[squid-users] Basic HTTPS filtering via CONNECT in Squid

Amos Jeffries squid3 at treenet.co.nz
Sun Feb 12 08:51:19 UTC 2017

On 12/02/2017 7:40 p.m., Varun Singh wrote:
> The answer points to installing a CA on client.

The question was about how to get browsers talking TLS *directly to a
Squid reverse-proxy*. Your Ubuntu package is not capable of that and you
are not using a reverse-proxy.

> Does this mean even if I don't want Squid-in-the-middle approach, my
> clients would still have to install a certificate?

No. It is irrelevant to yrou sitation.

You began this thread with a simple question:

> Hi,
> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
> HTTP proxy server in transparent mode.
> I wanted to know whether it can be configured to run as HTTPS proxy
> server without ssl-bump i.e. without 'man in the middle attack'
> technique.

Everything you have been asking about since then is various ways to do
parts of the SSL-bump process. Which does not fit very well with the
"without ssl-bump" requirement.

Simply put; if you are not going to SSL-Bump then you can discard any
thoughts of doing things with the HTTPS messages or port 443 traffic.

If you have changed your mind and want to use SSL-Bump now, please
re-describe what you want to actually happen now.


More information about the squid-users mailing list