[squid-users] Basic HTTPS filtering via CONNECT in Squid

Varun Singh varun.singh at gslab.com
Fri Feb 10 11:05:56 UTC 2017


On Tue, Feb 7, 2017 at 3:48 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 7/02/2017 2:46 a.m., Varun Singh wrote:
>> On Mon, Feb 6, 2017 at 11:39 AM, Amos Jeffries wrote:
>>
>> Hi,
>> Please find my reply inline:
>>
>>> What documentation? it is wrong, or you are misunderstanding it. The URL
>>> path?query is definitely *not* available without decrypting.
>>>
>>
>> Correct, I mis-read it.
>>
>>
>>> Because the only way to access more than hostname/IP and port is to decrypt.
>>
>> Okay. In that case, I am okay with only being able to see hostname/IP and port.
>> But whenever I search for setting up HTTPS with Squid, I always come
>> across SSL-bump.
>> Could you point me to a tutorial which performs just a basic HTTPS setup?
>
> The Squid default config handles as much of HTTPS as can be handled
> without the SSL-Bump feature.
>
>>
>> What I have tried so far is, configuring Squid to listen to port 3129
>> to expect HTTPS traffic. I did this by adding the following line to
>> squid.conf:
>>
>> https_port 3129
>>
>> Once this was done, I redirected all the traffic coming to port 443 to
>> port 3129 using iptables. This is because my clients connect to proxy
>> via VPN.
>
> Since you are intercepting port 443 that port is missing the 'intercept'
> flag. Also, intercepting port 443 requires SSL-Bump.
>
>
>> But this had no effect. After connecting clients to proxy, when I try
>> to access an HTTPS website, the clients get no response and nothing
>> shows in access.log file. The browser behaves as if it could not
>> connect to internet.
>>
>> Please note that this setup works perfectly for HTTP requests. Only
>> HTTPS requests give problems.
>>
>
> Port 80 (HTTP) and port 443 (HTTPS) have totally different transport
> protocols. The port 443 one is designed to break when being intercepted.
>
>
>>
>> FYI, by documentation I was referring to below link:
>> http://wiki.squid-cache.org/Features/HTTPS
>>
>
>
> Amos

Thanks Amos. Sorry I couldn't reply earlier.

So in this case, say I want to configure HTTPS proxy from a
web-browser directly and not through VPN. In that case there will be
no port forwarding involved and hence 443 shouldn't break. To achieve
this, what configurations will have to be set in squid.conf file? I am
assuming we will have to at least provide a port number by adding
'https_port 3129'. Is there anything else I will have to do?

Thanks for your help.



-- 
Regards,
Varun
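An added example of the explicit (browser-configured, no iptables) setup the question asks about; it is my illustration, not a config from the thread or from the Squid project, and the client range and blocked domain are placeholders.

```conf
# Added example (not from the thread): a minimal squid.conf for explicit,
# browser-configured proxying. HTTPS arrives as "CONNECT host:443" tunnels,
# so Squid can filter on destination hostname/IP and port only; the URL
# path and query stay encrypted end to end (no SSL-Bump involved).

# One plain listening port for both HTTP requests and CONNECT tunnels.
# Browsers point their proxy setting at this port. No 'intercept' flag:
# the client speaks the proxy protocol directly, so nothing is redirected
# and the port 443 transport does not break.
http_port 3128

# NOTE: 'https_port' is not "the port for proxying HTTPS". It makes the
# client-to-proxy connection itself TLS (and needs tls-cert=...); leave it
# out of a basic setup.

# Standard safety ACLs, in the same shape as the Squid default config.
acl SSL_ports port 443
acl Safe_ports port 80 443 21 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT

# Refuse tunnels to anything but the TLS port, and requests to odd ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Hostname-level HTTPS filtering: the CONNECT request carries only
# host:port, so this is the filtering possible without decrypting.
# 'blocked_https' and its domain are placeholder values for this example.
acl blocked_https dstdomain .example-blocked.test
http_access deny CONNECT blocked_https

# Client network allowed to use the proxy (placeholder range).
acl localnet src 192.0.2.0/24
http_access allow localnet
http_access deny all
```

With this in place, access.log records each tunnel as a CONNECT line with the destination host:port and the allow/deny result; the inner URL never appears.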

