[squid-users] Bypass HSTS sites in squid?

[Amos Jeffries]

On 29/04/18 07:22, Matthias Eder wrote:
> I have set up after along struggle a transparent proxy with squid,
> squidguard and privoxy. This works quite fine, surprisingly also for
> https sites. Unfortunately the performance is not too good, but I guess
> the man-in-the-middle attack is quite a lot of work for squid ;-).
> Before anyone is complaining: this is for my private network at home and
> this is more or less part of a project to set up a home router and learn
> a little bit of this stuff :-).
> 
> Anyway, here is the problem where I am stuck at the moment: as mentioned
> connection to most of the https sites works without problems, but I
> guess connection to sites with public key pinning (HSTS...?) gives me a

FYI: Current Squid releases all erase HSTS headers from traffic which
gets decrypted. So for HSTS to have any effect the Browsers need to be
fetching content without the proxy knowing about it. eg old HSTS details
received before they started use the proxy.


> SSL_ERROR_BAD_CERT_DOMAIN error in Firefox; here i can't add an
> exception for this site (e.g. in my case https://ubuntuusers.de/). After
> some googling it seems that there is no way that squid could "break"
> into this connection, so the question is: is there any way to exclude or
> bypass some sites so that the proxy is not used? I guess the difficulty
> may be the https here...

Connections that cannot (or you do not want to be) bump'ed is what the
SSL-Bump "splice" action is for. If you do not have a Squid accepting
that action you urgently need to upgrade.


Also, SG re-writes the URLs (including domain) of HTTP(S) traffic it
gets asked about. Naturally if it changes the domain for messages they
will no longer have the "old" domain which was linked explicitly to the
X.509 certificate the client was given by TLS. Some servers tolerate
that, some do not. This is one of many reasons SG (and re-writers in
general) should not be used, especially with HTTPS traffic.

Amos