https in transparent proxy

DeepY0X · 03-06-2009, 11:40 AM

Hello, i have a transparent proxy with squid and dansguardian, i can deny pages via http protocol, but i cannot deny pages with https protocol like: https://imo.im, i was reading and i dont find a way to fix this problem, can anybody help me with a solution about it?

rossonieri#1 · 03-06-2009, 02:24 PM

hi deep,

have you route your https request through your squid proxy?
i mean - on your -t nat PREROUTING chain, have you redirect your https request to squid? (just like redirecting your http).

kirukan · 03-06-2009, 03:11 PM

if you redirect port 443 to 3128 or proxy listening port, tranparent squid proxy wont handle https(because https is encrypted protocol).are you access internet with proxy setting or without proxy setting on your web browser (actually if you setup transparent proxy you dont need to add proxy setting on web browser)??. I think there are some useful discussion about transparent proxy on this forum

huwnet · 03-06-2009, 04:24 PM

You'll probably need to ban the IP addresses associated with the domain

DeepY0X · 03-07-2009, 10:06 AM

if I ban the ip assocciatedd with domain, it only works with http, 'cause squid or dansguardian dont filter https, when we have a transparent proxy.

huwnet · 03-07-2009, 10:08 AM

You can always use IP tables to drop the packets at the firewall

DeepY0X · 03-07-2009, 05:38 PM

haha, yes, that's right

rossonieri#1 · 03-07-2009, 10:13 PM

@ kirukan,

Quote:

if you redirect port 443 to 3128 or proxy listening port, tranparent squid proxy wont handle https(because https is encrypted protocol)

excuse me, can you point me a legitimate resource about your opinion? or at least have you tried that? (redirecting https to squid)

@ deepyox,

perhaps you can try this

HTH.

win32sux · 03-07-2009, 10:36 PM

rossonieri#1, the Squid FAQ clearly states that it only does transparent proxying for HTTP. Regardless, the only way for Squid (or any other proxy server, for that matter) to achieve an effect similar to transparent proxying for HTTPS is to conduct a man-in-the-middle attack with or without the client's consent. Keep in mind this implies issuing your own digital certificate and getting it accepted by the clients. There are HOWTOs on how to do this with Squid. So yes, kirukan is absolutely correct, simply redirecting port 443 to Squid won't ever work like it does for port 80.

win32sux · 03-07-2009, 10:45 PM

Quote:

Originally Posted by huwnet

You can always use IP tables to drop the packets at the firewall

But that would kinda suck, since you'd need to be constantly aware of any changes in IPs for the domain, putting you at risk for false access grants and denials. IMHO, the most effective means to block access to specific HTTPS sites is to stop doing SNAT for port 443 and instead make clients connect to Squid for that. Then it becomes as simple as making a Squid ACL.

rossonieri#1 · 03-08-2009, 03:06 AM

@ win32sux,

nice catch. ya i know that squid by default doesnt do https transparent proxying (and or any other ports except 80 & 21). Actually i agreed with both you and kirukan in terms default squid https handling - but as you mentioned also actually it can do https transparent proxying by issuing cert on behalf the squid client (or somekind of legitimate MITM).

so, i'll let the audience decide our approach

kirukan · 03-09-2009, 02:58 AM

Quote:

Originally Posted by rossonieri#1

it can do https transparent proxying by issuing cert on behalf the squid client (or somekind of legitimate MITM).

rossonieri, please let us know whether there is any common way to allow all https sites by creating ssl certificate in squid on behalf of clients and web server negosiation.

rossonieri#1 · 03-09-2009, 08:43 AM

hi kirukan

here

HTH.

kirukan · 03-09-2009, 02:19 PM

yess well, I concern about allowing all https sites in a common way but by this ssl certificate method which is mentioned on squid website is only for known https sites. If we want to allow some specific or known https sites, this method may be suitable. But my point is that i am going to setup a transparent proxy for public. In this situation how does the method can be effective(can we add all https websites one by one?)
It is known fact that in the real world we dont know how many https sties are available. At this instance do u prefer this ssl certificate method??

rossonieri#1 · 03-09-2009, 02:49 PM

hi kirukan,

that was only an example using some known secure sites as target, but in the real world we take it as https/SSL termination - that is how this SSL & SSL proxying thing works.

why people prefer not to proxy/cache any https/SSL request (currently - after some proxy development) were only on those some SSL termination problem and publishing certs on behalf clients. it indeed took a lot of effort.

secure means you've consciously trusted both end-points (server and client) - so you need to explicitly define which your target domain is. - otherwise, all this secure thing (SSL) will fall off to basic unsecure http connection.

HTH.