[squid-users] Basic HTTPS filtering via CONNECT in Squid

Varun Singh varun.singh at gslab.com
Sun Feb 12 06:40:36 UTC 2017


On Friday, February 10, 2017, Varun Singh <varun.singh at gslab.com> wrote:

> On Tue, Feb 7, 2017 at 3:48 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> > On 7/02/2017 2:46 a.m., Varun Singh wrote:
> >> On Mon, Feb 6, 2017 at 11:39 AM, Amos Jeffries wrote:
> >>
> >> Hi,
> >> Please find my reply inline:
> >>
> >>> What documentation? It is wrong, or you are misunderstanding it. The URL
> >>> path?query is definitely *not* available without decrypting.
> >>>
> >>
> >> Correct, I mis-read it.
> >>
> >>
> >>> Because the only way to access more than hostname/IP and port is to decrypt.
> >>
> >> Okay. In that case, I am okay with only being able to see hostname/IP and port.
> >> But whenever I search for setting up HTTPS with Squid, I always come
> >> across SSL-bump.
> >> Could you point me to a tutorial which performs just a basic HTTPS setup?
> >
> > The Squid default config handles as much of HTTPS as can be handled
> > without the SSL-Bump feature.
> >
> >>
> >> What I have tried so far is, configuring Squid to listen to port 3129
> >> to expect HTTPS traffic. I did this by adding following line to
> >> squid.conf:
> >>
> >> https_port 3129
> >>
> >> Once this was done, I redirected all the traffic coming to port 443 to
> >> port 3129 using iptables. This is because my clients connect to proxy
> >> via VPN.
> >
> > Since you are intercepting port 443, that port is missing the 'intercept'
> > flag. Also, intercepting port 443 requires SSL-Bump.
> >
> >
> >> But this had no effect. After connecting clients to proxy, when I try
> >> to access an HTTPS website, the clients get no response and nothing
> >> shows in access.log file. The browser behaves as if it could not
> >> connect to internet.
> >>
> >> Please note that this setup works perfectly for HTTP requests. Only
> >> HTTPS requests give problems.
> >>
> >
> > Port 80 (HTTP) and port 443 (HTTPS) have totally different transport
> > protocols. The port 443 one is designed to break when being intercepted.
> >
> >
> >>
> >> FYI, by documentation I was referring to below link:
> >> http://wiki.squid-cache.org/Features/HTTPS
> >>
> >
> >
> > Amos
>
> Thanks Amos. Sorry I couldn't reply early.
>
> So in this case, say I want to configure HTTPS proxy from a
> web-browser directly and not through VPN. In that case there will be
> no port forwarding involved and hence 443 shouldn't break. To achieve
> this, what configurations will have to be set in squid.conf file? I am
> assuming we will have to at least provide a port number by adding
> 'https_port 3129'. Is there anything else I will have to do?
>
> Thanks for your help.
>
>
>
> --
> Regards,
> Varun
>

I found this post on a StackExchange forum which is exactly what I want:

http://serverfault.com/questions/798481/squid-configuration-for-https

The answer points to installing a CA on client.
Does this mean even if I don't want Squid-in-the-middle approach, my
clients would still have to install a certificate?


-- 
Regards,
Varun Singh
Sr. Software Engineer | m: +91 20 4671 2290 | Great Software Laboratory <http://www.gslab.com/>
LinkedIn: <https://in.linkedin.com/in/varun-singh-12b29026>
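A minimal squid.conf for the case the thread ends on (browser configured to use the proxy explicitly, no interception, no SSL-Bump, no client-side CA). This is an added illustration, not taken from the thread or from Squid's shipped configuration, though the ACL names follow Squid's defaults; the port, the blocked domains and the client network are assumptions.

```conf
# Explicit (browser-configured) proxy on a plain http_port. The browser sends
# "CONNECT host:443 HTTP/1.1" here and Squid tunnels the TLS bytes unchanged,
# so nothing is decrypted and clients need no extra certificate.
# https_port is deliberately NOT used: that directive makes Squid itself
# terminate TLS from the client (an encrypted connection *to the proxy*),
# which is a different feature and not what a browser expects by default.
http_port 3128

# For a CONNECT request the proxy sees only the destination host (or IP)
# and port, so those are the only attributes the rules below can match.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Hypothetical block list for this example: these domains and subdomains.
acl blocked_sites dstdomain .example.com .example.net

# Only allow tunnels to the HTTPS port, so CONNECT cannot be used to reach
# arbitrary TCP services through the proxy.
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports

# Basic HTTPS filtering: refuse the tunnel when the CONNECT target matches.
http_access deny CONNECT blocked_sites

# Hypothetical client network for this example; everything else is denied.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```

Tunnels show up in access.log as "CONNECT host:443" entries (TCP_TUNNEL on success, TCP_DENIED when the block list matches), which is the quickest check that the policy is being applied.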