Re: [squid-users] Transparent proxy with HTTPS on freebsd

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 30 Apr 2009 02:56:40 +1200

nyoman karna wrote:
> nope,
> you can NOT use transparent proxy for HTTPS.
>
> since using transparent proxy for HTTPS
> will be considered as man-in-the-middle attack.
>
> you probably may use PAC (as Amos suggested)
> but IMO it ruins the basic idea of using transparent proxy
> (which is that the user does not need to put any setting in their browser)

Not quite. WPAD can be used with PAC so users only have 'auto-detect' on
their browsers. The rest happens 'transparently' in one meaning of the term.

Amos

>
>
>
> --- On Wed, 4/29/09, goody goody <thinkodd_at_yahoo.com> wrote:
>
>> From: goody goody <thinkodd_at_yahoo.com>
>> Subject: Re: [squid-users] Transparent proxy with HTTPS on freebsd
>> To: squid-users_at_squid-cache.org
>> Cc: "Amos Jeffries" <squid3_at_treenet.co.nz>
>> Date: Wednesday, April 29, 2009, 7:30 AM
>>
>> Dear Amos,
>>
>> I say http works but https doesn't behind transparent proxy
>> (no proxy details specified in browser) and this is simply what I
>> just want to achieve as some sites such as yahoo, gmail use
>> https to connect to.
>>
>> so if you guide me how can I configure squid to allow https
>> sites to connect behind transparent proxy.
>>
>> Further info regarding squid and bsd os is as follows.
>>
>> squid version info
>>
>> Squid Cache: Version 2.5.STABLE10
>> configure options: --enable-storeio=diskd,ufs
>> --enable-snmp --with-openssl=/opt/ssl '--enable-auth=basic
>> ntlm' --enable-wccp '--enable-removal-policies=heap lru'
>>
>> BSD OS Info
>>
>> FreeBSD XXX 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri Mar 30
>> 18:16:33 PKT 2007 root_at_xxx.abc.com.:/usr/src/sys/i386/compile/BSD-ROUTER
>> i386
>>
>> an early response would be very much appreciated.
>>
>> Regards,
>>
>>
>> --- On Wed, 4/29/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>
>>> From: Amos Jeffries <squid3_at_treenet.co.nz>
>>> Subject: Re: [squid-users] Transparent proxy with HTTPS on freebsd
>>> To: "abdul sami" <sami.memon_at_gmail.com>
>>> Cc: squid-users_at_squid-cache.org
>>> Date: Wednesday, April 29, 2009, 1:49 PM
>>>
>>> abdul sami wrote:
>>>> Dear all,
>>>>
>>>> subject settings doesn't work when I set the transparent proxy though
>>>> http traffic works. on analysis of traffic I have come to know that
>>>> proxy doesn't add its source address to https traffic rather simply
>>>> forwards it with local net address to gateway/firewall device which
>>>> ultimately drops the packets.
>>>>
>>>> any suggestion in shape of steps/article would be highly appreciated.
>>>>
>>>> Regards,
>>>
>>> Pardon?
>>> HTTPS being transparently intercepted (miracle #1) and the
>>> users not phoning you about being attacked? (miracle #2).
>>>
>>> HTTPS == HTTP via _secure_ SSL.
>>> transparent proxy == man-in-middle network attack on traffic.
>>>
>>> HTTPS was created to prevent transparent interception
>>> amongst other things. So yes I'm not surprised it won't work.
>>>
>>> What are you trying to achieve with this?
>>>
>>> Amos
>>> -- 
>>> Please be using
>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>>> Current Beta Squid 3.1.0.7

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
Received on Wed Apr 29 2009 - 14:56:48 MDT
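
The WPAD + PAC arrangement mentioned in the reply above, as an added example that is not part of the original thread: a PAC file (served as `wpad.dat`) that sends both http and https requests to Squid running as an ordinary forward proxy, so HTTPS travels through a CONNECT tunnel instead of being intercepted. The proxy host `proxy.example.lan`, the port and the internal domain suffix are assumptions for illustration, and the helper names are hypothetical.

```javascript
// wpad.dat: constructed example PAC file (not from the thread).
// Browsers set to "auto-detect" locate it through WPAD (DHCP option 252 or
// the DNS name wpad.<domain>) and call FindProxyForURL() for every request.
// Assumption: Squid listens as a normal forward proxy at the address below.
var PROXY = "PROXY proxy.example.lan:3128";  // hypothetical host; 3128 is Squid's default port
var LOCAL_SUFFIXES = [".example.lan"];       // hypothetical internal domain

function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

// Hosts that should never be sent to the proxy.
function isLocalHost(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;        // unqualified intranet name
  if (host.indexOf("127.") === 0) return true;      // loopback
  for (var i = 0; i < LOCAL_SUFFIXES.length; i++) {
    if (endsWith(host, LOCAL_SUFFIXES[i])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  if (isLocalHost(host)) return "DIRECT";
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  // http:  the browser sends the whole request to Squid.
  // https: the browser sends "CONNECT host:443" and runs TLS end to end
  //        through the tunnel; Squid sees only host and port, and the
  //        browser validates the origin server's own certificate.
  // No "; DIRECT" fallback is listed, so web traffic does not silently
  // bypass the proxy when it is unreachable.
  if (scheme === "http" || scheme === "https") return PROXY;
  return "DIRECT";                                  // other schemes bypass the proxy
}
```

The web server hosting the file should serve it with the MIME type `application/x-ns-proxy-autoconfig`.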
