[squid-users] Newbie question, How to fully disable/disallow https?

Alex Rousskov rousskov at measurement-factory.com
Tue Jun 22 19:40:48 UTC 2021


On 6/22/21 3:32 PM, Arctic5824 wrote:
> Hello, recently I set up my first squid proxy,
> 
> I want it when users try to access a website via https, they get
> redirected to the http version, I tried disabling https by reading the
> comments in the config, the squid docs, and online forums, but I am
> unable to figure this out, I also tried blocking port 443 using ufw but
> it just resulted in users timing out.
> 
> Please rest assured I understand the security and other risks this
> brings, thanks.
> To reiterate as this email is a bit long, I'd like to know how to
> disallow https and redirect users to http versions of websites when
> they try to use https

To disable HTTPS access through the proxy, simply deny all CONNECT
requests using http_access rules.

Redirecting HTTPS attempts to HTTP is a lot harder and is unreliable.
You will have to bump TLS connections and then deny all bumped requests
with a redirection response (that many browsers may not even follow --
you should test this). This will not work in many cases because TLS is
not supposed to be bumped -- many clients and origin servers will work
hard to prevent you from bumping their connections. See ssl_bump and
deny_info for starting points.


HTH,

Alex.
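
A squid.conf sketch of the CONNECT denial described in the reply above, added here as an illustration and not part of the original message. The ACL name `connect_method` and the client range under `localnet` are assumptions; the deny line is placed before the allow line because Squid applies the first `http_access` rule that matches.

```conf
# Added example, not from the original thread.
# The ACL name "connect_method" and the localnet range are assumptions.

acl localnet src 192.168.0.0/16          # assumed client network
acl connect_method method CONNECT        # CONNECT is how a proxied browser opens an HTTPS tunnel

# http_access rules are checked top to bottom and the first match decides,
# so the CONNECT deny must come before any allow that covers the same clients.
http_access deny connect_method
http_access allow localnet
http_access deny all
```

Check the file with `squid -k parse` before reloading. With these rules, plain `http://` requests from the assumed client range are still served, while HTTPS attempts through the proxy receive an access-denied response instead of timing out.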

