[squid-users] Basic HTTPS filtering via CONNECT in Squid

Varun Singh varun.singh at gslab.com
Sun Feb 12 10:51:44 UTC 2017

On Feb 12, 2017 2:21 PM, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:

On 12/02/2017 7:40 p.m., Varun Singh wrote:
> The answer points to installing a CA on client.

The question was about how to get browsers talking TLS *directly to a
Squid reverse-proxy*. Your Ubuntu package is not capable of that and you
are not using a reverse-proxy.

> Does this mean even if I don't want Squid-in-the-middle approach, my
> clients would still have to install a certificate?

No. It is irrelevant to your situation.

You began this thread with a simple question:

> Hi,
> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
> HTTP proxy server in transparent mode.
> I wanted to know whether it can be configured to run as HTTPS proxy
> server without ssl-bump i.e. without 'man in the middle attack'
> technique.

Everything you have been asking about since then is various ways to do
parts of the SSL-bump process. Which does not fit very well with the
"without ssl-bump" requirement.

Simply put; if you are not going to SSL-Bump then you can discard any
thoughts of doing things with the HTTPS messages or port 443 traffic.

If you have changed your mind and want to use SSL-Bump now, please
re-describe what you want to actually happen now.


squid-users mailing list
squid-users at lists.squid-cache.org

Simply put, my question has three parts:
1. Can Squid be configured as an HTTPS proxy server without SSL-Bump?
2. If yes, then what other configurations have to be performed other than
"https_port XXXX"?
3. In this configuration, can Squid filter HTTPS requests from ACL?

Thanks for your help in advance.
