[squid-users] Newbie question, How to fully disable/disallow https?

Coenraad Loubser coenraad at wish.org.za
Tue Jun 22 22:06:21 UTC 2021


Of course you could always just run your own web-based proxy such as these:
https://www.google.com/search?q=web+based+proxies - that would fetch the
https site if necessary, and render it as http - but it will rarely be a
perfect copy.

I'm sure there are many other ways to do this too... again, what's your
real use case here?

On Wed, 23 Jun 2021 at 00:01, Coenraad Loubser <coenraad at wish.org.za> wrote:

> This seems all good and well if you're just proxying traffic to your own
> servers... but if you want to run an actual proxy this doesn't really make
> sense any more.
>
> You can block HTTPS through Squid, and even do some redirection with your
> firewall too - but when it comes to whether it will work, your problem is
> with the browsers - and everyone else on the internet: as a start, you
> might want to read up on
> https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security - and
> browser implementations. The only way to force HTTP, or to redirect to it,
> is to compile and ship your own browsers too - and that would be a terrible
> idea as anyone (on the planet) who found out that you have people using
> such modified browsers, would be able to impersonate the sites they visited
> and steal their credentials, in many cases without them knowing. This is
> the actual problem that HTTPS and HSTS helps prevent.
>
> You can install your own certificates and follow
> https://wiki.squid-cache.org/Features/SslBump and then redirect to a
> non-HTTPS page, but even so no up to date browser will obey the redirect if
> HSTS is enabled for the site.
>
> If it's caching you want to do, there was a time that you could cache
> almost everything and emulate a 1Gbps connection on a 256kbps ADSL line...
> but that time ended around 2010... we're now in 2021... it is now cheaper
> and easier (esp. if you consider the cost of your time) than ever before to
> just build fast connections to the internet. Get yourself a
> Starlink modem and share the connection - and costs - with your street, if
> you're trying to save on bandwidth. I understand all about wanting to cache
> things and run things offline and not having connectivity...
>
> If you want to cache content the proper way today, you will need to make
> deals with the content providers you're trying to cache, and then set up
> the infrastructure to host their content on your own server, and either get
> them to issue you with SSL certificates or point their DNS to you... or
> easier, just connect to people who have already done this and already have
> servers in a regional data center near you.
>
> Alternatively, I guess you could mirror or spider some sites, and then
> just host them on your non-HTTPS mirror. Likely against the wishes and
> terms of those sites... but no proxy needed. But if you started messing
> with a proxy and DNS in front of it, it would just break on all browsers
> today.
>
> A better way to do it would be to write a browser addon that modifies the
> URL to a custom URL much like
> https://web.archive.org/http://web.archive.org does it by just having the
> whole URL as the actual URL path... but why not just browse the Web Archive
> directly then... bonus, *they run a non-SSL version of the whole archive*!
> No need to mess with anything.
>
> If it's just a package repository you want to cache... it almost certainly
> still has http support if you dig deeper... but you might want to enable
> whatever hash checking mechanisms it has to save yourself some grey hairs.
>
> Perhaps if you shared your actual use case we could help you come up with
> a better (and more responsible and sustainable) solution?
>
> On Tue, 22 Jun 2021 at 21:32, Arctic5824 <arctic5824 at protonmail.com>
> wrote:
>
>> Hello, recently I set up my first squid proxy.
>>
>> I want it so that when users try to access a website via https, they get
>> redirected to the http version. I tried disabling https by reading the
>> comments in the config, the squid docs, and online forums, but I am unable
>> to figure this out. I also tried blocking port 443 using ufw but it just
>> resulted in users timing out.
>>
>> Please rest assured I understand the security and other risks this
>> brings, thanks.
>> To reiterate, as this email is a bit long, I'd like to know how to
>> disallow https and redirect users to http versions of websites when they
>> try to use https.
>>
>
>
>
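The quoted reply's central point is that a proxy-side "redirect to http" cannot work for a site whose HSTS policy the browser has already recorded: the browser rewrites the http:// URL to https:// before any request leaves the machine, so there is nothing for the proxy to intercept. The following is an added illustration of that mechanism and is not code from the thread or from the Squid project. It models a browser's HSTS cache as described in RFC 6797 (parsing the Strict-Transport-Security header, honouring max-age expiry and includeSubDomains, and upgrading http:// navigations); the host names, header values and timestamps are constructed for the example.

```python
"""HSTS policy cache simulation (added example, not from the squid-users thread).

Models how a browser records a Strict-Transport-Security header and then
refuses to fetch an http:// URL (including a redirect target) for a host
that has an unexpired HSTS entry. Hosts and header values are constructed.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Per-browser store of hosts that must only be reached over HTTPS."""

    def __init__(self):
        # host -> (expiry_timestamp, include_subdomains)
        self._entries = {}

    def record_header(self, host, header_value, now=None):
        """Parse a Strict-Transport-Security header received over HTTPS.

        Directive names are case-insensitive; max-age=0 removes the entry.
        Returns True if the header was well-formed and applied.
        """
        now = time.time() if now is None else now
        max_age = None
        include_sub = False
        for directive in header_value.split(";"):
            directive = directive.strip()
            if not directive:
                continue
            name, _, value = directive.partition("=")
            name = name.strip().lower()
            value = value.strip().strip('"')
            if name == "max-age":
                if not re.fullmatch(r"\d+", value):
                    return False  # malformed: browsers ignore the whole header
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is mandatory (RFC 6797)
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # site asked to be forgotten
        else:
            self._entries[host] = (now + max_age, include_sub)
        return True

    def is_known_host(self, host, now=None):
        """True if host, or a superdomain with includeSubDomains, has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue  # expired entries no longer apply
            if i == 0 or include_sub:
                return True
        return False

    def apply(self, url, now=None):
        """Return the URL the browser would actually fetch.

        An http:// URL to a known HSTS host is rewritten to https:// before any
        request is sent, so a proxy's 'redirect to http' never takes effect.
        Port 80 maps to the https default; any other explicit port is kept.
        """
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname, now):
            netloc = parts.hostname
            if parts.port and parts.port != 80:
                netloc += f":{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    # Constructed: the site was visited once over HTTPS and sent this header.
    cache.record_header("example.test", "max-age=31536000; includeSubDomains", now=1000)
    # A proxy redirecting to http://example.test/login would be undone locally.
    print(cache.apply("http://example.test/login", now=1000))
```

Running it shows the redirect target being upgraded back to https://example.test/login, which is exactly why the quoted advice says no up-to-date browser will obey the downgrade redirect; only an expired entry, or a max-age=0 header received over HTTPS from the site itself, clears the policy.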