[squid-users] Basic HTTPS filtering via CONNECT in Squid
varun.singh at gslab.com
Sun Feb 12 06:40:36 UTC 2017
On Friday, February 10, 2017, Varun Singh <varun.singh at gslab.com> wrote:
> On Tue, Feb 7, 2017 at 3:48 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> > On 7/02/2017 2:46 a.m., Varun Singh wrote:
> >> On Mon, Feb 6, 2017 at 11:39 AM, Amos Jeffries wrote:
> >> Hi,
> >> Please find my reply inline:
> >>> What documentation? it is wrong, or you are misunderstanding it. The
> >>> path?query is definitely *not* available without decrypting.
> >> Correct, I mis-read it.
> >>> Because the only way to access more than hostname/IP and port is to
> >> Okay. In that case, I am okay with only being able to see hostname/IP
> >> and port.
> >> But whenever I search for setting up HTTPS with Squid, I always come
> >> across SSL-bump.
> >> Could you point me to a tutorial which performs just a basic HTTPS setup?
> > The Squid default config handles as much of HTTPS as can be handled
> > without the SSL-Bump feature.
> >> What I have tried so far is, configuring Squid to listen to port 3129
> >> to expect HTTPS traffic. I did this by adding the following line to
> >> squid.conf:
> >> https_port 3129
> >> Once this was done, I redirected all the traffic coming to port 443 to
> >> port 3129 using iptables. This is because my clients connect to proxy
> >> via VPN.
> > Since you are intercepting port 443 that port is missing the 'intercept'
> > flag. Also, intercepting port 443 requires SSL-Bump.
> >> But this had no effect. After connecting clients to proxy, when I try
> >> to access an HTTPS website, the clients get no response and nothing
> >> shows in access.log file. The browser behaves as if it could not
> >> connect to the internet.
> >> Please note that this setup works perfectly for HTTP requests. Only
> >> HTTPS requests give problems.
> > Port 80 (HTTP) and port 443 (HTTPS) have totally different transport
> > protocols. The port 443 one is designed to break when being intercepted.
> >> FYI, by documentation I was referring to below link:
> >> http://wiki.squid-cache.org/Features/HTTPS
> > Amos
> Thanks Amos. Sorry I couldn't reply early.
> So in this case, say I want to configure HTTPS proxy from a
> web-browser directly and not through VPN. In that case there will be
> no port forwarding involved and hence 443 shouldn't break. To achieve
> this, what configurations will have to be set in squid.conf file? I am
> assuming we will have to at least provide a port number by adding
> 'https_port 3129'. Is there anything else I will have to do?
> Thanks for your help.
I found this post on a StackExchange forum which is exactly what I want:
The answer points to installing a CA on the client.
Does this mean even if I don't want Squid-in-the-middle approach, my
clients would still have to install a certificate?
Sr. Software Engineer | m: +91 20 4671 2290 |
Great Software Laboratory <https://in.linkedin.com/in/varun-singh-12b29026>
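The configuration the thread is circling (a browser pointed explicitly at the proxy, HTTPS handled as plain CONNECT tunnels, no SSL-Bump and no iptables redirection) is essentially the shape of Squid's stock default config that Amos refers to. The following squid.conf fragment is an added example written for this page, not a file posted in the thread or shipped by the Squid project. The client address range and the blocked domain names are assumptions chosen for illustration; the listening port 3128 is Squid's conventional default rather than the 3129 used in the thread, because this setup uses `http_port`, not `https_port`.

```conf
# Added example (not from the thread): minimal squid.conf for basic HTTPS
# filtering via CONNECT. Browsers are configured to use this host:3128 as
# their proxy; for an HTTPS site they send "CONNECT host:443" and Squid
# sees only the destination host name (or IP) and port, never the URL path.

# One plain listening port serves both HTTP requests and HTTPS CONNECT tunnels.
# No https_port here: that directive is for TLS between the client and the
# proxy itself. No 'intercept' flag either: nothing is redirected by iptables,
# which (as noted above) would require SSL-Bump for port 443.
http_port 3128

# Assumption: clients (e.g. the VPN subnet) come from 10.0.0.0/8; adjust to taste.
acl localnet src 10.0.0.0/8

acl SSL_ports port 443
acl Safe_ports port 80 443 21 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT

# The only thing a CONNECT request exposes for filtering: destination host and
# port. dstdomain with a leading dot also matches subdomains.
# Constructed placeholder domains, not real targets.
acl blocked_sites dstdomain .example-blocked.test .another-blocked.test

# Refuse tunnels to anything but TLS ports, refuse listed destinations,
# then allow the local clients and deny everyone else.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny CONNECT blocked_sites
http_access allow localnet
http_access deny all
```

With this shape the TLS session is end-to-end between the browser and the origin server; Squid only relays bytes inside the tunnel and presents no certificate of its own, which is why the Squid documentation only talks about installing a CA on clients in the context of SSL-Bump. A useful check after reloading is to watch access.log while a client opens an HTTPS site: a tunnel is logged as a `CONNECT host:443` request, and a destination matching `blocked_sites` shows up as denied rather than simply producing no log line at all, as in the intercepted-443 setup described earlier in the thread.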