[squid-users] Transparent proxy for WiFi users

Amos Jeffries squid3 at treenet.co.nz
Tue Jan 2 20:13:13 UTC 2018

On 03/01/18 02:48, Roberto Carna wrote:
> Dear, I've setup a Squid transparent proxy + Squidgard on pfSEnse 2.4
> in order to filter HTTP and HTTPS web content for different types of
> WiFi clients on my company:
> - Android (different versions)
> - Notebooks Windows 7/10
> - Iphone
> - Etc.
> In some cases, depending on the device Operating System, some apps
> experiment problems, for example Facebook and some others.

The main cause of these problems is that when the same vendor is 
authoring both the server software and the client "app" (or client 
device OS). They can (and often do) hard-code TLS certificate checks 
into their client code to detect and immediately fail in the presence of 
MITM in the encryption.

Following that, SSL-Bump is still very much an ongoing project. 
Selecting even a slightly older Squid version can lead to TLS features 
not being supported. So when problems occur the best option is still to 
upgrade to the very latest release before debugging further - today that 
would be squid-4.0.22 beta.

> Which is the best solution in order to setup a TRANSPARENT proxy
> service in a heterogeneous scenario with diferenbt types of devices,
> and running in the best mode with the minimum number of problems???

The _only_ solution is not to decrypt such traffic (the splice action). 
How you determine which traffic is having such special trust given to it 
is up to you. The TLS SNI is provided by the peek action at SSL-Bump step 1.

> Or do I have to move to a scenario with a defined proxy in another
> server, and automatically established in clients with DHCP ???

Explicit proxy is definitely better for HTTP than interception proxy. 
That is true regardless of what else is going on. So worth doing *if* 
you can.

That said, it is also unlikely to help much with the problem you are 
facing. Perhapse a small gain for clients not sending TLS SNI values - 
otherwise no change can be expected.


More information about the squid-users mailing list