LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 04-28-2009, 02:55 AM   #1
marcusaureliusbrutus
LQ Newbie
 
Registered: Apr 2009
Posts: 7

Rep: Reputation: 0
https with Squid


Hi. I have a Squid transparent proxy server running in the network whose function is to filter web traffic, including https. Before anything else, I just wish to say that I have already made an extensive search regarding my problem on the web, but to no avail. My problem involves https. My Squid server can filter http but not https. Below are additional data for your perusal.

Configured Squid to listen on port 3128, 80, 8080, and even 443;

http_port 80
http_port 8080
http_port 3128
http_port 443

* I have added and removed http_port 443 but it doesn't work (I was testing)

Configured iptables to forward ports 80, 8080, 443 to 3128

:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 3128
-A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
COMMIT

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
COMMIT

* I have omitted some entries above


SCENARIO:

I. Using IE7, enabled the proxy in LAN settings using port 443, 80 or 8080

---> The result is successful; specified http and https sites are blocked (e.g. https://kproxy.com)

II. Configuring the Cisco router to forward TCP packets with port numbers 80 and 443 to my Squid server.

---> The result is a failure; http sites are blocked but not https sites.


I have verified that my router is indeed forwarding 443 and, if there is any doubt, I even configured the router to forward ALL IP packets to my Squid, even ICMP, but with the same failed result.


I would really appreciate any help on this guys.

Thanks.

Regards
 
Old 04-28-2009, 03:43 AM   #2
chitambira
Member
 
Registered: Oct 2008
Location: Online
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
Squid only supports being a transparent cache for HTTP, and not SSL, FTP or anything else. You can forward whatever ports you like towards your Squid cache, but only HTTP will be understood and proxied for you.
Bottom line: Squid does not support transparent proxying of SSL.
 
Old 04-28-2009, 04:06 AM   #3
marcusaureliusbrutus
LQ Newbie
 
Registered: Apr 2009
Posts: 7

Original Poster
Rep: Reputation: 0
Hi Chitambira,

Thank you for your prompt reply. What type of proxy should I configure to allow https along with http?

Thanks.
 
Old 04-28-2009, 04:31 AM   #4
chitambira
Member
 
Registered: Oct 2008
Location: Online
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
This is how the proxy works in terms of HTTPS:
For HTTPS traffic, Proxies implement a special HTTP method: CONNECT, documented in RFC 2817. On receipt of a CONNECT request, the proxy opens a TCP connection to a specified remote server and then simply passes data between the client browser and the remote server without modifying it. The client browser simply transmits its TLS data to the proxy for onward transmission to the remote server. While the proxy has access to all the data, it only sees the encrypted data stream and can do nothing with it. While this is a good thing from a security point of view it also means that none of the (SSL'ed) data can be cached. This is the reason why HTTPS is difficult to proxy.

However, you can still proxy HTTPS by building a CA into your proxy server and tweaking a few things (although this is not a good idea).
Check: http://offog.org/ideas/https-proxying.html
 
Old 04-28-2009, 06:03 AM   #5
marcusaureliusbrutus
LQ Newbie
 
Registered: Apr 2009
Posts: 7

Original Poster
Rep: Reputation: 0
Hi,

Thanks for the explanation and the link. I have a question though. If I deny CONNECT SSL, shouldn't that preempt any https attempts from any client even though I am running Squid as a transparent proxy? I am a bit confused. iptables is configured to forward port 443 packets to 3128, and if there is a deny CONNECT SSL rule then the SSL connection will never be forwarded. But even if I deny CONNECT SSL, https still goes through. What is really baffling is that if I manually configure the proxy in the browser pointing to my Squid, even using port 443 in the proxy settings, https is denied. But when I forward it using my router, it isn't. Isn't it just the same? I mean, configuring the browser for a proxy basically alters the header of the packet to point to the Squid IP address with the corresponding port configured, which is exactly the same as if I typed https://kproxy.com in the address box of the browser. I may be mistaken. Do you think using SquidGuard would make any difference?

Thanks again.
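The difference between the two scenarios compared in this thread (a browser configured with an explicit proxy, which sends the RFC 2817 CONNECT request described in post #4, versus a router-level redirect, which delivers the raw TLS handshake), as an added Python example that is not code from the thread or from Squid. The sample byte streams and the kproxy.com host are constructed for illustration.

```python
# Added example, not code from the thread or from Squid: models the first bytes a
# proxy reads on an accepted connection in the two scenarios the poster compared.
import re

# RFC 2817 CONNECT request line, sent by a browser with an explicit proxy configured.
CONNECT_RE = re.compile(rb"^CONNECT (?P<host>[^\s:]+):(?P<port>\d+) HTTP/1\.[01]\r\n")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Constructed sample streams (not captured traffic).
CONNECT_SAMPLE = b"CONNECT kproxy.com:443 HTTP/1.1\r\nHost: kproxy.com:443\r\n\r\n"
HTTP_SAMPLE = b"GET http://kproxy.com/ HTTP/1.1\r\nHost: kproxy.com\r\n\r\n"
# Start of a TLS record: type 0x16 (handshake), version 3.1, 2-byte length, then a
# ClientHello (handshake type 0x01). This is what a transparent redirect delivers.
TLS_SAMPLE = b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c\x03\x03" + b"\x00" * 32

def classify_first_bytes(data: bytes) -> dict:
    """Say what kind of stream the proxy is looking at."""
    m = CONNECT_RE.match(data)
    if m:
        return {"kind": "connect", "host": m["host"].decode(), "port": int(m["port"])}
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return {"kind": "tls_client_hello"}
    if data.startswith(HTTP_METHODS):
        return {"kind": "http"}
    return {"kind": "unknown"}

def proxy_decision(data: bytes, deny_connect: bool = True) -> str:
    """Outcome for an HTTP-only proxy that carries a 'deny CONNECT' rule."""
    info = classify_first_bytes(data)
    if info["kind"] == "connect":
        # Only here is there a CONNECT request for an ACL to match.
        return "deny" if deny_connect else f"tunnel to {info['host']}:{info['port']}"
    if info["kind"] == "http":
        return "proxy_http_request"
    # A raw ClientHello is not an HTTP request: neither a CONNECT ACL nor a URL
    # filter can match it, so the proxy has no request to which a rule applies.
    return "no_http_request"

if __name__ == "__main__":
    for label, sample in [("explicit proxy", CONNECT_SAMPLE),
                          ("transparent redirect", TLS_SAMPLE),
                          ("plain http", HTTP_SAMPLE)]:
        print(f"{label:22s} -> {classify_first_bytes(sample)['kind']:18s} "
              f"{proxy_decision(sample)}")
```

The explicit-proxy stream is the only one in which a "deny CONNECT" rule has anything to match; on the redirected stream the proxy never sees an HTTP request at all, which is why the same ACL has no effect there.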
 