Hi,

You cannot use TPROXY for a transparent proxy for HTTPS, only SSL-Bump under Squid Proxy. Squid runs on the same machine as Shorewall.

squid.conf:

# intercept: receive the REDIRECTed port-443 traffic; ssl-bump: decrypt it;
# cert=: the CA that signs the per-host certificates Squid mints on the fly
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/mycert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/libexec/security_file_certgen -s /var/run/squid/ssl_db -M 16MB
acl step1 at_step SslBump1
# peek at the client hello first, then bump everything
ssl_bump peek step1
ssl_bump bump all
# note: this line is never reached, "bump all" above already matches every connection
ssl_bump splice all

and in rules under /etc/shorewall:

HTTPS(REDIRECT)	loc	3130

and of course before:

HTTPS(ACCEPT)	$FW	net

Squid acts as a man in the middle.

Best regards,
Witek

Mon, 5 Oct 2020 at 09:58 Vieri Di Paola <vieridipa...@gmail.com> wrote:
> On Mon, Oct 5, 2020 at 8:17 AM Tuomo Soini <t...@foobar.fi> wrote:
> >
> > On Mon, 5 Oct 2020 01:42:59 +0200
> > Vieri Di Paola <vieridipa...@gmail.com> wrote:
> >
> > > > I seriously doubt that the TLS handshake works when you try using
> > > > HTTPS. The proxy is a 'man in the middle' in that case.
> >
> > You can't do a transparent proxy for HTTPS.
>
> You can "SSL bump", as in MITM, with Squid since v. 3, just as long as
> the organization/users import the proxy's certificate.
> HTTPS is transparently proxied.
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

-- 
Witold Tosta
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
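The ssl_bump rules above are evaluated top to bottom at each SslBump step, first match wins, so the ordering and the ACLs decide whether the proxy actually decrypts anything and whether it still verifies upstream servers. The following is an added example (not code from the thread, from Squid or from Shorewall): a small linter that parses the ssl_bump, https_port, sslcrtd_program and sslproxy_cert_error directives of a squid.conf and reports the mistakes that make an intercepting SSL-bump setup silently weaker than intended. SAMPLE_CONF is the configuration posted in the thread, one directive per line; WEAK_CONF is a constructed counter-example. The finding codes and the set of checks are this example's own choices.

```python
"""Lint the SSL-bump part of a squid.conf (added example, not Squid code)."""

from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (code, human-readable message)

# Constructed sample: the configuration posted in the thread, one directive per line.
SAMPLE_CONF = """\
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/mycert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/libexec/security_file_certgen -s /var/run/squid/ssl_db -M 16MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all
"""

# Constructed counter-example with several of the mistakes this linter looks for.
WEAK_CONF = """\
https_port 3130 intercept cert=/etc/squid/ssl_cert/mycert.pem generate-host-certificates=on
ssl_bump bump step9
sslproxy_cert_error allow all
"""

FINAL_ACTIONS = {"splice", "bump", "terminate"}  # decide the connection for good
PEEK_ACTIONS = {"peek", "stare"}                 # defer the decision to the next step


def parse(conf: str):
    """Split squid.conf text into the directive families the linter cares about."""
    acls: Dict[str, List[str]] = {"all": ["src", "all"]}  # 'all' is predefined by Squid
    rules: List[Tuple[str, List[str]]] = []               # (action, acl names)
    ports: List[List[str]] = []                            # https_port option lists
    other: Dict[str, List[List[str]]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, *args = line.split()
        if name == "acl" and len(args) >= 2:
            acls[args[0]] = args[1:]
        elif name == "ssl_bump" and args:
            rules.append((args[0], args[1:]))
        elif name == "https_port":
            ports.append(args)
        else:
            other.setdefault(name, []).append(args)
    return acls, rules, ports, other


def lint(conf: str) -> List[Finding]:
    acls, rules, ports, other = parse(conf)
    findings: List[Finding] = []

    for opts in ports:
        if "intercept" in opts or "tproxy" in opts:
            if "ssl-bump" not in opts:
                findings.append(("no-ssl-bump", "intercepting https_port without ssl-bump: TLS is tunnelled, never decrypted"))
            elif not any(o.startswith("cert=") for o in opts):
                findings.append(("no-ca-cert", "ssl-bump https_port without cert=: no CA to mint per-host certificates"))
        if "generate-host-certificates=on" in opts and "sslcrtd_program" not in other:
            findings.append(("no-certgen", "generate-host-certificates=on but no sslcrtd_program configured"))

    # Rules are matched in order at every step; an unconditional final action
    # (bump/splice/terminate with no ACL or with 'all') shadows everything below it.
    shadowed = False
    for action, acl_names in rules:
        for a in acl_names:
            if a.lstrip("!") not in acls:
                findings.append(("unknown-acl", f"ssl_bump {action} references undefined ACL {a!r}"))
        if shadowed:
            findings.append(("unreachable", f"ssl_bump {action} {' '.join(acl_names)} can never match"))
            continue
        if action in FINAL_ACTIONS and (not acl_names or all(a == "all" for a in acl_names)):
            shadowed = True

    # Bumping without any peek/stare means Squid forges the server certificate
    # before it has seen the real one (client-first bumping).
    actions = {action for action, _ in rules}
    if "bump" in actions and not actions & PEEK_ACTIONS:
        findings.append(("client-first", "bump without peek/stare: server certificate is forged before it is seen"))

    for args in other.get("sslproxy_cert_error", []):
        if args and args[0] == "allow" and (len(args) == 1 or "all" in args[1:]):
            findings.append(("upstream-unverified", "sslproxy_cert_error allow all: any upstream certificate is accepted, clients lose validation entirely"))

    return findings


if __name__ == "__main__":
    for label, conf in (("thread config", SAMPLE_CONF), ("weak config", WEAK_CONF)):
        print(f"== {label}")
        for code, msg in lint(conf):
            print(f"  [{code}] {msg}")
```

Run against the thread's own configuration the only finding is the unreachable `ssl_bump splice all`; the counter-example shows how a missing `ssl-bump` option turns the "transparent proxy" back into a plain tunnel, and how `sslproxy_cert_error allow all` removes the one certificate check that still protects bumped clients.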