LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 12-14-2012, 06:29 AM   #1
gulnawaz
LQ Newbie
 
Registered: Apr 2009
Posts: 15

Rep: Reputation: 0
Transparent Squid https errer


Dear all,

I have configured squid as transparent proxy. But my users can not access the sites having https.
the quick response will highly appreciated.
 
Old 12-14-2012, 06:40 AM   #2
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,629

Rep: Reputation: Disabled
Squid basically is an HTTP proxy and hence it would not be possible to intercept the encrypted HTTPS traffic using Squid. It would defeat the purpose of having an encryption.
I am not sure what you have done here to make Squid work in transparent mode. Logically you should use iptables to redirect all the traffic on port 80 to port 3128 (or any other port on which squid is listening). This should not affect port 443 unless you have redirected the HTTPS content as well. And if you have done that, the HTTPS sites obviously will not work.
 
Old 12-14-2012, 06:40 AM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
do not transparently proxy https. It's really difficiult to get it right, and if you don't appreciate the specific issues involved in proxying SSL encrypted traffic, you'll NEVER get a good solution.

Transparent proxying is NOT the miracle you think it is. configure the clients to explicitly use the proxy, block unproxied web access and have a simple system you can properly understand.
 
Old 12-14-2012, 06:42 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
Quote:
Originally Posted by linuxlover.chaitanya View Post
Squid basically is an HTTP proxy and hence it would not be possible to intercept the encrypted HTTPS traffic using Squid. It would defeat the purpose of having an encryption.
Well it *IS* possible, mostly since Squid 2.6, but it's not just a tick box thing to get going, and is pretty misleading to say it's fully supported. But it's definitely possible with termination and reencryption. If a sysadmin doesn't understand the ins and outs though it's a VERY irresponsible thing to do, including bringing legal issues into the mix.
 
Old 12-19-2012, 12:22 AM   #5
gulnawaz
LQ Newbie
 
Registered: Apr 2009
Posts: 15

Original Poster
Rep: Reputation: 0
Dear Chaitanya and Chris thanks for your response. Transparent proxying is my need to connect my PAM devices users. I am using squid 3.0 precompiled RPM for binding IP with MAC to restrict my users to not change their IP addresses.

Regards.
 
Old 12-19-2012, 03:30 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
Quote:
Originally Posted by gulnawaz View Post
Dear Chaitanya and Chris thanks for your response. Transparent proxying is my need to connect my PAM devices users. I am using squid 3.0 precompiled RPM for binding IP with MAC to restrict my users to not change their IP addresses.

Regards.
your update doesn't provide any extra relevant information or questions. What kind of further replies are you hoping for?
 
Old 12-20-2012, 03:52 AM   #7
gulnawaz
LQ Newbie
 
Registered: Apr 2009
Posts: 15

Original Poster
Rep: Reputation: 0
Dear Chris,

I want tell you peoples that i am bound to use transparent proxy, and squid 3.0 to achieve my required goals. You please guide me how to get my desired results i.e. open https sites like gmail etc.
 
Old 12-20-2012, 04:28 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
The best you can do is configure an https_port with transparency on the server. You'll need to create your own certificate to encrypt the connection. This will mean that when a user connects to gmail.com they will get YOUR certificate, and their browser will complain. when they go to facebook.com, they will get YOUR certificate and their browser will complain. It's a sucky solution. You shoudl take pride in your work and get the requirements and limitations changed. this is not a good solution.

as per this lilnk, you can get it working, but it's crap compared to doing a proper job. http://tektab.com/2012/09/28/squid-t...s-ssl-traffic/

Last edited by acid_kewpie; 12-20-2012 at 04:29 AM.
 
Old 12-20-2012, 04:35 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
Actaully, there is some progress on this in 3.2 http://wiki.squid-cache.org/Features/DynamicSslCert
 
Old 12-24-2012, 08:17 AM   #10
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,629

Rep: Reputation: Disabled
Quote:
Originally Posted by acid_kewpie View Post
Actaully, there is some progress on this in 3.2 http://wiki.squid-cache.org/Features/DynamicSslCert
Thanks for link. This does seem very helpful in certain situations. I personally do not like to proxy https traffic though.
 
Old 12-24-2012, 08:31 AM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
Quote:
Originally Posted by linuxlover.chaitanya View Post
Thanks for link. This does seem very helpful in certain situations. I personally do not like to proxy https traffic though.
you should DEFINITELY like proxying HTTPS in some ways, why would you possibly not?
 
Old 01-03-2013, 06:01 AM   #12
gulnawaz
LQ Newbie
 
Registered: Apr 2009
Posts: 15

Original Poster
Rep: Reputation: 0
Dear Chris thanks the link http://tektab.com/2012/09/28/squid-t...s-ssl-traffic/ has done the job. But i am receiving the following error after entering user name and password for my gmail and yahoo email accounts

Connection to 173.194.70.94 failed
The system returned71) Protocol error
the remote host or network may be down. Please try the request again.
Regard.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Squid: transparent proxy + ssl_bump causing problem in accessing https pages auny87 Linux - Server 0 04-11-2012 08:08 AM
transparent proxy squid: problem with the HTTPS pnguwe Linux - Networking 7 11-22-2011 09:00 AM
Transparent proxy for LAN works, except HTTPS Ulysses_ Linux - Security 1 06-17-2011 11:22 PM
transparent browsing https Ammad Linux - General 3 09-25-2009 06:59 PM
https in transparent proxy DeepY0X Linux - Networking 14 03-09-2009 02:49 PM


All times are GMT -5. The time now is 04:59 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration