On Fri, 28 Jun 2013 13:12:38 +0100 Chris Davies <ch...@roaima.co.uk> wrote:
> Frank Lanitz <fr...@frank.uvena.de> wrote:
> > Is there a way of using a squid proxy in transparent way [...] for
> > SSL. If I'm entering the proxy directly into
> > e.g. Firefox it's working -- but I didn't get it running via
> > transparent mode.
>
> As you'll know, it's pretty straightforward to set up a transparent
> proxy for (unencrypted) HTTP traffic. However, creating one for
> HTTPS/SSL traffic is far harder.
>
> The simplistic answer is that you can't do this. The reason here is
> that the web browser won't issue a proxy CONNECT request unless it
> knows there's a proxy involved. And because you've got a transparent
> setup it doesn't know. So it tries to go directly to the target
> website. But you're intercepting the traffic and routing it via
> squid, so it can't get there - or else you're going to be providing
> an incorrect certificate.
>
> There are a number of options you've got at this point.
>
> 1. Prevent all SSL-based web browsing. (Probably unrealistic.)
>
> 2. Create a Certificate Authority and install your CA certificate on
> all users' web browsers. Hijack tcp/443 SSL traffic as before but
> spoof the appropriate certificate dynamically (sign it with your own
> CA). Decrypt the traffic, route it via squid or whatever, re-encrypt
> it and send it on to the target host. (Probable privacy concerns with
> this option.)
>
> 3. Abandon the transparent approach. Block all tcp/80 and tcp/443
> access except via your proxy. Provide a wpad configuration file that
> people will find by enabling "auto configure", and have this instruct
> web browsers to use your proxy. (Recommended solution.)
>
> 3a. As for #3 but also continue to hijack tcp/80 and tcp/443, pointing
> them to a static page that explains how to enable automatic
> configuration.
>
> If you really want/need to force all traffic via your proxy I'd
> recommend you seriously consider option 3/3a.

Thanks for the input.

I think I really should give up the transparent approach and try to make use of autoconfig, in the hope that clients are able to understand it.

Cheers,
Frank
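As an added illustration of option 3 above (not part of the original thread, and not a file from the Squid project), here is the kind of wpad.dat proxy auto-config (PAC) script the "auto configure" setting would fetch. It assumes a Squid listening on proxy.example.internal:3128 and an internal domain example.internal; both names are placeholders. Browsers find the file by the DNS name wpad in the client's domain or via DHCP option 252, so that name must resolve only to your own server, and the file should be served with the Content-Type application/x-ns-proxy-autoconfig.

```javascript
// Constructed wpad.dat example for option 3: send every external http and https
// request through Squid, keep LAN traffic direct. Only plain string/regex code is
// used so the script also evaluates outside a browser's PAC runtime.
var PROXY = "PROXY proxy.example.internal:3128";   // assumed Squid address (placeholder)
var INTERNAL_DOMAIN = ".example.internal";         // assumed internal DNS suffix (placeholder)

function endsWith(s, suffix) {
  return s.length >= suffix.length && s.lastIndexOf(suffix) === s.length - suffix.length;
}

// True for dotted-quad literals in RFC 1918 space or loopback; such hosts are on
// the LAN and must not be sent to the proxy.
function isPrivateIpLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names (e.g. "intranet"), localhost and the internal domain stay direct.
  if (host.indexOf(".") === -1 || host === "localhost" || endsWith(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  if (isPrivateIpLiteral(host)) {
    return "DIRECT";
  }
  // Everything else goes via Squid. Because the browser now knows a proxy is in
  // play it issues a CONNECT for https, which is exactly what transparent
  // interception could not get it to do. No "; DIRECT" fallback is listed: the
  // firewall blocks direct tcp/80 and tcp/443 anyway, so a fallback would only
  // turn a visible proxy outage into a confusing timeout.
  return PROXY;
}
```

The unqualified-name and private-address checks matter because a PAC script that sends LAN hosts to the proxy makes Squid a detour for internal traffic and breaks anything the proxy cannot reach.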