Old 03-06-2009, 11:40 AM   #1
DeepY0X
LQ Newbie
 
Registered: Mar 2009
Posts: 5

Rep: Reputation: 0
https in transparent proxy


Hello, I have a transparent proxy with Squid and DansGuardian. I can deny pages via the HTTP protocol, but I cannot deny pages with the HTTPS protocol, like https://imo.im. I was reading and I don't find a way to fix this problem. Can anybody help me with a solution for it?
 
Old 03-06-2009, 02:24 PM   #2
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi deep,

Have you routed your HTTPS requests through your Squid proxy?
I mean, on your -t nat PREROUTING chain, have you redirected your HTTPS requests to Squid (just like redirecting your HTTP)?
 
Old 03-06-2009, 03:11 PM   #3
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,234

Rep: Reputation: 132
If you redirect port 443 to 3128 or the proxy listening port, the transparent Squid proxy won't handle HTTPS (because HTTPS is an encrypted protocol). Are you accessing the internet with a proxy setting or without a proxy setting in your web browser? (Actually, if you set up a transparent proxy you don't need to add a proxy setting in the web browser.) I think there are some useful discussions about transparent proxies on this forum.
 
Old 03-06-2009, 04:24 PM   #4
huwnet
Member
 
Registered: Jan 2006
Location: England
Distribution: Arch
Posts: 119

Rep: Reputation: Disabled
You'll probably need to ban the IP addresses associated with the domain.
 
Old 03-07-2009, 10:06 AM   #5
DeepY0X
LQ Newbie
 
Registered: Mar 2009
Posts: 5

Original Poster
Rep: Reputation: 0
If I ban the IP associated with the domain, it only works with HTTP, 'cause Squid or DansGuardian don't filter HTTPS when we have a transparent proxy.
 
Old 03-07-2009, 10:08 AM   #6
huwnet
Member
 
Registered: Jan 2006
Location: England
Distribution: Arch
Posts: 119

Rep: Reputation: Disabled
You can always use iptables to drop the packets at the firewall.
 
Old 03-07-2009, 05:38 PM   #7
DeepY0X
LQ Newbie
 
Registered: Mar 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Haha, yes, that's right.
 
Old 03-07-2009, 10:13 PM   #8
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
@ kirukan,

Quote:
If you redirect port 443 to 3128 or the proxy listening port, the transparent Squid proxy won't handle HTTPS (because HTTPS is an encrypted protocol)
Excuse me, can you point me to a legitimate resource about your opinion? Or at least, have you tried that (redirecting HTTPS to Squid)?

@ deepyox,

Perhaps you can try this.

HTH.
 
Old 03-07-2009, 10:36 PM   #9
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
rossonieri#1, the Squid FAQ clearly states that it only does transparent proxying for HTTP. Regardless, the only way for Squid (or any other proxy server, for that matter) to achieve an effect similar to transparent proxying for HTTPS is to conduct a man-in-the-middle attack with or without the client's consent. Keep in mind this implies issuing your own digital certificate and getting it accepted by the clients. There are HOWTOs on how to do this with Squid. So yes, kirukan is absolutely correct, simply redirecting port 443 to Squid won't ever work like it does for port 80.

Last edited by win32sux; 03-07-2009 at 10:42 PM.
 
Old 03-07-2009, 10:45 PM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by huwnet
You can always use iptables to drop the packets at the firewall.
But that would kinda suck, since you'd need to be constantly aware of any changes in IPs for the domain, putting you at risk for false access grants and denials. IMHO, the most effective means to block access to specific HTTPS sites is to stop doing SNAT for port 443 and instead make clients connect to Squid for that. Then it becomes as simple as making a Squid ACL.

Last edited by win32sux; 03-07-2009 at 10:54 PM.
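The approach win32sux describes, written out as an added example that is not from the thread or from the Squid project: keep the transparent redirect for port 80 only, have clients talk to Squid explicitly for HTTPS, and deny the domain with a Squid ACL on the CONNECT request. Port 3128 and the domain imo.im come from the thread; the interface name eth0, the intercept port 3129 and the assumption that clients are configured (browser or WPAD settings) to use the explicit proxy are mine.

```conf
# squid.conf fragment (added example). Two listeners: an explicit one that
# browsers are configured to use, and an intercept one that only receives
# port-80 traffic redirected by the firewall.
http_port 3128
http_port 3129 transparent     # Squid 2.x keyword; newer releases spell it 'intercept'

# WEAK: redirecting 443 to the intercept port does not work. Squid receives
# raw TLS bytes with no HTTP request to match an ACL against, so do NOT add:
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129

# CORRECTED: only HTTP is intercepted (this is the firewall side, shown here
# as a comment because it is not a squid.conf directive):
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129

# With an explicit proxy the browser sends "CONNECT imo.im:443 HTTP/1.1", so
# the host name is visible to Squid before any TLS is exchanged and a
# dstdomain ACL can match it. The leading dot also matches subdomains.
acl blocked_https dstdomain .imo.im
acl CONNECT method CONNECT
acl SSL_ports port 443
acl localnet src 192.168.1.0/24   # assumed client network

# Deny the blocked domain first, then the usual sanity rule that CONNECT is
# only allowed to the HTTPS port, then allow the LAN.
http_access deny CONNECT blocked_https
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Check that the policy cannot be bypassed: if clients can still open port
# 443 directly through the router, the ACL is moot. Block direct outbound
# 443 from the LAN in the filter table so only the proxy can reach it:
#   iptables -A FORWARD -i eth0 -p tcp --dport 443 -j REJECT
# A quick test from a client: curl -x http://proxy:3128 https://imo.im/
# should return Squid's 403 error page.
```

If clients are not configured to use the proxy, the dstdomain rule never sees the CONNECT request and the FORWARD rule is the only thing stopping the connection, which is why both halves are needed.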
 
Old 03-08-2009, 03:06 AM   #11
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
@ win32sux,

Nice catch. Ya, I know that Squid by default doesn't do HTTPS transparent proxying (and/or any other ports except 80 & 21). Actually I agree with both you and kirukan in terms of default Squid HTTPS handling, but as you also mentioned, it actually can do HTTPS transparent proxying by issuing a cert on behalf of the Squid client (or some kind of legitimate MITM).

So, I'll let the audience decide our approach.
 
Old 03-09-2009, 02:58 AM   #12
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,234

Rep: Reputation: 132
Quote:
Originally Posted by rossonieri#1
it can do HTTPS transparent proxying by issuing a cert on behalf of the Squid client (or some kind of legitimate MITM).
rossonieri, please let us know whether there is any common way to allow all HTTPS sites by creating an SSL certificate in Squid on behalf of the client and web server negotiation.
 
Old 03-09-2009, 08:43 AM   #13
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
Hi kirukan,

here

HTH.
 
Old 03-09-2009, 02:19 PM   #14
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,234

Rep: Reputation: 132
Yes, well, I am concerned about allowing all HTTPS sites in a common way, but this SSL certificate method which is mentioned on the Squid website is only for known HTTPS sites. If we want to allow some specific or known HTTPS sites, this method may be suitable. But my point is that I am going to set up a transparent proxy for the public. In this situation how can the method be effective (can we add all HTTPS websites one by one?)
It is a known fact that in the real world we don't know how many HTTPS sites are available. In this instance, do you prefer this SSL certificate method?
 
Old 03-09-2009, 02:49 PM   #15
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
Hi kirukan,

That was only an example using some known secure sites as the target, but in the real world we take it as HTTPS/SSL termination; that is how this SSL & SSL proxying thing works.

Why people prefer not to proxy/cache any HTTPS/SSL requests (currently, after some proxy development) was only because of those SSL termination problems and publishing certs on behalf of clients. It indeed took a lot of effort.

Secure means you've consciously trusted both end-points (server and client), so you need to explicitly define which your target domain is. Otherwise, all this secure thing (SSL) will fall off to a basic unsecure HTTP connection.

HTH.
 
Tags
dansguardian, https, squid, transparent