[squid-users] Bypassing SSL Man In the Middle Filtering For Certain LAN IP's

Amos Jeffries squid3 at treenet.co.nz
Sun Jun 30 06:36:19 UTC 2019


On 30/06/19 2:32 pm, Mike Golf wrote:
> Hi All,
> 
> I've setup a squid proxy server on my PFSense router, is there any way
> of bypassing HTTPS/SSL filtering for certain LAN IP's.

HTTPS is not normally filtered at all. So for that to be happening
something must be forcing it - all you have to do is *not* force the
filtering or MITM to happen.

* remove any rules in your NAT or routes directing port 443 to the proxy.

* remove any https_port in the proxy for receiving that intercepted traffic

* remove any SSL-Bump config for handling intercepted port 443 traffic
or decrypting CONNECT tunnels.

With that all done you will at most be left with clients using the proxy
in forward-proxy capacity to open CONNECT tunnels.


> I have IP
> addresses 192.168.1.0-192.168.1.200 allocated through DHCP and I want
> these devices to bypass SSL interception but not the standard HTTP proxy.

Consider how those clients are using the proxy in the first place. Their
method of IP assignment has nothing to do with it.


> 
> Since most modern sites use HTTPS by default HTTP caching isn't that
> effective anymore,

That is a deceptive statement, more false than most think. But
irrelevant since what you are wanting will prevent HTTPS caching entirely.


> however I want my personal devices to use the SSL
> proxy 

Note that SSL protocols both v2 and v3 are obsolete.

Are you asking for:
 a) a TLS explicit proxy, or
 b) a TLS interception proxy, or
 c) a forward-proxy for relaying HTTPS ?


> so I can get the fastest possible browsing experience without
> having to install certificate authorities on my guests devices which use
> the DHCP range.
> 

A proxy is not going to do anything in regards to speed for those clients.

The only way which you can improve speed with a proxy is by caching of
HTTPS content - by avoiding all the re-encrypt delays on every request
that can be made a HIT. But that requires those cert installations you
are trying to avoid.


Amos
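As an added illustration (not part of this thread, and not a configuration Amos or the Squid project supplied), the following squid.conf fragment applies the advice above selectively: TLS connections from the guest DHCP range are spliced through untouched, so no CA certificate is needed on those devices, while only a separately named range of personal hosts is actually bumped. The ACL names, the second IP range, the port numbers, and the certificate and helper paths are all assumptions chosen for the example.

```conf
# Added example squid.conf fragment; ACL names, ranges, ports and paths are assumptions.

# Guest devices: the DHCP range from the question. These are never decrypted.
acl guest_net    src 192.168.1.0-192.168.1.200
# Personal devices: an assumed static range that holds the proxy CA in its trust store.
acl personal_net src 192.168.1.201-192.168.1.254

# SslBump step 1 is reached before any TLS bytes are read from the client.
acl step1 at_step SslBump1

# Explicit forward-proxy port (browsers configured to use the proxy).
http_port 3128 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    tls-cert=/usr/local/etc/squid/proxy-ca.pem

# Intercept port: only reached by traffic a NAT rule redirects here (port 443).
# Leaving guest_net out of that NAT rule is the simplest bypass of all.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    tls-cert=/usr/local/etc/squid/proxy-ca.pem

# Helper that mints per-site certificates for bumped connections (path assumed).
sslcrtd_program /usr/local/libexec/squid/security_file_certgen \
    -s /var/cache/squid/ssl_db -M 4MB

# Decision order matters: peek at the ClientHello first so the SNI is known,
# then splice guests (pure TCP relay, no MITM), bump only personal hosts,
# and splice anything else rather than decrypt it by accident.
ssl_bump peek   step1
ssl_bump splice guest_net
ssl_bump bump   personal_net
ssl_bump splice all
```

With this in place a guest client on 192.168.1.50 gets an opaque tunnel and sees the origin server's real certificate, so nothing needs to be installed on it, whereas a personal client on 192.168.1.210 has its HTTPS decrypted and becomes cacheable exactly as Amos describes. Note that for intercepted traffic the `src` ACLs see the original client address only if the pfSense NAT rule redirects rather than masquerades the connection; if the source is rewritten to the router's own address, every client will look the same to Squid and the per-range decision cannot work.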

