Quoting Stuart Henderson <s...@spacehopper.org>:
>On 2013/03/12 10:49, Vijay Sankar wrote:
>>Quoting Jiri B <ji...@devio.us>:
>>>On Tue, Mar 12, 2013 at 01:00:58PM +0000, Stuart Henderson wrote:
>>>>On 2013-03-10, Rosen Iliev <ro...@mynshosts.com> wrote:
>>>>> Transparent proxy will not be useful for HTTPS connections.
>>>>> To handle HTTPS you'll need not-transparent proxy.
>>>>
>>>>Actually squid 3.3 (not in ports yet) can do this using the
>>>>sslbump MITM feature.
>>>
>>>I had to check cvs because I've thought relayd can do that too,
>>>but ssl MITM support for relayd has not been committed yet :)
>>>
>>>jirib
>>>
>>>
>>I was confused by the statement that https will not work if squid is
>>used as a transparent proxy. I am using squid-2.7.STABLE9p20 and
>>transparent proxy seems to work OK with HTTPS.
>>
>>My squid.conf has the following:
>>
>>acl local-subnet src 10.0.0.0/24 172.16.0.0/24
>>http_access allow allow_overidedomains
>>http_access deny block_domains
>>http_access deny block_extensions
>>http_access allow local-subnet localnet
>>http_access deny all
>>icp_access allow localnet
>>icp_access deny all
>>http_port 8080 transparent
>>
>>In my /var/squid/logs/access.log, I have entries such as
>>
>>10.0.0.103 - - [12/Mar/2013:10:23:45 -0600] "CONNECT clients3.google.com:443 HTTP/1.0" 200 4455 TCP_MISS:DIRECT
>>
>>and so it looks like internal clients go to the squid proxy for HTTPS
>>urls. So why are people saying that transparent proxy will not work
>>for HTTPS? Or am I reading this log wrong? Please let me know if that
>>is the case.
>>
>>I used tcpdump on the external interface of the OpenBSD firewall and
>>did see HTTPS traffic -- NOT http traffic. The browser is Firefox
>>13.0.1 and it uses the squid proxy for all protocols including HTTPS.
>
>For 2.7 you must have the proxy configured specifically in your browser
>for this to work - the SSL interception features are only in 3.x, and
>the "server first" mode which works with transparent (a.k.a.
>interception) proxy needs 3.3.
>
>http://wiki.squid-cache.org/Features/BumpSslServerFirst
>
>(this mode dynamically generates server certificates on-the-fly and
>requires your CA certificate to be installed in browsers to avoid
>validation failure errors).
Thank you very much, I have WPAD entries in the DHCP server and a PAC
file, so it looks like I am not really using squid as a transparent
proxy even though it is configured as one. Now I get it!
Thanks again,
Vijay
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca
---------------------------------------------
This message was sent using ForeTell-POST 4.9
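The point Stuart makes above can be checked from the proxy's own log: a CONNECT entry can only be produced by a client that knows it is talking to a proxy (configured by hand or via WPAD/PAC), so CONNECT lines in access.log identify clients that are using squid explicitly rather than being intercepted by the "transparent" http_port. The script below is an added example, not code from the thread or from the Squid project. It parses squid 2.7 "common" style log lines like the one Vijay quoted (the sample lines are constructed; hosts and addresses are made up), lists the clients seen issuing CONNECT, and additionally flags CONNECT requests to ports other than 443, which assumes the usual squid policy of tunnelling only to the SSL port; that check is not discussed in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the access.log entry quoted in the
# thread (client, ident, user, [timestamp], "METHOD target HTTP/x.y", status,
# bytes, squid tag). Hosts and addresses are made up for the example.
SAMPLE_LOG = """\
10.0.0.103 - - [12/Mar/2013:10:23:45 -0600] "CONNECT clients3.google.com:443 HTTP/1.0" 200 4455 TCP_MISS:DIRECT
10.0.0.105 - - [12/Mar/2013:10:24:01 -0600] "GET http://www.example.org/index.html HTTP/1.1" 200 1523 TCP_HIT:NONE
10.0.0.107 - - [12/Mar/2013:10:24:17 -0600] "CONNECT mail.example.net:25 HTTP/1.0" 403 1230 TCP_DENIED:NONE
10.0.0.103 - - [12/Mar/2013:10:25:02 -0600] "GET http://www.example.org/ HTTP/1.1" 304 310 TCP_REFRESH_HIT:DIRECT
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<tag>\S+)$'
)

# Assumption: only HTTPS (443) is an expected CONNECT destination, as in the
# stock squid "SSL_ports" policy. Adjust if your policy tunnels other ports.
ALLOWED_CONNECT_PORTS = {443}


def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec):
    """Label a parsed record.

    'connect-tunnel'        - CONNECT to an allowed port (explicitly configured client)
    'connect-unusual-port'  - CONNECT to any other port (worth a look)
    'http-proxied'          - plain HTTP request; the log alone does not tell
                              explicit from intercepted traffic here
    """
    if rec["method"] == "CONNECT":
        _host, _sep, port = rec["target"].rpartition(":")
        port_num = int(port) if port.isdigit() else None
        if port_num in ALLOWED_CONNECT_PORTS:
            return "connect-tunnel"
        return "connect-unusual-port"
    return "http-proxied"


def summarize(log_text):
    """Count record kinds and collect (client, target, status) for unusual CONNECTs."""
    counts = Counter()
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "connect-unusual-port":
            flagged.append((rec["client"], rec["target"], rec["status"]))
    return counts, flagged


def explicit_proxy_clients(log_text):
    """Clients that issued CONNECT: these are demonstrably configured to use the
    proxy (manually, or via WPAD/PAC) rather than being transparently intercepted."""
    clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["method"] == "CONNECT":
            clients.add(rec["client"])
    return clients


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    print("record kinds:", dict(counts))
    print("clients using the proxy explicitly:", sorted(explicit_proxy_clients(SAMPLE_LOG)))
    for client, target, status in flagged:
        print(f"unusual CONNECT from {client} to {target} (status {status})")
```

Run it against a real /var/squid/logs/access.log by replacing SAMPLE_LOG with the file contents; any client that never appears with a CONNECT line is either only browsing plain HTTP or is reaching squid through the intercepting http_port, which, as noted above, cannot carry HTTPS on 2.7.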