[squid-users] Basic HTTPS filtering via CONNECT in Squid

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 6 06:09:22 UTC 2017


On 6/02/2017 6:10 p.m., Varun Singh wrote:
> Hi,
> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
> HTTP proxy server in transparent mode.
> I wanted to know whether it can be configured to run as HTTPS proxy
> server without ssl-bump i.e. without 'man in the middle attack'
> technique.

The Ubuntu package of squid/squid3 can tunnel CONNECT requests. That is
all. It has no support for anything more complicated.


> 
> I read the documentation page of HTTPS support. It says that when a
> browser comes across an HTTPS website, it opens a TCP tunnel through
> Squid to the origin server using CONNECT request method.
> With this setting the server can filter URLs based on URL scheme, URL
> path and query string. The payload is still encrypted.

What documentation? It is wrong, or you are misunderstanding it. The URL
path?query is definitely *not* available without decrypting.

FWIW the squid wiki page on HTTPS documents all three of the
installation types that are all called "HTTPS".


> After that the documentation goes on to explain how we can use
> SSL-bump to decrypt the payload.
> 
> Now, I only want to set up a basic HTTPS proxy via CONNECT tunnel in which
> you can only filter URL path and string. I am not looking to set up
> SSL-bump but still want to set up Squid for HTTPS filtering. I'm not
> able to find a good tutorial for that.
> Every tutorial I have found points to setting up SSL-bump.

Because the only way to access more than hostname/IP and port is to decrypt.

Amos
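
Added example, not part of the original post and not Squid's own code: a small Python model of the reply's point that a CONNECT request line carries only a host (or IP) and a port, so those are the only fields a filter can act on without decrypting. The blocked domain, allowed port and sample request lines are constructed for illustration.

```python
# Added example: what a non-decrypting proxy can filter on in a CONNECT request.
# Policy values are constructed for illustration; this is not Squid code.
BLOCKED_DOMAINS = {"blocked.example"}  # domain and all of its subdomains
ALLOWED_PORTS = {443}


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.1' or raise ValueError."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError("not a CONNECT request line")
    target = parts[1]
    # The CONNECT target is authority-form: no scheme, no path, no query string.
    if any(c in target for c in "/?#@"):
        raise ValueError("CONNECT target must be host:port")
    if target.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        host, sep, port = target[1:].partition("]:")
    else:
        host, sep, port = target.rpartition(":")
        if ":" in host:
            raise ValueError("IPv6 literal must be bracketed")
    host = host.lower().rstrip(".")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("missing or invalid host or port")
    return host, int(port)


def decide(request_line):
    """Allow or deny using only the fields visible without decryption."""
    try:
        host, port = parse_connect(request_line)
    except ValueError:
        return "deny"
    if port not in ALLOWED_PORTS:
        return "deny"
    if any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for line in (  # constructed sample request lines
        "CONNECT www.example.org:443 HTTP/1.1",
        "CONNECT login.blocked.example:443 HTTP/1.1",
        "CONNECT www.example.org:25 HTTP/1.1",
        "CONNECT www.example.org:443/private?x=1 HTTP/1.1",
    ):
        print(f"{line!r} -> {decide(line)}")
```
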


