MikroTik Hotspot is one of the most popular services in MikroTik Router. It authorizes network clients before they can access local network resources as well as public network resources through the MikroTik Router. In my previous article I discussed MikroTik Hotspot configuration using Winbox. But the default MikroTik Hotspot configuration runs into HTTPS Redirect and HTTPS Login issues. To solve these issues, MikroTik Hotspot HTTPS configuration is required. So, in this article I will discuss how to configure MikroTik Hotspot HTTPS to solve the HTTPS Redirect and HTTPS Login issues.
MikroTik Hotspot HTTPS Redirect
When a Hotspot user browses any site from any browser before authentication, Hotspot redirects the user to the Hotspot login page and asks them to authenticate. This is the default behavior of MikroTik Hotspot. But when a user browses an HTTPS site, Hotspot does not redirect to the login page; the browser shows a secure connection error instead. This was not a problem a few years ago when sites were HTTP, but websites have since been upgraded to HTTPS, so HTTPS websites now cause this problem. Configuring MikroTik Hotspot HTTPS solves this issue.
MikroTik Hotspot HTTPS Login Page
By default MikroTik Hotspot provides an HTTP login page, but HTTP is not secure for login because it transmits data in plain text, which exposes it to man-in-the-middle attacks and can leak login credentials. So, an HTTP login page can hamper business continuity. Configuring MikroTik Hotspot HTTPS solves this issue as well.
MikroTik Hotspot HTTPS Configuration
Data flow between an HTTP server and a client is plain text, so passing login credentials over an HTTP connection is never safe. It is always better to provide an HTTPS login page to Hotspot users.
Complete HTTPS configuration in MikroTik Hotspot Server can be divided into the following three steps.
- Creating SSL Certificate for HTTPS Server
- Enabling HTTPS in MikroTik Router
- Enabling HTTPS Redirect in MikroTik Hotspot
Step 1: Creating SSL Certificate for HTTPS Server
The HTTPS Server requires an SSL certificate for secure communication. MikroTik RouterOS v6 gives the ability to create, store and manage certificates in its certificate store. So, we will create the required HTTPS Server certificate in MikroTik RouterOS. The HTTPS Server requires two types of certificates:
- CA (Certification Authority) Certificate and
- Server Certificate
Creating CA certificate
MikroTik RouterOS can create self-signed certificates, and a self-signed setup requires a CA (Certification Authority) certificate to sign the Server Certificate. The following steps will show how to create a CA certificate in MikroTik RouterOS.
- From Winbox, go to System > Certificates menu item and click on Certificates tab and then click on PLUS SIGN (+). New Certificate window will appear.
- Put CA certificate name (for example: CA) in Name input field and Common Name input field.
- You will find some optional fields in the General tab. You can fill those in if you wish. All fields are self-explanatory.
- Click on the Key Usage tab and uncheck all checkboxes except crl sign and key cert. sign.
- Click on Apply button and then click on Sign button. Sign window will appear now.
- Your created CA certificate template will appear in Certificate dropdown menu. Select your newly created certificate template if it is not selected.
- Put MikroTik Router’s LAN Gateway IP address or WAN IP address (example: 172.22.22.1) in CA CRL Host input field.
- Click on Sign button. Your signed certificate will be created within a few seconds.
- Click on OK button to close New Certificate window.
- If the newly created CA certificate does not show the T flag or its Trusted property shows no, double click on your CA certificate, click on the Trusted checkbox located at the bottom of the General tab and then click on the Apply and OK buttons.
Creating Server Certificate
After creating the CA certificate, we will now create the Server Certificate that will be signed by the created CA. The Server Certificate will be used by the HTTPS Server. The following steps will show how to create the Server Certificate in MikroTik RouterOS.
- Click on PLUS SIGN (+) again. New Certificate window will appear.
- Put server certificate name (for example: Hotspot Server) in Name input field and Common Name input field.
- If you have filled in any optional fields in the CA certificate, fill them in here also.
- Click on the Key Usage tab and uncheck all checkboxes except the digital signature, key encipherment and tls server checkboxes.
- Click on Apply button and then click on Sign button. Sign window will appear now.
- Your newly created Server certificate template will appear in certificate dropdown menu. Select newly created certificate template if it is not selected.
- Also select CA certificate from CA dropdown menu.
- Click on Sign button. Your signed certificate will be created within a few seconds.
- Click on OK button to close New Certificate window.
- If the newly created server certificate does not show the T flag or its Trusted property shows no, double click on your server certificate, click on the Trusted checkbox located at the bottom of the General tab and then click on the Apply and OK buttons.
We have successfully created the required CA and Server Certificates. After creating and signing them, both certificates appear in the Certificates list.
Step 2: Enabling HTTPS in MikroTik Router
After creating the certificates, we will now enable the HTTPS Server in MikroTik Router. The following steps will show how to enable the HTTPS Server in MikroTik Router.
- From Winbox, go to IP > Services. The IP Service List window will appear, listing all available services.
- Double click on www-ssl service. IP Service <www-ssl> window will appear.
- From the Certificate drop down menu, choose the Hotspot Server certificate that we created in the previous step.
- Click Apply and OK button.
Suggestion: it is better to disable HTTP (Port 80) service so that HTTP login page does not appear accidentally.
Step 3: Enabling HTTPS Redirect in MikroTik Hotspot
After enabling the HTTPS Server, we will now enable HTTPS Redirect in MikroTik Hotspot. The following steps will show how to enable HTTPS Redirect in the MikroTik Hotspot Server.
- From Winbox, go to IP > Hotspot. Hotspot window will appear.
- From Hotspot window, click on Server Profiles tab and double click on your Server profile. Hotspot Server Profile window will appear.
- From Hotspot Server Profile window, click on Login tab.
- From Login By panel, click on HTTPS checkbox.
- From the SSL Certificate drop down menu, choose the Hotspot Server certificate that we created in the first step.
- Make sure HTTPS Redirect checkbox is checked.
- Click Apply and OK button.
HTTPS Redirect is now enabled in MikroTik Hotspot Server. Visit any HTTPS website before authentication and you will find the redirected HTTPS Login Page.
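The three Winbox steps above can also be entered in the RouterOS terminal, which makes the configuration repeatable and easy to review. This is an added example, not part of the original article; the certificate names and 172.22.22.1 are the article's own examples, and hsprof1 is an assumed server profile name that must be replaced with yours.

```routeros
# Added example: terminal equivalent of Steps 1-3 (RouterOS v6).
# hsprof1 is an assumed Hotspot server profile name; use your own.

# Step 1a: CA certificate, restricted to signing certificates and CRLs
/certificate add name=CA common-name=CA key-usage=key-cert-sign,crl-sign
/certificate sign CA ca-crl-host=172.22.22.1

# Step 1b: server certificate, signed by the CA created above
/certificate add name="Hotspot Server" common-name="Hotspot Server" \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign "Hotspot Server" ca=CA

# Mark both certificates trusted if the T flag is missing
/certificate set CA trusted=yes
/certificate set "Hotspot Server" trusted=yes

# Step 2: bind the server certificate to www-ssl and disable plain HTTP
/ip service set www-ssl certificate="Hotspot Server" disabled=no
/ip service set www disabled=yes

# Step 3: HTTPS login and HTTPS redirect on the server profile.
# login-by replaces the whole list: cookie,http-chap are the RouterOS
# defaults, https is the method being added.
/ip hotspot profile set hsprof1 login-by=cookie,http-chap,https \
    ssl-certificate="Hotspot Server" https-redirect=yes

# Check: both certificates should show the T flag, www-ssl should be
# enabled with the certificate set, and the profile should list https.
# The CA is private to this router, so client browsers warn on the
# login page until they trust it.
/certificate print
/ip service print where name~"www"
/ip hotspot profile print where name=hsprof1
```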
OOPS! I visited Facebook, YouTube or Google but the HTTPS Login Page doesn't appear. Why?
Because Facebook, YouTube and Google use HSTS (HTTP Strict Transport Security), and HTTPS redirection is not possible for HSTS-enabled websites that were visited before. In this case, use another HTTPS site such as https://systemzone.net or https://www.itechsheet.com, or any other website that doesn't use HSTS, and it will redirect to the HTTPS Login Page.
How to configure HTTPS Redirect and the HTTPS Login Page in MikroTik Hotspot has been discussed in this article. I hope you will now be able to configure HTTPS Redirect and the HTTPS Login Page in your Hotspot Server. However, if you face any confusion configuring them, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.