Re: [squid-users] Http works HTTPS gives cert errors. No errors in logs.

From: Marcus Kool <>
Date: Fri, 18 Oct 2013 22:27:23 -0300

I think "Blocking HTTPS-based sites" needs to be added to the FAQ:

Blocking HTTP is easy because the HTTP protocol has well-defined
response codes to do this.

HTTPS actually is SSL-wrapped HTTP and SSL does not allow any kind
of interference, redirection or manipulation and cannot be blocked like
HTTP is blocked. You might say "but we have sslbump!" Sslbump is
a man-in-the-middle attack which can be masqueraded by added a
fake root certificate to all browsers. The downside is that the HTTPS
sites are not secure any more since the Squid administrator has access
to the decrypted content when Sslbump is enabled. So SSL has a benefit
and a security issue. It is up to you to decide whether Sslbump is
appropriate for your environment or not. Sslbump in Squid 3.2
brakes Skype and other protocols using port 443, but I do not know
for sure if this is still the case for version 3.3 or 3.4.

Having said all this, HTTPS *can* be blocked, but not as elegantly
as HTTP can be blocked. When a HTTPS URL is redirected or the
network connection between the browser and Squid is terminated, the
URL is effectively blocked and the end user has a vague message in
the browser like "cannot connect to server/proxy".
ufdbGuard, an alternative for squidGuard, by default redirects a
blocked HTTPS URL to which
has a valid SSL certificate and therefore normally gives a
slightly more comprehensible message "I do not trust the SSL
certificate" error in the browser of the end user. The fact that
the new URL is "", is a hint to the
end user what is going on. In case that the end user ignores
the SSL certificate warning, the end user will see a readable
"Forbidden" message.

Note that the issue with blocking HTTPS-based sites is true
for _all_ web proxies simply because SSL does not allow redirects.


On 10/18/2013 05:20 PM, Derek Pinkston wrote:
> Maybe someone can answer this for me so I can definitively determine
> if Squid is still right for us. We have used squid and squidguard for
> years to block sites for parts of our company and restrict total
> access for other parts. However now that more and more sites are
> using https by default, the users who should not be surfing the
> internet are surfing through https... I thought that the newest
> versions of squid would easily remedy this, but so far that does not
> seem to be the case. Can squid+squid guard monitor and block https
> traffic without having to install certs on individual
> computers/browsers? I want this to be as un-intrusive as our previous
> setup was.
> I thought I read it was possible but I'm having an impossible time
> finding an article or wiki or anything that will tell you exactly how
> to accomplish this. Can anyone please help or suggest something that
> may work for my situation.
Received on Sat Oct 19 2013 - 01:27:29 MDT

This archive was generated by hypermail 2.2.0 : Sat Oct 19 2013 - 12:00:08 MDT