Re: [squid-users] Transparent SSL Interception

From: Ahmed Talha Khan <auny87_at_gmail.com>
Date: Tue, 24 Apr 2012 15:23:16 +0500

You might want to look at
http://bugs.squid-cache.org/show_bug.cgi?id=2976. There was a
quick-fix which caused even more problems. This is a hard-coded value
that causes all requests to be forcibly rewritten to "http", even for
"https". You can reverse it via this patch:
http://bugs.squid-cache.org/attachment.cgi?id=2375.

It should work.

The pain was all mine to debug it ;)

-talha

On Tue, Apr 24, 2012 at 3:03 PM, Neil <nwilson123_at_gmail.com> wrote:
> Hi guys and girls,
>
> I've been trying to set up a "transparent" (from the user's side) SSL
> interception proxy. I realise this isn't advised as it breaks SSL and
> voids any user privacy etc., but this is for a school that needs to be able
> to monitor and control social networking access for students, and we've been
> asked to come up with a solution.
>
> The students bring in their own devices (iPads/tablets etc.) and these get
> assigned an IP via DHCP; port 443 and port 80 are then redirected (using
> iptables) to squid.
>
> I'm using squid (3.1.19) with --enable-ssl and --enable-icap-client as well
> as all the usual options. My transparent HTTP proxying works perfectly, so
> it's only the SSL side that doesn't work the way I've envisaged it would,
> e.g. the proxy intercepts all SSL traffic and acts as the user's PC would
> normally, and any certificate errors are hidden from the user's device,
> because certain apps (apple.com etc.) don't allow the users to accept
> certificate warnings.
>
> These are the relevant options from my squid.conf
>
> http_port 192.168.0.1:8080 intercept ssl-bump cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.pem
> https_port 192.168.0.1:8081 intercept cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.pem
>
> always_direct allow all
>
> acl broken_sites dstdomain .absa.co.za
> ssl_bump deny broken_sites
> ssl_bump allow all
>
> # ignore errors with certain sites (very dangerous!)
> acl TrustedName url_regex ^https://ib.absa.co.za/
> sslproxy_cert_error allow TrustedName
> sslproxy_cert_error deny all
>
> # ignore certain certificate errors (very dangerous!)
> acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow BadSite
> sslproxy_cert_error deny all
>
> The above might have word wrapped a bit.
>
>
> I've tried varying options like redirecting port 443 to my http_port and
> using "transparent" instead of "intercept", using "ssl-bump" on both the
> http_port and https_port, as well as a whole ton of other options, but nothing
> seems to make much of a difference. The best I can do is get https facebook
> to work transparently, but then I have major problems with most other SSL
> sites: the banking sites either complain about "redirecting in a way that
> will never finish" or they redirect to another page, where I'm guessing the
> remote webserver picks up some kind of SSL error and doesn't allow you to
> get in. As you can see in my config, I've tried to force "absa.co.za" to
> work no matter what happens, but the ACLs haven't made any difference.
>
> Please could anyone provide me with some guidance; I seem to be going round
> in circles here.
>
> Thank you.
>
> Regards.
> Neil Wilson.

-- 
Regards,
-Ahmed Talha Khan
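As an added example (not part of the thread, and not a Squid tool), here is a small Python linter that walks the ssl_bump and sslproxy_cert_error lines of the posted squid.conf, applying Squid's first-match rule for access lists: it shows that the second "deny all" makes the later "allow BadSite" unreachable, and flags every rule that accepts certificate errors outright. The sample configuration is embedded as constructed input, copied from the quoted post.

```python
"""Lint a squid.conf fragment for ssl-bump certificate-error rules.

Squid evaluates each access-list directive top to bottom and stops at the
first matching line, so anything after an 'allow all' / 'deny all' for the
same directive can never be reached.
"""

# Constructed sample: the relevant lines from the posted squid.conf.
SAMPLE_CONF = """
acl broken_sites dstdomain .absa.co.za
ssl_bump deny broken_sites
ssl_bump allow all

# ignore errors with certain sites (very dangerous!)
acl TrustedName url_regex ^https://ib.absa.co.za/
sslproxy_cert_error allow TrustedName
sslproxy_cert_error deny all

# ignore certain certificate errors (very dangerous!)
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all
"""

def lint_cert_error_rules(conf: str) -> list[str]:
    """Return human-readable findings for the access lists in *conf*."""
    findings = []
    acl_types = {}      # acl name -> acl type (dstdomain, ssl_error, ...)
    terminated = set()  # directives already closed by an '... all' rule
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acl_types[parts[1]] = parts[2]
            continue
        if parts[0] not in ("ssl_bump", "sslproxy_cert_error") or len(parts) < 3:
            continue
        directive, action, acls = parts[0], parts[1], parts[2:]
        if directive in terminated:
            findings.append(f"line {lineno}: '{line}' is unreachable; an earlier "
                            f"'{directive} ... all' already matches every request")
            continue
        if directive == "sslproxy_cert_error" and action == "allow":
            kinds = ", ".join(acl_types.get(a, "?") for a in acls)
            findings.append(f"line {lineno}: certificate errors are silently "
                            f"accepted for ACL(s) {acls} of type [{kinds}]")
        if acls == ["all"]:
            terminated.add(directive)
    return findings
```

Running `lint_cert_error_rules(SAMPLE_CONF)` reports the url_regex allow rule and then both lines of the second block as unreachable, which is one reason the "force absa.co.za to work" ACLs in the post had no visible effect.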
Received on Tue Apr 24 2012 - 10:23:23 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 24 2012 - 12:00:04 MDT