[squid-users] Newbie question, How to fully disable/disallow https?
Alex Rousskov
rousskov at measurement-factory.com
Tue Jun 22 19:40:48 UTC 2021
On 6/22/21 3:32 PM, Arctic5824 wrote:
> Hello, Recently I setup my first squid proxy,
>
> I want it when users try to acces a website via https, they get
> redirected to the http version, I tried disabling https by reading the
> comments in the config, the squid docs, and online forums, but I am
> unable to figure this out, I also tried blocking port 443 using ufw but
> it just resulted in users timing out.
>
> Please rest assured I understand the security and other risks this
> brings, thanks.
> To reiterate as this email is a bit long, I'd like to know how to
> dis-allow https and redirect users to http versions of websites when
> they try to use https
To disable HTTPS access through the proxy, simply deny all CONNECT
requests using http_access rules.
Redirecting HTTPS attempts to HTTP is a lot harder and is unreliable.
You will have to bump TLS connections and then deny all bumped requests
with a redirection response (that many browsers may not even follow --
you should test this). This will not work in many cases because TLS is
not supposed to be bumped -- many clients and origin servers will work
hard to prevent you from bumping their connections. See ssl_bump and
deny_info for starting points.
HTH,
Alex.
More information about the squid-users
mailing list