[squid-users] Basic HTTPS filtering via CONNECT in Squid

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 6 22:18:36 UTC 2017

On 7/02/2017 2:46 a.m., Varun Singh wrote:
> On Mon, Feb 6, 2017 at 11:39 AM, Amos Jeffries wrote:
> Hi,
> Please find my reply inline:
>> What documentation? it is wrong, or you are misunderstanding it. The URL
>> path?query is definitely *not* available without decrypting.
> Correct, I mis-read it.
>> Because the only way to access more than hostname/IP and port is to decrypt.
> Okay. In that, case I am okay with only being able to see hostname/IP and port.
> But whenever I search for setting up HTTPS with Squid, I always come
> across SSL-bump.
> Could you point me to a tutorial which perform just basic HTTPS setup?

The Squid default config handles as much of HTTPS as can be handled
without the SSL-Bump feature.

> What I have tried so far is, configuring Squid to listen to port 3129
> to expect HTTPS traffic. I did this by adding following line to
> squid.conf:
> https_port 3129
> Once this was done, I redirected all the traffic coming to port 443 to
> port 3129 using iptables. This is because my clients connect to proxy
> via VPN.

Since you are intercepting port 443 that port is missing the 'intercept'
flag. Also, interceptig port 443 requires SSL-Bump.

> But this had no effect. After connecting clients to proxy, when I try
> to access an HTTPS website, the clients get no response and nothing
> shows in access.log file. The browser behaves as if it could not
> connect to internet.
> Please note that this setup works perfectly for HTTP requests. Only
> HTTPS requests give problems.

Port 80 (HTTP) and port 443 (HTTPS) have totally different transport
protocols. The port 443 one is designed to break when being intercepted.

> FYI, by documentation I was referring to below link:
> http://wiki.squid-cache.org/Features/HTTPS


More information about the squid-users mailing list