[squid-users] squid module to "simulate" CONNECT setup to facilitate intercepted https

Mark Carey mark.carey at gmail.com
Mon Nov 9 06:33:59 UTC 2015


Hi,

Squid has some great features for traffic management policy and accounting.

The web is moving more and more to https which negates Squid's
advantages in caching.  I know that squid can not transparently proxy
https - I've run squid in intercept mode and pointed https traffic at
it and watched the rubbish that fills the logs.

Squid remains a great platform for centralising site policy in regards
to access and accounting for web traffic (even if it is only total
bytes to/from a host).  Replicating such policy is a pain in the
backside (try using iptables for domain wide rules, or reliable user
agent matching).

What I am interested in is whether there is or ever was a squid module that:

1. is suitable for running in intercept mode

2. maintains a list of active https connections

3. checks the acls to see if access is permitted, to the extent
permitted by https, so some checks would need to pass through lack of
sufficient information

4. when a new https connection is intercepted (internally fakes the
setup of a CONNECT tunnel)

5. if permitted and a suitable CONNECT tunnel exists shovels bits back
and forward like a traditional non-intercepted proxy

6. if not returns ICMP host unreachable

7. accounts for traffic in the same way as squid would in a configured
proxy setup

Has anyone tried this?  Or is the answer download the source and
patches welcome?

Thank you.

Mark Carey
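As an added illustration (not part of the original post or a reply to it), the squid.conf fragment below shows how Squid 3.5+ SslBump peek-and-splice approximates items 1, 3, 5 and 7 of the wish list without decrypting anything: intercepted connections are peeked for the TLS SNI, checked against an ACL, then spliced or terminated. It assumes a Squid built with OpenSSL support, a firewall redirect of port 443 to 3129 on the gateway, and a CA certificate at the placeholder path /etc/squid/ca.pem.

```conf
# Intercepted HTTPS listener (item 1). A cert is mandatory on an ssl-bump
# port even though nothing below decrypts traffic; the path is a placeholder.
https_port 3129 intercept ssl-bump cert=/etc/squid/ca.pem

# Policy expressed on the TLS SNI, the only name visible without decryption
# (item 3: checks limited to what https exposes). Domains are examples.
acl step1 at_step SslBump1
acl allowed_sites ssl::server_name .example.com .example.org

# Step 1: peek at the ClientHello to learn the SNI before any bytes reach the origin.
ssl_bump peek step1
# Permitted sites: join the two TCP halves and shovel bytes, no decryption (item 5).
ssl_bump splice allowed_sites
# Everything else: close the client connection (not an ICMP unreachable, see item 6).
ssl_bump terminate all

# Per-connection byte counts land in access.log as for a normal CONNECT (item 7).
access_log /var/log/squid/access.log squid
```

Items 2 and 4 are handled inside Squid's own TLS step machinery rather than by a separate module, and item 6 is not available: a terminated connection is simply closed.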

