[squid-users] filtering HTTPS sites with transparent child Squid
Amos Jeffries
squid3 at treenet.co.nz
Mon Nov 27 10:30:08 UTC 2017
On 27/11/17 21:20, Stegner, Martin wrote:
> Hi everyone,
>
> I’ve set up a Squid as a transparent child-proxy. Every request is
> redirected to another Squid with the content filtering add-on
> e2guardian. I encounter the problem that the transparent child Squid
> only forwards IP-Addresses to the e2guardian when HTTPS is used and so
> e2guardian can't filter anything because it can only filter by URL.
>
A good demonstration of why calling a URL-rewrite helper a "content
filter" is completely wrong.
Real content filters receive the actual content and can filter it. ICAP
and eCAP exist for that and get passed the decrypted HTTPS messages (if
any).
> Here are some parts of the config:
>
> http_port 3130
>
> http_port 3128 intercept
>
> https_port 3129 intercept ssl-bump cert=/etc/squid/cert/squid.pem
>
> ssl_bump splice all (if I use any other option than splice
> nothing works for some reason)
Splice tells Squid to not decrypt. Thus no content access on those
transactions.
>
> cache_peer 172.16.0.252 parent 8080 0 default no-query no-digest
>
> Is there any possibility that the transparent child Squid forwards the
> URL to the main Squid proxy?
It already is passing what it has. "The" URI of the message being
processed happens to be an authority-form URI. See
<https://tools.ietf.org/html/rfc7230#section-5.3.3>.
... and also:
* Squid requires a secure server connection to deliver decrypted content
to. So the cache_peer needs to have the 'ssl' option and be accepting
TLS proxy connections to receive anything other than the spliced traffic.
* The CONNECT message has to complete and the TLS inside it decrypted
before any URL with "https://" scheme is known. When bumping to do the
decrypt, the above criterion applies.
* HTTP/1.1 connections contain many pipelined requests. So there are
potentially many https:// URLs involved inside the crypto - it is not
possible to know in advance of decryption what those might be.
Amos
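The two-Squid setup Amos describes, written out as an added example (not a configuration from the original thread or from the Squid project). The 172.16.0.252:8080 parent and the child's ports come from Martin's config; the certificate/CA file paths, the certificate-generator helper path and the parent's listening directive are assumptions.

```squid
# --- child (transparent) Squid ---
# Weak setting from the question: splice never decrypts, so the parent
# only ever sees "CONNECT host:443" (an authority-form URI), never a URL.
#   ssl_bump splice all

http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/cert/squid.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Mint per-site certificates so clients that trust squid.pem accept the bump.
# Helper path is an assumption: ssl_crtd on Squid 3.5, security_file_certgen on 4.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS ClientHello (SNI) first, then decrypt everything else.
# Only after the bump does Squid know any "https://" URL inside the tunnel.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Decrypted traffic can only be handed to a parent over TLS, so the peer
# gets the 'ssl' option and is verified against its CA (path assumed).
cache_peer 172.16.0.252 parent 8080 0 default no-query no-digest \
    ssl sslcafile=/etc/squid/cert/parent-ca.pem
never_direct allow all

# --- parent (filtering) Squid ---
# Must accept TLS proxy connections on 8080 or the child can send it nothing
# beyond the spliced CONNECTs (certificate path assumed).
https_port 8080 cert=/etc/squid/cert/parent.pem
```

With this in place the parent receives full https:// request URLs for bumped traffic; sites that must not be decrypted still need an explicit splice rule ahead of `ssl_bump bump all`.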