, so a web server listening on any other port (8080, for example) is untouched, and any non-HTTP traffic on port 80 is captured along with the rest.
  • The captured request still leaves the device in the clear, Host header, path and any cookies included; it just lands on the landing page instead of the original site. This enforces that browsing ends up on HTTPS, it does not stop that first plaintext request.
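As an added example, not the code running on the author’s landing page (the post does not publish it), here is a minimal Python landing page that does what step 1 describes: read the Host header of the captured request, attempt a certificate-verified TLS handshake with that name on port 443, and answer with a 302 to the https:// URL if it succeeds. Function names, the use of the post’s six-second figure as the probe timeout, the 502 status for hosts without working HTTPS, and the refusal to probe private addresses are my assumptions. The Host value is client-controlled and is echoed into the Location header, so it is validated against the hostname grammar first.

```python
import ipaddress
import re
import socket
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the post's "within six seconds" is treated as the TLS probe timeout.
PROBE_TIMEOUT = 6.0

# The Host header is attacker-controlled and ends up in our Location header,
# so only a syntactically valid DNS name is accepted (no CRLF, no spaces).
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
)
# Request path safe to echo into Location: printable ASCII, no whitespace.
PATH_RE = re.compile(r"/[!-~]*")


def resolves_to_public_address(host):
    """Refuse loopback/private/link-local targets so the landing page cannot be
    used to probe networks reachable from it (assumed SSRF guard)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False
    addrs = [info[4][0].split("%")[0] for info in infos]
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)


def tls_handshake_ok(host, port=443, timeout=PROBE_TIMEOUT):
    """True only if a full TLS handshake succeeds and the certificate
    validates for `host` against the system trust store."""
    if not resolves_to_public_address(host):
        return False
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError, ValueError):
        return False


def build_response(host_header, path, probe=tls_handshake_ok):
    """Decide the reply to one captured port-80 request.
    Returns (status, headers, body); `probe` is injectable for offline tests."""
    host = (host_header or "").split(":", 1)[0].strip().lower()
    if not HOSTNAME_RE.fullmatch(host):
        return 400, {"Content-Type": "text/plain"}, b"Missing or invalid Host header\n"
    if not PATH_RE.fullmatch(path or ""):
        path = "/"  # absolute-form or malformed targets fall back to the site root
    if probe(host):
        location = "https://%s%s" % (host, path)
        body = ("Redirecting to %s\n" % location).encode()
        return 302, {"Location": location, "Cache-Control": "no-store"}, body
    body = ("No working HTTPS service found for %s; HTTP is blocked by policy.\n" % host).encode()
    return 502, {"Content-Type": "text/plain"}, body


class RedirectHandler(BaseHTTPRequestHandler):
    def _reply(self, send_body):
        status, headers, body = build_response(self.headers.get("Host"), self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_GET(self):
        self._reply(send_body=True)

    def do_HEAD(self):
        self._reply(send_body=False)

    def log_message(self, fmt, *args):
        pass  # every request carries someone else's hostname: do not log it


if __name__ == "__main__":
    # Listen on the port the router's DNAT rule points at.
    HTTPServer(("0.0.0.0", 80), RedirectHandler).serve_forever()
```

Run it as root (or behind a port forward) on the host your DNAT rule targets. The probe deliberately uses the default verifying context: a site with a self-signed or mismatched certificate is treated as having no usable HTTPS, which is the conservative choice for an HTTPS-only profile.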

It goes without saying that these additional considerations are what DNSthingy takes care of for you automatically. If a device’s IP address changes from one day to the next, the iptables rule is adjusted automatically. Likewise, when you turn this feature on or off, the rule is added or deleted automatically.

Hopefully you’ve found this helpful. If I’ve missed anything, feel free to leave a comment.