Re: [squid-users] Squid transparent with single interface (https)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 26 Jan 2012 17:03:52 +1300

On 26/01/2012 8:04 a.m., Javier wrote:
> Hello ...
> I have a squid proxy server 3.1 with a single interface and would like to
> become transparent proxy, but the issue is https traffic, which would have
> to put in the transparent squid iptables to allow this traffic? is this
> possible? Sorry for the language

Best practice is to avoid interception (aka "transparent proxy") as much
as possible. Difficulty with HTTPS is just one of many problems it
creates. Use WPAD (web proxy auto-discovery) instead. It is transparent
from the user's perspective and avoids *all* the interception problems in
one relatively easy setup.
http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Fully_Automatic_Configuration

To *allow* the HTTPS traffic you do nothing. It is not sent by iptables
to Squid at all unless you make it happen. The regular routing and
firewall permit/deny rules control whether clients are allowed to use
HTTPS straight to "HTTP Secured" websites.

Browsers and other clients which are aware of the proxy (ie due to WPAD)
will send their HTTPS traffic to it in a form which Squid can handle.
Possibly using "ssl-bump" to reach inside the encryption if you need it to.

If you are in fact asking how to break in and decrypt the secured
traffic with an intercepting proxy, be aware that the SSL part of HTTPS was
designed specifically to prevent this type of interception working
silently. Current releases of 3.1 can technically decrypt the
intercepted SSL arriving at an intercept mode https_port, but at the cost of
clients getting an ongoing series of SSL security warnings popping up to
tell them about your bad behaviour (did I mention it's designed not to
permit silent decryption?). Squid-3.2 has a dynamic cert generator
ability to reduce the warning popups in a lot of situations. But it's
still not completely silent.

Amos
Received on Thu Jan 26 2012 - 04:04:01 MST
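The WPAD approach Amos recommends comes down to publishing a PAC file that proxy-aware clients fetch automatically. The following is an added example of such a file, not something from the thread or from the Squid project; the proxy address `proxy.example.internal:3128` and the internal DNS suffix `.corp.example` are assumptions you would replace with your own. The point it shows is that HTTPS URLs are routed to the proxy like any other: a proxy-aware client then sends them as CONNECT requests, which Squid handles on its ordinary forward-proxy port without any iptables redirection.

```javascript
// Constructed example WPAD/PAC file (wpad.dat) for a proxy-aware setup.
// Hostnames, ports and domain below are assumptions, not values from the thread.
var PROXY_HOST = "proxy.example.internal:3128";   // assumed Squid http_port listener
var LOCAL_DOMAIN = ".corp.example";               // assumed internal DNS suffix

// True for destinations that should bypass the proxy: localhost, bare
// hostnames (no dot), the internal apex domain and anything beneath it.
function isLocalDestination(host) {
  var h = host.toLowerCase();
  if (h === "localhost" || h === "127.0.0.1") { return true; }
  if (h.indexOf(".") === -1) { return true; }            // plain hostname
  if (h === LOCAL_DOMAIN.substring(1)) { return true; }  // apex, e.g. corp.example
  var suffixStart = h.length - LOCAL_DOMAIN.length;
  return suffixStart > 0 && h.indexOf(LOCAL_DOMAIN, suffixStart) === suffixStart;
}

// Standard PAC entry point called by the browser for every request.
// http://, https:// and ftp:// URLs go to the proxy; HTTPS is included on
// purpose, since a proxy-aware client tunnels it with CONNECT and Squid
// never needs intercept mode for it. Anything else goes DIRECT.
function FindProxyForURL(url, host) {
  if (isLocalDestination(host)) { return "DIRECT"; }
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme === "http" || scheme === "https" || scheme === "ftp") {
    return "PROXY " + PROXY_HOST;
  }
  return "DIRECT";
}
```

Serve the file as `http://wpad.<your-domain>/wpad.dat` with the `application/x-ns-proxy-autoconfig` content type (or hand its URL out via DHCP option 252) and clients that have auto-detection enabled will pick it up. Note that the proxy rule deliberately has no `; DIRECT` fallback: appending one would let clients fail open and bypass the proxy whenever it is unreachable.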
