[squid-users] Basic HTTPS filtering via CONNECT in Squid

Varun Singh varun.singh at gslab.com
Mon Feb 6 13:46:07 UTC 2017


On Mon, Feb 6, 2017 at 11:39 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 6/02/2017 6:10 p.m., Varun Singh wrote:
>> Hi,
>> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
>> HTTP proxy server in transparent mode.
>> I wanted to know whether it can be configured to run as HTTPS proxy
>> server without ssl-bump i.e. without 'man in the middle attack'
>> technique.
>
> The Ubuntu package of squid/squid3 can tunnel CONNECT requests. That is
> all. It has no support for anything more complicated.
>
>
>>
>> I read the documentation page of HTTPS support. It says that when a
>> browser comes across an HTTPS website, it opens a TCP tunnel through
>> Squid to the origin server using CONNECT request method.
>> With this setting the server can filter URLs based on URL scheme, URL
>> path and query string. The payload is still encrypted.
>
> What documentation? It is wrong, or you are misunderstanding it. The URL
> path?query is definitely *not* available without decrypting.
>
> FWIW the squid wiki page on HTTPS documents all three of the
> installation types that are all called "HTTPS".
>
>
>> After that the documentation goes on to explain how can we use
>> SSL-bump to decrypt the payload.
>>
>> Now, I only want to set up a basic HTTPS proxy via CONNECT tunnel in which
>> you can only filter URL path and string. I am not looking to set up
>> SSL-bump but still want to set up Squid for HTTPS filtering. I'm not
>> able to find a good tutorial for that.
>> Every tutorial I have found points to setting up SSL-bump.
>
> Because the only way to access more than hostname/IP and port is to decrypt.
>
> Amos
>


Hi,
Please find my reply inline:

> What documentation? It is wrong, or you are misunderstanding it. The URL
> path?query is definitely *not* available without decrypting.
>

Correct, I mis-read it.


> Because the only way to access more than hostname/IP and port is to decrypt.

Okay. In that case, I am okay with only being able to see hostname/IP and port.
But whenever I search for setting up HTTPS with Squid, I always come
across SSL-bump.
Could you point me to a tutorial which performs just a basic HTTPS setup?

What I have tried so far is configuring Squid to listen on port 3129
and expect HTTPS traffic. I did this by adding the following line to
squid.conf:

https_port 3129

Once this was done, I redirected all the traffic coming to port 443 to
port 3129 using iptables. This is because my clients connect to the proxy
via VPN.
But this had no effect. After connecting clients to the proxy, when I try
to access an HTTPS website, the clients get no response and nothing
shows in the access.log file. The browser behaves as if it could not
connect to the internet.

Please note that this setup works perfectly for HTTP requests. Only
HTTPS requests give problems.



FYI, by documentation I was referring to the link below:
http://wiki.squid-cache.org/Features/HTTPS


-- 
Regards,
Varun
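The basic CONNECT-only filtering setup asked for in this thread, as an added example that is not part of the original post or of Squid's own documentation: an explicit-proxy squid.conf fragment that filters HTTPS on the only things a CONNECT tunnel exposes, the destination host name and port. The listening port 3128, the client subnet and the domain names are placeholder assumptions; clients must be pointed at the proxy explicitly (browser setting, PAC or WPAD), since this does not intercept port 443.

```conf
# Added example (not from the thread): explicit proxy, no ssl-bump.
# Port, subnet and domain names below are assumed placeholders.
http_port 3128

# Only allow tunnels to the standard HTTPS port, so the proxy cannot be
# used as a general-purpose TCP relay through CONNECT.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# Clients arriving over the VPN (adjust to the real subnet).
acl localnet src 10.8.0.0/24

# Host-name based HTTPS filtering. The name comes from the CONNECT
# request line ("CONNECT host:443"), so only the destination domain can
# be matched here; paths and query strings travel inside the encrypted
# tunnel and are never visible to Squid in this mode.
acl blocked_https dstdomain .blocked-site.invalid .another-blocked.invalid
http_access deny CONNECT blocked_https

# Everything else from local clients is tunnelled; all other sources denied.
http_access allow localnet
http_access deny all
```

Denied tunnels show up in access.log as CONNECT lines with a 403 status, which is the easiest way to confirm the ACL is being hit. Note that without ssl-bump Squid cannot check that the host name in the CONNECT line matches the TLS session inside the tunnel, so this controls cooperative clients rather than adversarial ones.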

