On 2013/03/12 10:49, Vijay Sankar wrote:
> Quoting Jiri B <ji...@devio.us>:
>
> >On Tue, Mar 12, 2013 at 01:00:58PM +0000, Stuart Henderson wrote:
> >>On 2013-03-10, Rosen Iliev <ro...@mynshosts.com> wrote:
> >>> Transparent proxy will not be useful for HTTPS connections.
> >>> To handle HTTPS you'll need not-transparent proxy.
> >>
> >>Actually squid 3.3 (not in ports yet) can do this using the
> >>sslbump MITM feature.
> >
> >I had to check cvs because I've thought relayd can do that too,
> >but ssl MITM support for relayd has not been committed yet :)
> >
> >jirib
> >
> >
>
> I was confused by the statement that https will not work if squid is
> used as a transparent proxy. I am using squid-2.7.STABLE9p20 and
> transparent proxy seems to work OK with HTTPS.
>
> My squid.conf has the following:
>
> acl local-subnet src 10.0.0.0/24 172.16.0.0/24
>
> http_access allow allow_overidedomains
>
> http_access deny block_domains
> http_access deny block_extensions
>
> http_access allow local-subnet localnet
>
> http_access deny all
>
> icp_access allow localnet
> icp_access deny all
>
> http_port 8080 transparent
>
> In my /var/squid/logs/access.log, I have entries such as
>
> 10.0.0.103 - - [12/Mar/2013:10:23:45 -0600] "CONNECT
> clients3.google.com:443 HTTP/1.0" 200 4455 TCP_MISS:DIRECT
>
> and so it looks like internal clients go to the squid proxy for HTTPS
> urls. So why are people saying that transparent proxy will not work
> for HTTPS? Or am I reading this log wrong? Please let me know if that
> is the case.
>
> I used tcpdump on the external interface of the OpenBSD firewall and
> did see HTTPS traffic -- NOT http traffic. The browser is Firefox
> 13.0.1 and it uses the squid proxy for all protocols including HTTPS.
For 2.7 you must have the proxy configured specifically in your browser for this to work - the SSL interception features are only in 3.x, and the "server first" mode which works with a transparent (a.k.a. interception) proxy needs 3.3. http://wiki.squid-cache.org/Features/BumpSslServerFirst (this mode dynamically generates server certificates on-the-fly and requires your CA certificate to be installed in browsers to avoid validation failure errors).
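The CONNECT entry in the quoted access.log is the tell-tale sign Stuart is pointing at: a browser only sends CONNECT when it has been configured to talk to a proxy, so that log line shows an explicit proxy setting, not interception. The following script is an added example, not code from the thread or from the Squid project: it parses access.log lines in the httpd-style ("common") format shown in the post and reports, per client, whether CONNECT requests were seen. The regular expression is my assumption about that format; the first sample line is the one quoted above, and the remaining sample lines are constructed for illustration.

```python
"""Classify squid access.log (httpd-style format) entries by request method.

Added example, not part of the mailing-list thread. The CONNECT line is the
one quoted in the thread; the other lines below are constructed.
"""
import re
from collections import defaultdict

# Assumed layout of an httpd-style squid access.log line, as pasted in the thread:
#   client ident user [timestamp] "METHOD target PROTO" status bytes RESULT:HIERARCHY
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<result>\S+)$'
)

# Constructed sample log: line 1 is from the thread, lines 2-3 are made up,
# line 4 is deliberately malformed to show that junk is skipped.
SAMPLE_LOG = """\
10.0.0.103 - - [12/Mar/2013:10:23:45 -0600] "CONNECT clients3.google.com:443 HTTP/1.0" 200 4455 TCP_MISS:DIRECT
10.0.0.103 - - [12/Mar/2013:10:23:47 -0600] "GET http://www.openbsd.org/ HTTP/1.1" 200 9812 TCP_MISS:DIRECT
10.0.0.50 - - [12/Mar/2013:10:24:02 -0600] "GET http://www.example.com/index.html HTTP/1.1" 200 1256 TCP_HIT:NONE
this line is garbage and should be skipped
"""


def parse_line(line):
    """Parse one access.log line; return a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def parse_log(text):
    """Parse every line of a log, silently dropping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify_clients(records):
    """Per client: count CONNECT vs other requests and state what the log proves.

    A CONNECT request is only ever issued by a client that knows it is talking
    to a proxy (browser or OS proxy setting), so any CONNECT means that client
    reaches squid explicitly rather than through an interception redirect.
    The absence of CONNECT proves nothing by itself: plain HTTP is logged the
    same way whether it was intercepted or sent to the proxy explicitly.
    """
    stats = defaultdict(lambda: {"connect": 0, "other": 0})
    for r in records:
        key = "connect" if r["method"] == "CONNECT" else "other"
        stats[r["client"]][key] += 1
    for c in stats.values():
        c["verdict"] = "explicit-proxy" if c["connect"] else "undetermined"
    return dict(stats)


if __name__ == "__main__":
    for client, c in classify_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: CONNECT={c['connect']} other={c['other']} -> {c['verdict']}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; if every client that reaches port 443 sites shows CONNECT entries, the browsers are proxy-configured, which is exactly the situation the 2.7 setup in the thread relies on.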