[squid-users] squid module to "simulate" CONNECT setup to facilitate intercepted https

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 9 15:42:33 UTC 2015


On 9/11/2015 7:33 p.m., Mark Carey wrote:
> Hi,
> 
> Squid has some great features for traffic management policy and accounting.
> 
> The web is moving more and more to https which negates Squid's
> advantages in caching.  I know that squid can not transparently proxy
> https - I've run squid in intercept mode and pointed https traffic at
> it and watched the rubbish that fills the logs.

FYI: "transparently proxy" and what many people used to call
"transparent proxy" are two VERY different things.

"transparently proxy" is something an explicit/forward proxy does. Squid
does that just fine for both HTTP and HTTPS.

"transparent ___ proxy" (note the missing word in the middle of the
name) is what is not easy with HTTPS. Depending on what the missing word
is in your meaning.


> 
> Squid remains a great platform for centralising site policy in regards
> to access and accounting for web traffic (even if it is only total
> bytes to/from a host).  Replicating such policy is a pain in the
> backside (try using iptables for domain wide rules, or reliable user
> agent matching).
> 
> What I am interested in is whether there is or ever was a squid module that;
> 

<snip>

As Alex already said, the peek-and-splice feature should do what you are
asking for. Just make sure you have the latest Squid release that works
for you. The TLS interception features are pretty volatile and things
are still changing pretty rapidly, so keeping it up to date is very
important.

Amos


