[squid-users] Newbie question, How to fully disable/disallow https?

Coenraad Loubser coenraad at wish.org.za
Tue Jun 22 22:01:31 UTC 2021


This seems all good and well if you're just proxying traffic to your own
servers... but if you want to run an actual proxy this doesn't really make
sense any more.

You can block HTTPS through Squid, and even do some redirection with your
firewall too - but when it comes to whether it will work, your problem is
with the browsers - and everyone else on the internet: as a start, you
might want to read up on
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security - and browser
implementations. The only way to force HTTP, or to redirect to it, is to
compile and ship your own browsers too - and that would be a terrible idea
as anyone (on the planet) who found out that you have people using such
modified browsers, would be able to impersonate the sites they visited and
steal their credentials, in many cases without them knowing. This is the
actual problem that HTTPS and HSTS help prevent.

You can install your own certificates and follow
https://wiki.squid-cache.org/Features/SslBump and then redirect to a
non-HTTPS page, but even so no up-to-date browser will obey the redirect if
HSTS is enabled for the site.

If it's caching you want to do, there was a time that you could cache
almost everything and emulate a 1Gbps connection on a 256kbps ADSL line...
but that time ended around 2010... we're now in 2021... it is now cheaper
and easier (esp. if you consider the cost of your time) than ever before to
just build fast connections to the internet. Get yourself a
Starlink modem and share the connection - and costs - with your street, if
you're trying to save on bandwidth. I understand all about wanting to cache
things and run things offline and not having connectivity...

If you want to cache content the proper way today, you will need to make
deals with the content providers you're trying to cache, and then set up
the infrastructure to host their content on your own server, and either get
them to issue you with SSL Certificates or point their DNS to you... or
easier, just connect to people who have already done this and already have
servers in a regional data center near you.

Alternatively, I guess you could mirror or spider some sites, and then just
host them on your non-HTTPS mirror. Likely against the wishes and terms of
those sites... but no proxy needed. But if you started messing with a proxy
and DNS in front of it, it would just break on all browsers today.

A better way to do it would be to write a browser addon that modifies the
URL to a custom URL much like https://web.archive.org/http://web.archive.org
does it by just having the whole URL as the actual URL path... but why not
just browse the Web Archive directly then... bonus, *they run a non-SSL
version of the whole archive*! No need to mess with anything.

If it's just a package repository you want to cache... it almost certainly
still has http support if you dig deeper... but you might want to enable
whatever hash checking mechanisms it has to save yourself some grey hairs.

Perhaps if you shared your actual use case we could help you come up with a
better (and more responsible and sustainable) solution?

On Tue, 22 Jun 2021 at 21:32, Arctic5824 <arctic5824 at protonmail.com> wrote:

> Hello, Recently I set up my first squid proxy,
>
> I want it when users try to access a website via https, they get redirected
> to the http version, I tried disabling https by reading the comments in the
> config, the squid docs, and online forums, but I am unable to figure this
> out, I also tried blocking port 443 using ufw but it just resulted in users
> timing out.
>
> Please rest assured I understand the security and other risks this brings,
> thanks.
> To reiterate as this email is a bit long, I'd like to know how to
> disallow https and redirect users to http versions of websites when they
> try to use https
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
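As an added illustration of the "you can block HTTPS through Squid, but the browser will not follow the redirect" point made in the reply above, here is a squid.conf fragment. It is not from the thread or from the Squid project; the hostname proxy.example.internal and the page name no-https.html are placeholders, and it assumes Squid is running without SslBump (so every HTTPS request reaches it only as a CONNECT tunnel request).

```conf
# Added example, not part of the original thread.
# Without SslBump, Squid sees an HTTPS request only as
#   CONNECT host:443 HTTP/1.1
# so the only control it has over HTTPS is allow/deny on that tunnel.

acl https_tunnel method CONNECT

# Refuse every tunnel request. Put this rule BEFORE the usual
# "http_access allow localnet" lines, since the first matching rule wins.
http_access deny https_tunnel

# deny_info applies to the last ACL named in the http_access line that
# denied the request. A 302 to an http:// page is the closest Squid can
# get to "redirect users to the http version"...
deny_info 302:http://proxy.example.internal/no-https.html https_tunnel

# ...but browsers treat any non-2xx reply to CONNECT as a failed tunnel
# and ignore the Location header, so users see a proxy error, not the
# http:// page. A plain error page is the honest alternative:
# deny_info ERR_ACCESS_DENIED https_tunnel

# Check from a client (assumes Squid on 127.0.0.1:3128):
#   curl -x http://127.0.0.1:3128 -v https://example.com/
# curl refuses the tunnel and reports the 302 instead of following it.
```

Two caveats follow directly from the reply. First, rejecting the CONNECT at the proxy gives the client an immediate error rather than the timeouts seen when port 443 was silently dropped at the firewall. Second, even if the redirect were honoured (for instance by bumping the TLS session with SslBump and issuing the 302 from inside it), a browser with an HSTS entry for the site rewrites the http:// URL back to https:// before sending any request, so the downgrade never happens for those sites.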