HTTP Traffic Redirection v0.1

Nowadays, browsing the Internet with an outdated browser can be harmful to your computer, as much malware spreads by exploiting browser vulnerabilities.

With Haka, we can avoid such attacks. The idea is simple: redirect HTTP requests issued by outdated browsers by modifying the HTTP content on the fly.

We need to create a group named 'safe_update' with two rules:

  1. The first rule only authorises HTTP traffic to update servers (e.g. mozilla.org). This is done by checking the 'Host' header.

         safe_update:rule{
             hooks = { 'http-response' },
             eval = function (self, http)
                 local host = http.request.headers['Host'] or ''
                 for _, dom in ipairs(update_domains) do
                     -- string.find treats dom as a Lua pattern and matches it
                     -- anywhere inside the Host value
                     if string.find(host, dom) then
                         haka.log("Filter", "Requesting an update domain")
                         return true
                     end
                 end
             end
         }

  2. The second rule redirects requests to an update server if the 'User-Agent' header is detected as obsolete. This rule shows Haka's ability to modify HTTP response headers on the fly in order to redirect requests.

         safe_update:rule{
             hooks = { 'http-response' },
             eval = function (self, http)
                 local UA = http.request.headers["User-Agent"] or "No User-Agent header"
                 haka.log("Filter", "UA detected: %s", UA)
                 local FF_UA = (string.find(UA, "Firefox/"))

                 if FF_UA then -- Firefox was detected
                     -- "Firefox/" is 8 characters long, so the version starts at FF_UA+8
                     local version = tonumber(string.sub(UA, FF_UA+8))
                     -- a version that cannot be parsed is treated as outdated
                     if not version or version < last_firefox_version then
                         haka.alert{
                             description= "Firefox is outdated, please upgrade",
                             severity= 'medium'
                         }
                         -- redirect browser to a safe place where updates will be made
                         http.response.status = "307"
                         http.response.reason = "Moved Temporarily"
                         http.response.headers["Content-Length"] = "0"
                         http.response.headers["Location"] = firefox_web_site
                         http.response.headers["Server"] = "A patchy server"
                         http.response.headers["Connection"] = "Close"
                         http.response.headers["Proxy-Connection"] = "Close"
                         -- dump the response for illustrative purpose
                         http.response:dump()
                     end
                 else
                     haka.log("Filter", "Unknown or missing User-Agent")
                 end
             end
         }

Refer to the filter tutorial to see the full script.
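
The two header checks used by the rules, reworked in plain Lua as an added example (not part of the original page or of Haka's own scripts): it compares the `string.find` host match and the `tonumber` version parse with stricter variants over constructed sample headers. The helper names, the `update_domains` contents and the `last_firefox_version` value are assumptions, and the stricter variants go beyond what the page's rules do.

```lua
-- Added example: plain Lua, runs without Haka. Helper names and sample values are constructed.
local update_domains = { "mozilla.org" }   -- assumed list; the page names mozilla.org
local last_firefox_version = 24             -- assumed threshold for the demo

-- The check as written in the first rule: Lua pattern, matched anywhere in the host.
local function page_host_check(host)
    for _, dom in ipairs(update_domains) do
        if string.find(host, dom) then return true end
    end
    return false
end

-- Stricter check: exact host or a subdomain of it, case-insensitive, port ignored.
local function strict_host_check(host)
    host = (host:lower():gsub(":%d+$", ""))
    for _, dom in ipairs(update_domains) do
        if host == dom or host:sub(-(#dom + 1)) == "." .. dom then return true end
    end
    return false
end

-- The parse as written in the second rule: everything after "Firefox/" must be one number.
local function page_version(ua)
    local pos = string.find(ua, "Firefox/")
    return pos and tonumber(string.sub(ua, pos + 8))
end

-- Stricter parse: capture only the major version digits.
local function major_version(ua)
    local m = ua:match("Firefox/(%d+)")
    return m and tonumber(m)
end

local hosts = { "www.mozilla.org", "mozilla.org:443", "mozilla.org.example.net",
                "notmozilla.org", "mozillaXorg.example" }   -- constructed Host values
for _, h in ipairs(hosts) do
    print(string.format("%-26s page=%-5s strict=%s", h,
        tostring(page_host_check(h)), tostring(strict_host_check(h))))
end

local agents = {   -- constructed User-Agent values
    "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13",
    "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 SeaMonkey/2.21",
}
for _, ua in ipairs(agents) do
    local v = major_version(ua)
    print(string.format("page=%-5s major=%-3s outdated=%-5s %s", tostring(page_version(ua)),
        tostring(v), tostring(v ~= nil and v < last_firefox_version), ua:match("Firefox/.*")))
end
```

The last User-Agent shows the edge case in the second rule's parse: a trailing product token makes `tonumber` return nil, so a current version is handled as outdated.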