Re: [squid-users] Squid transparent proxy issues with redirecting from HTTP to HTTPs

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 17 Mar 2012 03:08:38 +1300

On 17/03/2012 2:27 a.m., guest01 wrote:
> Hi guys,
>
> We are currently using our Squid (3.1.x) as transparent HTTP proxy
> (with dst nat). We also want to use our Squid as transparent HTTPs
> proxy, which works too, despite our Internet research in which we got
> many results for "transparent https proxying is not possible". I admit
> that there are some issues, but we only want to use it for our guest
> lan, not every site has to work. Unforuntately, there are many sites
> which start as HTTP-site and redirect to HTTPs before receiving login
> credentials (e.g. amazon) or just redirect (e.g.
> https://www.juniper.net/customers/csc/). In these situations, my
> firefox prints following error message: The page isn't redirecting
> properly. It seems Squid can't handle 302 (in transparent https mode?)
>
> https://www.juniper.net/customers/csc/
>
> GET /customers/csc/ HTTP/1.1
> Host: www.juniper.net
<snip>
> HTTP/1.0 302 Moved Temporarily
> Location: https://www.juniper.net/customers/csc/
<snip>

Notice how Squid is not identifying any difference between intercepted
HTTP and decrypted HTTPS.

> Can anybody offer a solution or how do you allow HTTPs in your guest
> (W)LANs? Direct connection or using proxy-scripts (WPAD,...)?

Add a name=X parameter to your http_port intercept port and use the
myportname ACL type to limit the redirect only to happen on requests
arriving via that port.

That will get the redirects going and then you face the actual blocker
problem...

  ... when you do HTTPS intercept on a guest how do you intend to
install your local CA on the guest browsers to prevent fake-certificate
warnings on every page load they do?
  SSL interception in Squid only supports the environments where the
browsers are configured to trust the local proxies CA. DMZ, Captive
Portals, and residential ISP type networks cannot do it without opening
themselves up to a range of legal issues.

Amos
Received on Fri Mar 16 2012 - 14:08:48 MDT

This archive was generated by hypermail 2.2.0 : Fri Mar 16 2012 - 12:00:04 MDT