[squid-users] Blocking HTTPS On Transparent/Interception Proxy Configuration

ivanleoncz ivanlmj at gmail.com
Wed Sep 27 20:01:49 UTC 2017


Hello, Squid Users.

I'm not an experienced user of advanced configurations on Squid, so I need
some advice or help, which will be much appreciated.

As I was watching some of the logs from my Proxy, I noticed that there are
requests that are made first via HTTP, and the remote Web Server responds
with a 302 redirect to an HTTPS site.

I can use Facebook as an example:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1505162176.649    102 192.168.0.108 TCP_MISS/204 257 GET http://b-www.facebook.com/mobile/status.php - ORIGINAL_DST/31.13.66.37 text/plain
1505233881.293    176 192.168.0.149 TCP_MISS/302 387 GET http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505240198.118    162 192.168.0.149 TCP_MISS/302 387 GET http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505241490.335    203 192.168.0.149 TCP_MISS/302 387 GET http://www.facebook.com/ - ORIGINAL_DST/157.240.3.35 text/html
1505248976.884    173 192.168.0.54 TCP_MISS/302 562 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36 text/html
1505303537.048    144 192.168.0.152 TCP_MISS/302 382 GET http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505331296.129    181 192.168.0.108 TCP_MISS/302 635 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36 text/html
1505389662.830    144 192.168.0.152 TCP_MISS/302 382 GET http://www.facebook.com/ - ORIGINAL_DST/157.240.17.35 text/html
1505393796.724    187 192.168.0.165 TCP_MISS/302 387 GET http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505481730.533    145 192.168.0.74 TCP_MISS/302 484 GET http://www.facebook.com/plugins/fan.php? - ORIGINAL_DST/157.240.17.35 text/html
1505756711.632    221 192.168.0.76 TCP_MISS/302 671 GET http://www.facebook.com/plugins/likebox.php? - ORIGINAL_DST/31.13.66.36 text/html
1505849677.484    190 192.168.0.56 TCP_MISS/302 532 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36 text/html
1505913883.386    166 192.168.0.152 TCP_MISS/302 382 GET http://www.facebook.com/ - ORIGINAL_DST/157.240.17.35 text/html
1505926185.493    146 192.168.0.56 TCP_MISS/302 532 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36 text/html
1506089311.489    152 192.168.0.62 TCP_MISS/302 587 GET http://www.facebook.com/plugins/likebox.php? - ORIGINAL_DST/157.240.17.35 text/html
1506102859.349    171 192.168.0.41 TCP_MISS/302 528 GET http://www.facebook.com/plugins/follow.php? - ORIGINAL_DST/157.240.3.35 text/html
1506449027.644    126 192.168.0.72 TCP_MISS/302 567 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/157.240.17.35 text/html
1506458858.890    244 192.168.0.54 TCP_MISS/302 562 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/157.240.3.35 text/html
1506531664.419    137 192.168.0.152 TCP_MISS/302 382 GET http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  
With these logs, I can understand that a first request is made via HTTP and
a redirect is going to be performed. Am I right?

Seems like the same applies for other sites like YouTube, for example:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1506454619.784    129 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506454859.606    127 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506455555.686    189 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.5.174 text/html
1506455678.559    181 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506455887.214    158 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/216.58.193.14 text/html
1506456578.142    127 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.5.174 text/html
1506457019.837    123 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506457532.332    110 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/216.58.193.46 text/html
1506457735.088    108 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/216.58.193.46 text/html
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Since the first request is via HTTP, I was wondering:

    - Why can't I just deny access to a site like "www.facebook.com",
"facebook.com", "youtube.com", etc.?

If I cannot perform something like this, I'd like to know:

    - Is there any way or mechanism that can be used on Squid for blocking
HTTPS sites that were originally accessed via a 302 redirect?

I know that there are tons of blogs, forums, etc., that recommend
the usage of SSL Bump, but I also know that MITM is not a good choice, since
it is (or could be) illegal to eavesdrop on a secure connection. So I
believe that SSL Bump is not an option.

Thank you all for the attention.

Best Regards,
@ivanleoncz

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
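An added example, not part of the original post and not taken from the Squid project's own documentation: a squid.conf fragment for the two cases the post describes. Assumptions: Squid 3.5 or later built with OpenSSL support; the intercept port numbers, the client subnet 192.168.0.0/24 (taken from the client addresses in the logs above) and the certificate path /etc/squid/squid.pem are placeholders to adapt. The plain-HTTP request that precedes the 302 is denied with a dstdomain ACL, which is the ordinary way to block "www.facebook.com" and friends. For connections that arrive directly as HTTPS on the intercept port, Squid's peek/splice mode reads only the server name (SNI) from the client's TLS ClientHello and then either terminates the connection or splices it as an opaque tunnel; nothing is decrypted and no forged certificate is presented, which is the distinction that matters for the MITM concern raised in the post.

```conf
# --- listening ports (numbers are placeholders) ---
http_port  3128                      # explicit proxy port
http_port  3129 intercept            # transparently redirected HTTP
# Squid insists on a certificate for any port carrying the ssl-bump option,
# even when the policy below never bumps (decrypts) anything.
https_port 3130 intercept ssl-bump cert=/etc/squid/squid.pem

# --- who may use the proxy (subnet assumed from the client IPs in the logs) ---
acl localnet src 192.168.0.0/24

# --- the sites to block; a leading dot matches the domain and all subdomains ---
acl blocked_sites dstdomain .facebook.com .youtube.com

# Case 1: the initial plain-HTTP request (the one that would get the 302).
# Denying it here means the redirect to HTTPS is never delivered to the client.
http_access deny blocked_sites
http_access allow localnet
http_access deny all

# Case 2: HTTPS arriving on the intercept port (for example when the browser
# already knows to go straight to https://www.facebook.com/).
# Step 1: peek at the ClientHello only, which exposes the SNI without decrypting.
acl step1 at_step SslBump1
ssl_bump peek step1
# Step 2: close connections whose SNI matches the blocklist, tunnel all others.
acl blocked_sni ssl::server_name .facebook.com .youtube.com
ssl_bump terminate blocked_sni
ssl_bump splice all
```

Two caveats for anyone deploying this: a terminated TLS connection shows up in the browser as a dropped connection rather than a Squid error page, because there is no decrypted channel on which to deliver one; and the ssl::server_name match depends on the client sending an SNI, so a client that omits it will not match the blocklist and is only caught by rules based on destination IP (the ORIGINAL_DST addresses in the logs), which change frequently for large sites. Check the result in access.log: blocked HTTP requests log as TCP_DENIED/403, and terminated TLS connections log as CONNECT entries with the SNI as the destination.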