Re: [squid-users] Transparent proxy with HTTPS on freebsd

From: Stefan Hartmann <hartm_at_odn.de>
Date: Wed, 29 Apr 2009 16:03:51 +0200

Goody,

if you simply want to have http and https go through the same unix box,
you can use squid for http and a port forwarding (for example using
iptables) for https.

Regards,
Stefan

nyoman karna wrote:
> nope,
> you can NOT use transparent proxy for HTTPS.
>
> since using transparent proxy for HTTPS
> will be considered as man-in-the-middle attack.
>
> you probably may use PAC (as Amos suggested)
> but IMO it ruin the basic idea of using transparent proxy
> (which is user does not need to put any setting in their browser)
>
> ------------------------
> Nyoman Bogi Aditya Karna
> IM Telkom
> http://www.imtelkom.ac.id
> ------------------------
>
>
>
> --- On Wed, 4/29/09, goody goody <thinkodd_at_yahoo.com> wrote:
>
>> From: goody goody <thinkodd_at_yahoo.com>
>> Subject: Re: [squid-users] Transparent proxy with HTTPS on freebsd
>> To: squid-users_at_squid-cache.org
>> Cc: "Amos Jeffries" <squid3_at_treenet.co.nz>
>> Date: Wednesday, April 29, 2009, 7:30 AM
>>
>> Dear Amos,
>>
>> i say http works but https doesn't behind transparent proxy
>> (no proxy details specified in browser) and this is simply I
>> just want to achieve as some sites such as yahoo, gmail use
>> https to connect to.
>>
>> so if you guide my how can i configure squid to allow https
>> sites to connect behind transparent proxy.
>>
>> Further info regarding squid and bsd os is as follows.
>>
>> squid version info
>>
>> Squid Cache: Version 2.5.STABLE10
>> configure options: --enable-storeio=diskd,ufs
>> --enable-snmp --with-openssl=/opt/ssl '--enable-auth=basic
>> ntlm' --enable-wccp '--enable-removal-policies=heap lru'
>>
>> BSD OS Info
>>
>> FreeBSD XXX 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri Mar 30
>> 18:16:33 PKT 2007 root_at_xxx.abc.com.:/usr/src/sys/i386/compile/BSD-ROUTER
>> i386
>>
>> an early response would be very much appreciated.
>>
>> Regards,
>>
>>
>> --- On Wed, 4/29/09, Amos Jeffries <squid3_at_treenet.co.nz>
>> wrote:
>>
>>> From: Amos Jeffries <squid3_at_treenet.co.nz>
>>> Subject: Re: [squid-users] Transparent proxy with
>> HTTPS on freebsd
>>> To: "abdul sami" <sami.memon_at_gmail.com>
>>> Cc: squid-users_at_squid-cache.org
>>> Date: Wednesday, April 29, 2009, 1:49 PM
>>> abdul sami wrote:
>>>> Dear all,
>>>>
>>>> subject settings doesn't work when i set the
>>> transparent proxy though
>>>> http traffic works. on analysis of traffic i have
>> come
>>> to know that
>>>> proxy doesn't add it's source address to https
>> traffic
>>> rather simply
>>>> forwards it with local net address to
>> gateway/firewall
>>> device which
>>>> ultimately drops the packets.
>>>>
>>>> any suggestion in shape of steps/article would
>> be
>>> highly appreciated.
>>>> Regards,
>>> Pardon?
>>> HTTPS being transparently intercepted (miracle
>> #1) and the
>>> users not phoning you about being attacked? (miracle
>> #2).
>>> HTTPS == HTTP via _secure_ SSL.
>>> transparent proxy == man-in-middle network attack on
>>> traffic.
>>>
>>> HTTPS was created to prevent transparent interception
>>> amongst other things. So yes I'm not surprised it
>> won't
>>> work.
>>>
>>> What are you trying to achieve with this?
>>>
>>> Amos
>>> -- Please be using
>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>>> Current Beta Squid 3.1.0.7
>>>
>>
>>
>>
>
>
>
>
>

-- 
09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0
---
OnlineDienst Nordbayern   | http://www.odn.de/    | Internet-Systemhaus
GmbH & Co.KG              | E-Mail: hartm_at_odn.de  | Hosting, Housing
Steinstr. 19              | Tel: 0911 / 933877-0  | Consulting, VoIP
90419 Nuernberg - Germany | Fax: 0911 / 933877-55 | Programmierung
GF Christiane Teichgräber | AG Nürnberg HRA 13304 |

Received on Wed Apr 29 2009 - 14:04:05 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 29 2009 - 12:00:03 MDT