[SOLVED] content filter and then bypass https with Squid3
I was wondering if it is possible to perform the following with https requests:
1) using squid, perform content filtering using squidguard (meaning allow or block the website)
2) If it is allowed, bypass squid and let the https connection move along without interference
The reason I want to do this is because I would like to bypass the https traffic from squid in order to avoid the fuss of proxying https but at the same time not lose the content filtering
how can you possibly filter content with a service you are not using?!?!
Hello again acid_kewpie
As you can tell I am still messing around with squid and https ... well I was just trying to see if there is any "patent" that can be done.
For instance if squid could perform content filtering..some sort of firewalling a requested URL and if not in blacklist let it pass through...but as far as I understood from your reply my thought is not even logical ... rofl...
One last question
A friend of mine told me, which could be just silly rumors, that PFsense could successfully block any http/https traffic as well as handling properly https connections. Meaning that the user could type..for example, facebook.com and could access the site normally, and if you added facebook as black list it would then block it.
handling properly? what does that mean? PFsense uses squid for web proxying, so there's no special feature in that distro.
What you seem to be defining there is just straightforward ACL config.
I "partially" found my problem & solution
Squid3 can handle https by creating tunnels with the CONNECT method. When I opened the SSL port on my firewall and added the below (which in most cases is a default) it all worked flawlessly (it also blocks https sites from squidguard imports)!
The reason the https CONNECT method was not working was/is because squid3 is "chained" with ziproxy. Squid3 forwards requests to ziproxy so I can have both content filtering and compression, hence my new challenge now is how to make this CONNECT method of squid3 work with ziproxy!
you can't. Read up (as I've previously urged you to) about what the CONNECT method is. It permits an encrypted tunnel between the browser and the end server meaning you can not filter the content.
Last edited by acid_kewpie; 10-23-2013 at 06:44 AM.
Hi acid
I think I am using the wrong terminology since the beginning of the thread.
When I said content filtering I meant the service of squidguard, meaning the service where you filter which URLs should pass from the proxy.
the HOST is all that comes through a CONNECT method. You can filter the site as a whole, but you can't filter the PATH section of the URI, only the HOST.
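The point made in the post above, as an added example that is not part of the original thread and is not squidGuard's code: a minimal host/URL filter showing that a CONNECT request gives the proxy only a host and port, so path rules can apply only to plain HTTP requests. The function names, blocklist entries and sample request lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed blocklist entries (illustrative only, not from the thread).
BLOCKED_HOSTS = {"blocked.example"}
BLOCKED_URL_PREFIXES = {"news.example/games/"}


def filter_target(request_line):
    """Return (host, path) as a forward proxy sees them; path is None for CONNECT."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # CONNECT carries only host:port; the rest travels inside the TLS tunnel.
        host, _, _port = target.rpartition(":")
        return host.strip("[]").lower(), None
    parts = urlsplit(target)  # plain HTTP via a proxy uses an absolute URI
    return (parts.hostname or "").lower(), parts.path or "/"


def host_blocked(host):
    """Match the host or any parent domain against the host blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_HOSTS for i in range(len(labels)))


def decide(request_line):
    """Return 'deny' or 'allow' for one proxy request line."""
    host, path = filter_target(request_line)
    if host_blocked(host):
        return "deny"
    if path is not None:
        url = host + path
        if any(url.startswith(prefix) for prefix in BLOCKED_URL_PREFIXES):
            return "deny"
    # For CONNECT no path rule can be evaluated: only the host was checked.
    return "allow"


# Constructed sample request lines.
SAMPLES = [
    "CONNECT www.blocked.example:443 HTTP/1.1",
    "CONNECT news.example:443 HTTP/1.1",
    "GET http://news.example/games/play HTTP/1.1",
    "GET http://news.example/world HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{decide(line):5}  {line}")
```

The second sample is allowed even though a path rule exists for that host, because the path never reaches the proxy over CONNECT.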
do you know if it is possible to configure squid to use chain/request from ziproxy only for non-ssl pages (HTTP) and use CONNECT method without using ziproxy for HTTPS pages?
Thanks
Found it! I had to enter the below on my config file:
Thanks for the assistance
But how can you block any https site? You already allow https requests, as I am seeing. #http_access allow CONNECT SSL_ports
+++++++++++++
Imtiaz
+++++++++++++
Hi Imtiaz
I am allowing https connections but prior to that I am using squidguard to determine if the URL is in the blacklist; if it is, then it won't get through