Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am having problems with squid. I am using squid as a transparent proxy where I specify the proxy server and port 3128 on my internet browser. I am able to block http sites effectively, but when it's an https site then it doesn't work. It used to work before, but now it suddenly doesn't.
You can't block https with a transparent proxy by hostname, as the hostname is never seen by the proxy in the first instance. You could only block by IP.
Transparent proxies are rubbish. They always seem good at the start, but they are rubbish. Make it proxy data correctly and you'll be fine.
Transparent proxy and https don't go together, it just doesn't work: http://tldp.org/HOWTO/TransparentProxy-2.html#ss2.3. If you want to use Squid with https you'll have to go with the 'normal' proxy and, moreover, you have to compile Squid with -enable-ssl because the packages installable by package managers don't come with SSL enabled as standard.
As I already said, you can't transparent proxy http, as there is no mention of the website being connected to until after the secure connection is established. So unless you terminate and re-encrypt the traffic on the proxy, as per EricTRA's comment, there's no way for squid to ever know what site you're trying to connect to. If instead you do a direct proxy connection that the browser is aware of, it will send a "CONNECT www.domain.com:443" request to the proxy asking for a connection to the website, which *can* be filtered just fine.
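A squid.conf fragment, added here as an illustration and not taken from any post in this thread, showing the explicit-proxy setup acid_kewpie describes: the browser's CONNECT request carries the hostname, so a dstdomain ACL filters https destinations the same way it filters http ones. The domain names and the LAN range are placeholders.

```squid
# Added example: explicit (non-transparent) Squid listener on 3128, the port
# the browser in this thread is already pointed at. Domain names and the LAN
# range below are placeholders, not values from the thread.
http_port 3128

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443 21
acl CONNECT method CONNECT

# HTTPS through an explicit proxy arrives as "CONNECT host:443"; the host
# name is in that request line, so dstdomain matches both http:// URLs and
# CONNECT tunnels. The leading dot also matches subdomains.
acl blocked_sites dstdomain .example.com .example.net

# Tunnels are only permitted to port 443; other CONNECT targets are refused.
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports

# Evaluated before the allow rule, so a blocked name is refused whether it
# comes in as a plain http request or as a CONNECT tunnel.
http_access deny blocked_sites
http_access allow localnet
http_access deny all
```

With http_port set to intercept mode instead, the CONNECT line never exists and blocked_sites would have nothing to match for https, which is the failure described above.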
Thanks acid_kewpie. If I use squid in intercept mode, wherein my squid box would have two NICs, one connected inside and the other outside, would this be an effective method of filtering http, https, ftp, p2p traffic? If not, could you recommend a more easily managed system to replace the squid?
You seem to keep asking the same question, and I seem to keep answering it. Your "problems" are with the HTTPS protocol, not your choice of software. Squid is an http proxy, and is very good for http/https/ftp. For p2p etc... it's not applicable.
I hope you are as tough in real life as your replies. You see, you keep on telling me what the squid can't do and I keep on asking you, what are my alternatives. You can't seem to offer me any. Why don't you just say you don't know. In your original reply where you said transparent proxies are rubbish, you never said exactly what isn't rubbish.
Squid is not rubbish, it's by far the most prolific web proxy in the history of the internet. It's how you're using it, in a transparent mode, that is rubbish. I'm not offering you alternatives because you don't need alternatives, you need to use squid better.
If you want to use transparent proxy, then where is the use of proxy going to since it has no extras to offer, no HTTPS, no authentication, just 'hiding' the fact that you have a proxy and cache and accelerate things.
If you really do want a transparent proxy, for whatever your reasons are, you can have a look at this: Howto 1, Howto 2
but don't use HTTPS in the same sentence with transparent proxy.
Just follow the advice already given and use Squid better.
Off topic a bit, I'd never seen a mechanism to do auth on transparent proxies either, but where I currently work does do this. Whatever bits of tin they are using spoof an HTTP connection as the desired domain, and demand authentication credentials apparently from that site, but with a description of "internet_authentication". Bit ugly and you end up having stored passwords for each site that you first connect to without a session (and it is of course a bog standard IP based session with timeout, no clever cookie interception possible I don't think). It's fairly ugly and you need to be careful how you use it, but at least once I authenticate in firefox, my tor and yum connections also get permitted through the proxies without configuring them, so that's something of a win.
Wow, that's a first for me. Didn't know that one. But it seems that they at least have to set up some security, since on HTTP you can have man-in-the-middle issues very easily. But then again, if they had a need for it, coded it and use it, who am I to point a finger.
Well I would think it's there for people who think that transparency is a good thing.... I was certainly there a few years back, but realised I was wrong before putting the money down. I would doubt that whilst pre-sales would love it, the developers of whatever product it is would not be so boastful after being forced to give in and code a hack as a feature.