LinuxQuestions.org


gulnawaz 12-14-2012 05:29 AM

Transparent Squid https error

Dear all,

I have configured Squid as a transparent proxy, but my users cannot access sites using HTTPS.
A quick response will be highly appreciated.

linuxlover.chaitanya 12-14-2012 05:40 AM

Squid basically is an HTTP proxy and hence it would not be possible to intercept the encrypted HTTPS traffic using Squid. It would defeat the purpose of having encryption.
I am not sure what you have done here to make Squid work in transparent mode. Logically you should use iptables to redirect all the traffic on port 80 to port 3128 (or any other port on which squid is listening). This should not affect port 443 unless you have redirected the HTTPS content as well. And if you have done that, the HTTPS sites obviously will not work.
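
An added example (not from the thread) of the setup linuxlover.chaitanya describes: a small POSIX shell script that builds the port-80-only redirect rule, emits the matching squid.conf line, and checks a rule listing for a port-443 redirect, which is the rule that breaks HTTPS for users. The interface name eth1, port 3128 and the LAN_IF, SQUID_PORT and IPTABLES variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: intercept only plain HTTP (port 80)
# and leave 443 untouched. Assumed names: LAN_IF, SQUID_PORT, IPTABLES.

LAN_IF="${LAN_IF:-eth1}"          # assumption: the LAN-facing interface
SQUID_PORT="${SQUID_PORT:-3128}"  # Squid's listening port, as in the thread
IPTABLES="${IPTABLES:-iptables}"  # set IPTABLES=echo to print rules instead of applying them

# Redirect client port-80 traffic arriving on the LAN interface to Squid.
# Port 443 is deliberately not matched: TLS traffic passes through the router
# unchanged, so HTTPS sites keep working.
redirect_http_only() {
    "$IPTABLES" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
}

# Matching squid.conf line. Squid 3.0 (the poster's version) spells the
# interception option "transparent"; Squid 3.1 and later call it "intercept".
squid_conf_fragment() {
    case "$1" in
        3.0*) printf 'http_port %s transparent\n' "$SQUID_PORT" ;;
        *)    printf 'http_port %s intercept\n' "$SQUID_PORT" ;;
    esac
}

# Scan a rule listing (e.g. the output of iptables-save) and fail if any rule
# sends port 443 to the proxy; that is the rule that breaks HTTPS for users.
check_no_https_redirect() {
    ! printf '%s\n' "$1" | grep -E -- '--dport 443 .*-j (REDIRECT|DNAT)' >/dev/null
}
```

Run `check_no_https_redirect "$(iptables-save -t nat)"` on the gateway to confirm nothing is quietly redirecting 443.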

acid_kewpie 12-14-2012 05:40 AM

Do not transparently proxy https. It's really difficult to get it right, and if you don't appreciate the specific issues involved in proxying SSL encrypted traffic, you'll NEVER get a good solution.

Transparent proxying is NOT the miracle you think it is. Configure the clients to explicitly use the proxy, block unproxied web access and have a simple system you can properly understand.

acid_kewpie 12-14-2012 05:42 AM

Quote:

Originally Posted by linuxlover.chaitanya (Post 4849187)
Squid basically is an HTTP proxy and hence it would not be possible to intercept the encrypted HTTPS traffic using Squid. It would defeat the purpose of having an encryption.

Well it *IS* possible, mostly since Squid 2.6, but it's not just a tick-box thing to get going, and it is pretty misleading to say it's fully supported. But it's definitely possible with termination and re-encryption. If a sysadmin doesn't understand the ins and outs, though, it's a VERY irresponsible thing to do, including bringing legal issues into the mix.

gulnawaz 12-18-2012 11:22 PM

Dear Chaitanya and Chris, thanks for your response. Transparent proxying is my need to connect my PAM devices' users. I am using a Squid 3.0 precompiled RPM, binding IP with MAC to prevent my users from changing their IP addresses.

Regards.

acid_kewpie 12-19-2012 02:30 AM

Quote:

Originally Posted by gulnawaz (Post 4852508)
Dear Chaitanya and Chris, thanks for your response. Transparent proxying is my need to connect my PAM devices' users. I am using a Squid 3.0 precompiled RPM, binding IP with MAC to prevent my users from changing their IP addresses.

Regards.

Your update doesn't provide any extra relevant information or questions. What kind of further replies are you hoping for?

gulnawaz 12-20-2012 02:52 AM

Dear Chris,

I want to tell you people that I am bound to use a transparent proxy and Squid 3.0 to achieve my required goals. Please guide me on how to get my desired results, i.e. open https sites like Gmail etc.

acid_kewpie 12-20-2012 03:28 AM

The best you can do is configure an https_port with transparency on the server. You'll need to create your own certificate to encrypt the connection. This will mean that when a user connects to gmail.com they will get YOUR certificate, and their browser will complain. When they go to facebook.com, they will get YOUR certificate and their browser will complain. It's a sucky solution. You should take pride in your work and get the requirements and limitations changed. This is not a good solution.

As per this link, you can get it working, but it's crap compared to doing a proper job. http://tektab.com/2012/09/28/squid-t...s-ssl-traffic/

acid_kewpie 12-20-2012 03:35 AM

Actually, there is some progress on this in 3.2 http://wiki.squid-cache.org/Features/DynamicSslCert

linuxlover.chaitanya 12-24-2012 07:17 AM

Quote:

Originally Posted by acid_kewpie (Post 4853531)
Actually, there is some progress on this in 3.2 http://wiki.squid-cache.org/Features/DynamicSslCert

Thanks for the link. This does seem very helpful in certain situations. I personally do not like to proxy https traffic though.

acid_kewpie 12-24-2012 07:31 AM

Quote:

Originally Posted by linuxlover.chaitanya (Post 4856034)
Thanks for the link. This does seem very helpful in certain situations. I personally do not like to proxy https traffic though.

You should DEFINITELY like proxying HTTPS in some ways; why would you possibly not?

gulnawaz 01-03-2013 05:01 AM

Dear Chris, thanks, the link http://tektab.com/2012/09/28/squid-t...s-ssl-traffic/ has done the job. But I am receiving the following error after entering my user name and password for my Gmail and Yahoo email accounts:

Connection to 173.194.70.94 failed
The system returned:(71) Protocol error
the remote host or network may be down. Please try the request again.
Regards.

