Transparent Squid https error
Dear all,
I have configured Squid as a transparent proxy, but my users cannot access sites that use HTTPS. A quick response will be highly appreciated.

Squid basically is an HTTP proxy and hence it would not be possible to intercept the encrypted HTTPS traffic using Squid. It would defeat the purpose of having encryption.
I am not sure what you have done here to make Squid work in transparent mode. Logically you should use iptables to redirect all the traffic on port 80 to port 3128 (or any other port on which Squid is listening). This should not affect port 443 unless you have redirected the HTTPS content as well. And if you have done that, the HTTPS sites obviously will not work.
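
Added example, not part of the original posts: a shell check for the misconfiguration the reply above describes, where port 443 is redirected to Squid's plain-HTTP intercept port. The function names, the `eth1` interface and the sample ruleset are constructed for illustration; port 3128 is the one named in the reply.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
SQUID_HTTP_PORT=3128   # Squid's plain-HTTP intercept port, as in the reply above

# Constructed sample of `iptables-save -t nat` output (eth1 is an assumed LAN interface).
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
COMMIT
EOF
}

# Reads iptables-save text on stdin and prints one line per redirected port.
# Handles both "--dport N" and multiport "--dports A,B"; REDIRECT rules
# without a destination-port match produce no output.
audit_redirects() {
    awk -v http_port="$SQUID_HTTP_PORT" '
    /-j REDIRECT/ {
        dports = ""; to = ""
        for (i = 1; i < NF; i++) {
            if ($i == "--dport" || $i == "--dports") dports = $(i + 1)
            if ($i == "--to-ports") to = $(i + 1)
        }
        n = split(dports, p, ",")
        for (k = 1; k <= n; k++) {
            if (p[k] == "443" && to == http_port)
                printf "BAD  %s -> %s (TLS redirected to the plain-HTTP port)\n", p[k], to
            else
                printf "OK   %s -> %s\n", p[k], to
        }
    }'
}

# Succeeds (exit 0) only when no rule sends port 443 to the HTTP intercept port.
ruleset_is_sane() {
    ! audit_redirects | grep -q '^BAD'
}

# Demo on the constructed sample.
sample_rules | audit_redirects
```

On a live gateway the same check is `iptables-save -t nat | audit_redirects`, run as root.
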
Do not transparently proxy HTTPS. It's really difficult to get it right, and if you don't appreciate the specific issues involved in proxying SSL encrypted traffic, you'll NEVER get a good solution.
Transparent proxying is NOT the miracle you think it is. Configure the clients to explicitly use the proxy, block unproxied web access and have a simple system you can properly understand.

Dear Chaitanya and Chris, thanks for your response. Transparent proxying is what I need to connect my PAM devices' users. I am using the Squid 3.0 precompiled RPM to bind IP to MAC, so that my users cannot change their IP addresses.
Regards.

Dear Chris,
I want to tell you that I am bound to use a transparent proxy and Squid 3.0 to achieve my required goals. Please guide me on how to get my desired results, i.e. open HTTPS sites like Gmail etc.

The best you can do is configure an https_port with transparency on the server. You'll need to create your own certificate to encrypt the connection. This will mean that when a user connects to gmail.com they will get YOUR certificate, and their browser will complain. When they go to facebook.com, they will get YOUR certificate and their browser will complain. It's a sucky solution. You should take pride in your work and get the requirements and limitations changed. This is not a good solution.
As per this link, you can get it working, but it's crap compared to doing a proper job. http://tektab.com/2012/09/28/squid-t...s-ssl-traffic/

Actually, there is some progress on this in 3.2: http://wiki.squid-cache.org/Features/DynamicSslCert

Dear Chris, thanks, the link http://tektab.com/2012/09/28/squid-t...s-ssl-traffic/ has done the job. But I am receiving the following error after entering the user name and password for my Gmail and Yahoo email accounts:
Connection to 173.194.70.94 failed The system returned:(71) Protocol error the remote host or network may be down. Please try the request again.
Regards.