On Fri, 28 Jun 2013 13:12:38 +0100
Chris Davies <ch...@roaima.co.uk> wrote:

> Frank Lanitz <fr...@frank.uvena.de> wrote:
> > Is there a way of using a squid proxy in transparent way [...] for
> > SSL. If I'm entering the proxy directly into
> > e.g. Firefox it's working -- but I didn't get it running via
> > transparent mode.
> 
> As you'll know, it's pretty straightforward to set up a transparent
> proxy for (unencrypted) HTTP traffic. However, creating one for
> HTTPS/SSL traffic is far harder.
> 
> The simplistic answer is that you can't do this. The reason here is
> that the web browser won't issue a proxy CONNECT request unless it
> knows there's a proxy involved. And because you've got a transparent
> setup it doesn't know. So it tries to go directly to the target
> website. But you're intercepting the traffic and routing it via
> squid, so it can't get there - or else you're going to be providing
> an incorrect certificate.
> 
> There are a number of options you've got at this point.
> 
> 1. Prevent all SSL-based web browsing. (Probably unrealistic.)
> 
> 2. Create a Certificate Authority and install your CA certificate on
> all users' web browsers. Hijack tcp/443 SSL traffic as before but
> spoof the appropriate certificate dynamically (sign it with your own
> CA). Decrypt the traffic, route it via squid or whatever, re-encrypt
> it and send it on to the target host. (Probable privacy concerns with
> this option.)
> 
> 3. Abandon the transparent approach. Block all tcp/80 and tcp/443
> access except via your proxy. Provide a wpad configuration file that
> people will find by enabling "auto configure", and have this instruct
> web browsers to use your proxy. (Recommended solution.)
> 
> 3a. As for #3 but also continue to hijack tcp/80 and tcp/443, pointing
> them to a static page that explains how to enable automatic
> configuration.
> 
> If you really want/need to force all traffic via your proxy I'd
> recommend you seriously consider option 3/3a.

Thanks for the input. I think I really should give up the transparent
approach and try to make use of autoconfig, in the hope that clients are
able to understand it.

Cheers, 
Frank
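The option 3 setup Chris recommends, as an added example that is not part of the thread: a wpad.dat (PAC) file that sends all external HTTP and HTTPS through squid and keeps internal names direct, so the browser knows about the proxy and issues CONNECT for HTTPS itself. The proxy host proxy.example.net:3128, the internal domain example.net and the 10.0.0.0/8 range are assumed placeholders.

```javascript
// Added example (not from the original thread). Placeholders: proxy host
// proxy.example.net:3128, internal domain example.net, internal net 10.0.0.0/8.
// Written without the browser-supplied PAC helpers (isPlainHostName, isInNet,
// dnsDomainIs) so the very same file also runs unchanged under Node.

var PROXY = "PROXY proxy.example.net:3128";
var INTERNAL_DOMAIN = ".example.net";

// True only for a dotted-quad literal inside 10.0.0.0/8 (assumed internal range).
function isInternalIp(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && Number(m[1]) === 10;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names, loopback, the internal domain and internal IPs stay on the LAN.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host === "localhost" || host === "127.0.0.1") return "DIRECT";
  if (host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) return "DIRECT";
  if (isInternalIp(host)) return "DIRECT";
  // Everything else on http/https goes via squid. No "; DIRECT" fallback is
  // given on purpose: with direct tcp/80 and tcp/443 blocked at the firewall
  // it would only turn a clear proxy error into a silent timeout.
  var scheme = url.split(":")[0].toLowerCase();
  if (scheme === "http" || scheme === "https") return PROXY;
  return "DIRECT";
}
```

Serve the file as http://wpad.<your domain>/wpad.dat with Content-Type application/x-ns-proxy-autoconfig; the firewall rules that block direct tcp/80 and tcp/443 must still let clients reach the wpad host and the proxy port.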
