Re: [squid-users] Http works HTTPS gives cert errors. No errors in logs.

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 18 Oct 2013 18:32:24 -0600

On 10/18/2013 02:20 PM, Derek Pinkston wrote:

> Maybe someone can answer this for me so I can definitively determine
> if Squid is still right for us. We have used squid and squidguard for
> years to block sites for parts of our company and restrict total
> access for other parts. However now that more and more sites are
> using https by default, the users who should not be surfing the
> internet are surfing through https... I thought that the newest
> versions of squid would easily remedy this, but so far that does not
> seem to be the case.

By default, no Squid version tries to decrypt HTTPS connections. Recent
Squid versions have SslBump feature that can be used to decrypt HTTPS
connections. Without decryption, most URL filtering will work poorly and
content filtering will not work at all.

> Can squid+squid guard monitor and block https
> traffic without having to install certs on individual
> computers/browsers?

In short, no. Technically, you can block HTTPS traffic from/to a list of
IP addresses and sometimes host names, but such blocking will have to be
done very early in the HTTPS transaction lifetime, when very little
information is available. Intended URLs are not available, for example.
I do not know whether Squid Guard even has access to the transaction at
that early stage.

> I want this to be as un-intrusive as our previous setup was.

You can keep it unintrusive, but then you cannot police HTTPS. Pick your
poison. BTW, this is not specific to Squid. Any proxy would offer you a
similar trade-off (although some might do a better or worse job of HTTPS
filtering based on IP addresses alone).

HTH,

Alex.
Received on Sat Oct 19 2013 - 00:32:38 MDT
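As an added illustration of the "block early, without decrypting" option Alex describes (this is example configuration, not part of his message and not taken from the Squid project), the following squid.conf fragment refuses HTTPS tunnels to a list of host names without SslBump and without installing any CA certificate on clients. It assumes Squid 3.x running as an explicit (forward) proxy that browsers are configured to use; the domain names and the client network range are constructed for the example.

```conf
# Added example configuration (not from the original message or the Squid docs).
# Assumes an explicit (forward) proxy; example.com / example.net and the
# 192.168.0.0/16 range are constructed values.

acl SSL_ports port 443
acl CONNECT method CONNECT

# Hosts whose HTTPS traffic should be refused outright. In explicit mode the
# browser's CONNECT request carries the destination host name, so this match
# works before any TLS handshake and needs no decryption.
acl blocked_https dstdomain .example.com .example.net

# Refuse the tunnel before it is established. Only the host and port are
# known at this point; the URL path inside the tunnel is never visible.
http_access deny CONNECT blocked_https

# Remaining policy: no CONNECT to non-TLS ports, allow the local network.
acl localnet src 192.168.0.0/16
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

This is exactly the trade-off in the reply: the decision is made on the CONNECT host (or, if a client sends a bare IP address, on that address), so anything finer than a whole host, such as a path or a page category, cannot be enforced. The host name is only available because the client asks the proxy for the tunnel explicitly; with interception of port 443 there is no CONNECT request, and without SslBump the proxy sees just the destination IP.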
