[squid-users] Basic HTTPS filtering via CONNECT in Squid

Varun Singh varun.singh at gslab.com
Mon Feb 6 05:10:03 UTC 2017


Hi,
I have Squid 3 installed on Ubuntu 16.04. It works perfectly as an
HTTP proxy server in transparent mode.
I wanted to know whether it can be configured to run as an HTTPS proxy
server without SSL-Bump, i.e. without the 'man in the middle attack'
technique.

I read the documentation page on HTTPS support. It says that when a
browser comes across an HTTPS website, it opens a TCP tunnel through
Squid to the origin server using the CONNECT request method.
With this setting the server can filter URLs based on URL scheme, URL
path and query string. The payload is still encrypted.
After that the documentation goes on to explain how we can use
SSL-Bump to decrypt the payload.

Now, I only want to set up a basic HTTPS proxy via a CONNECT tunnel in which
you can only filter the URL path and query string. I am not looking to set up
SSL-Bump but still want to set up Squid for HTTPS filtering. I'm not
able to find a good tutorial for that.
Every tutorial I have found points to setting up SSL-Bump.

If any of you have done a setup like this before please help me.

Following is my squid configuration:

# Ports that may be the target of a CONNECT tunnel (HTTPS only).
acl SSL_ports port 443
# Ports that may be contacted with any request method.
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# url_regex reads one regular expression per line from the file.  For a
# CONNECT request the URL Squid matches against is only "host:port", so
# patterns written for paths or query strings never match HTTPS traffic.
acl blockads url_regex "/usr/local/squid/easylist"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny blockads
# Every client that can reach the port is allowed.  On an intercepting port
# that is only redirected traffic, but on an explicit port it is an open proxy.
http_access allow all
# 'transparent' is a deprecated synonym for 'intercept' in Squid 3.  An
# intercepting port only receives redirected port-80 connections and never
# sees CONNECT; browsers send CONNECT only to an explicitly configured proxy.
http_port 3128 transparent
coredump_dir /var/spool/squid
refresh_pattern ^ftp:                       1440    20%     10080
refresh_pattern ^gopher:                    1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?)           0       0%      0
refresh_pattern (Release|Packages(.gz)*)$   0       20%     2880
refresh_pattern .                           0       20%     4320

-- 
Regards,
Varun
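
A starting configuration for CONNECT-only HTTPS filtering without SSL-Bump, added here as an example; it is not taken from the original post or from the Squid project's own documentation. It assumes the proxy is configured explicitly in the browsers (port 3128 without the intercept/transparent flag, because intercepted port-80 traffic never carries CONNECT), a client range of 192.168.0.0/16, and a block list at /etc/squid/blocked_domains; the acl names, the address range and the file path are assumptions chosen for illustration.

```conf
# Explicit (non-intercepting) proxy port.  Browsers configured to use it
# send "CONNECT host:443 HTTP/1.1" for https:// URLs; no ssl_bump is set,
# so Squid only ever sees that host and port, never the decrypted request.
http_port 3128

# Assumed client network; adjust to the real LAN.
acl localnet src 192.168.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

# Assumed block list, one domain per line; a leading dot matches the domain
# and all of its subdomains, e.g.
#   .ads.example
#   tracker.example
acl blocked_domains dstdomain "/etc/squid/blocked_domains"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# The tunnel is refused before any TLS handshake reaches the origin.
http_access deny CONNECT blocked_domains
# The same list also covers plain-HTTP requests to those domains.
http_access deny blocked_domains

http_access allow localnet
http_access allow localhost
# Everything else is refused so the explicit port is not an open proxy.
http_access deny all
```

Because Squid only sees the host and port of a CONNECT request, the block list is a dstdomain list rather than URL regexes; the path and query string of an HTTPS request are inside the encrypted tunnel and cannot be filtered at all without SSL-Bump. To check the rule, run `curl -v -x http://127.0.0.1:3128 https://ads.example/` against the proxy: a listed domain is answered with a 403 on the CONNECT request and the TLS handshake never starts, while `https://www.example.com/` tunnels through unchanged and shows up in access.log as a CONNECT entry with only the host and port.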

