Redirect requests to amazon.com to smile.amazon.com

Hey all,

I’m trying to figure out the best way to configure pfSense to redirect all requests to amazon.com to smile.amazon.com. Is there an easy way to accomplish this?

Much appreciated!

My knowledge on that topic is definitely not exhaustive, but as far as I know there is no way to do what you are asking that doesn’t require terminating the TLS connection at a proxy (HAProxy, Squid, etc.) and therefore needing to install certificates on all clients.

This thread explains why you cannot go around decrypting the traffic when you want to make redirects.

Since the hostname is unencrypted due to SNI, requests to amazon.com can be detected by a proxy and the destination IP rewritten to one of smile.amazon.com’s addresses. But that doesn’t change the Host HTTP header of the request, so the smile.amazon.com server will receive a request for amazon.com which it won’t know how to answer.

I agree with @paolo here. You’d need a forward proxy that could change the domain, but depending on how Amazon does their certs it probably won’t work.

Amazon uses HSTS and cert pinning, so if your browser is expecting a cert to come from www.amazon.com then it won’t accept a cert from smile.amazon.com.

But then you still have the issue of the HTTP header. www.amazon.com will receive a GET request for smile.amazon.com which it won’t know what to do with (probably).

Your better option is to download a browser extension to do this automatically.