LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 10-09-2013, 06:29 AM   #1
tripialos
Member
 
Registered: Apr 2012
Posts: 169

how to deal with https with squid3 proxy


Greetings

I am facing an issue here and I am a bit confused.

I have set up a web proxy server using squid3. All works well apart from the fact that HTTPS pages cannot be displayed. After some googling I found out that in order to proxy HTTPS requests you have to do some sort of MITM implementation, which is too much fuss.

Is there a way to just forward the HTTPS requests to their destination without any interference by squid3?

I mean, how do all the other web proxies in the world deal with this HTTPS issue?

Thanks
 
Old 10-09-2013, 06:49 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

What you appear to want is the default behaviour for squid:

http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid

the entry
Code:
http_access deny CONNECT !SSL_ports
says that if you are not on an SSL port (e.g. 443 by default) then you can not use the HTTP CONNECT method, which is how a client requests HTTPS access to a remote site explicitly from a proxy. The later line
Code:
http_access allow localnet
would then permit that access if you ARE requesting a CONNECT on port 443 from an IP address defined in the localnet ACL.

The most likely reason that springs to mind for why you might be having trouble is if you're trying to use squid transparently? If so, it's much much harder, hence the mitm stuff. Don't do it transparently if you can avoid it.

Last edited by acid_kewpie; 10-09-2013 at 06:51 AM.
 
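The two lines quoted above are evaluated first-match, so their order is the whole point: a LAN browser's "CONNECT host:443" falls through the deny line (443 is in SSL_ports) and is then allowed by "allow localnet", while a CONNECT to any other port is refused before the allow line is ever reached. Because the browser names the destination in the CONNECT request line, an explicit proxy can apply a hostname blacklist to HTTPS without decrypting anything. The JavaScript below is an added example, not code from the thread or from squid: a small first-match evaluator for squid-style http_access lists, run over a few constructed request lines, which also shows what happens when the two lines are swapped. The ACL names are the ones in the stock squid.conf; the subnet 192.168.1.0/24, the client addresses and the hostnames are assumptions, and the stock Safe_ports / "deny !Safe_ports" pair is left out to keep the example short.

```javascript
// Added example (not from the thread, not squid code): a first-match
// evaluator for squid-style http_access rules, showing why the stock order
//   http_access deny CONNECT !SSL_ports
//   http_access allow localnet
//   http_access deny all
// lets a LAN browser tunnel HTTPS with "CONNECT host:443" but refuses
// CONNECT to every other port. Subnet, client addresses and hostnames are
// constructed; the ACL names match the stock squid.conf.

// acl SSL_ports port 443 / acl localnet src ... / acl CONNECT method CONNECT / acl all src all
const ACLS = {
  SSL_ports: { type: "port",   values: [443] },
  localnet:  { type: "src",    values: ["192.168.1.0/24"] },   // assumed LAN
  CONNECT:   { type: "method", values: ["CONNECT"] },
  all:       { type: "src",    values: ["0.0.0.0/0"] },
};

// http_access lines in squid.conf order. Every ACL on a line must match
// (AND); the first matching line decides.
const HTTP_ACCESS = [
  { action: "deny",  acls: ["CONNECT", "!SSL_ports"] },
  { action: "allow", acls: ["localnet"] },
  { action: "deny",  acls: ["all"] },
];

// The classic mistake: with "allow localnet" first, every request from the
// LAN matches that line, CONNECT to arbitrary ports included, and squid
// becomes an open TCP tunnel for LAN clients.
const MISORDERED = [HTTP_ACCESS[1], HTTP_ACCESS[0], HTTP_ACCESS[2]];

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [net, prefix] = cidr.split("/");
  const bits = Number(prefix);
  if (bits === 0) return true;                       // 0.0.0.0/0 matches everything
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Does one ACL reference (optionally negated with "!") match the request?
function aclMatches(name, req) {
  const negate = name.startsWith("!");
  const acl = ACLS[negate ? name.slice(1) : name];
  if (!acl) throw new Error("undefined acl " + name);
  let hit;
  switch (acl.type) {
    case "port":   hit = acl.values.includes(req.port); break;
    case "src":    hit = acl.values.some((cidr) => inCidr(req.src, cidr)); break;
    case "method": hit = acl.values.includes(req.method); break;
  }
  return negate ? !hit : hit;
}

// First matching line wins. If nothing matches, squid applies the opposite
// of the last line's action, so the list should always end in "deny all".
function httpAccess(req, rules = HTTP_ACCESS) {
  for (const rule of rules) {
    if (rule.acls.every((name) => aclMatches(name, req))) return rule.action;
  }
  const last = rules[rules.length - 1];
  return last.action === "allow" ? "deny" : "allow";
}

// Parse the request line a browser sends to an explicit proxy. For HTTPS it
// is "CONNECT host:port HTTP/1.1": the hostname is visible to the proxy
// before any TLS, which is what lets a blacklist work without MITM.
function parseRequest(src, requestLine) {
  const [method, target] = requestLine.split(" ");
  if (method === "CONNECT") {
    const [host, port] = target.split(":");
    return { src, method, host, port: Number(port) };
  }
  const u = new URL(target);                         // plain HTTP uses an absolute URL
  const port = Number(u.port) || (u.protocol === "https:" ? 443 : 80);
  return { src, method, host: u.hostname, port };
}

// Constructed sample requests (source address, request line).
const SAMPLES = [
  ["192.168.1.10", "CONNECT www.example.com:443 HTTP/1.1"], // LAN, SSL port
  ["192.168.1.10", "CONNECT mail.example.com:25 HTTP/1.1"], // LAN, not an SSL port
  ["192.168.1.10", "GET http://www.example.com/ HTTP/1.1"], // LAN, plain HTTP
  ["203.0.113.5",  "CONNECT www.example.com:443 HTTP/1.1"], // not localnet
];

function decisions(rules = HTTP_ACCESS) {
  return SAMPLES.map(([src, line]) => httpAccess(parseRequest(src, line), rules));
}

console.log("stock order:", decisions(HTTP_ACCESS).join(" "));
console.log("misordered: ", decisions(MISORDERED).join(" "));
```

With the stock order the four samples come out allow, deny, allow, deny; with the swapped order the CONNECT to port 25 from the LAN is allowed as well. Swapping the lines is easy to do by accident when pasting an "allow localnet" near the top of squid.conf, and squid's access log will not flag it, so checking the http_access order is worth a minute on any proxy that fronts a LAN.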
Old 10-10-2013, 03:27 AM   #3
tripialos
Member
 
Registered: Apr 2012
Posts: 169

Original Poster
Quote:
Originally Posted by acid_kewpie View Post
What you appear to want is the default behaviour for squid:

http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid

the entry
Code:
http_access deny CONNECT !SSL_ports
says that if you are not on an SSL port (e.g. 443 by default) then you can not use the HTTP CONNECT method, which is how a client requests HTTPS access to a remote site explicitly from a proxy. The later line
Code:
http_access allow localnet
would then permit that access if you ARE requesting a CONNECT on port 443 from an IP address defined in the localnet ACL.

The most likely reason that springs to mind for why you might be having trouble is if you're trying to use squid transparently? If so, it's much much harder, hence the mitm stuff. Don't do it transparently if you can avoid it.
Thanks, acid.

I do get your point, but what I am thinking of doing is slightly more complicated. I wouldn't mind a tough solution, but at least I am trying to find one.


I have:

Code:
---------------LAN-----------------
| clients |---------->| Mikrotik |----------->| Linux-Squid server |



Mikrotik works as the gateway and as a transparent proxy for the clients. It is configured to use the Linux-squid as a proxy.

My problem is that squid does the content filtering, hence if I set Mikrotik to bypass HTTPS and not forward those connections then I will lose the content filtering on the HTTPS pages.

Any help would be really much appreciated!

Last edited by tripialos; 10-10-2013 at 03:47 AM.
 
Old 10-10-2013, 04:02 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Well, there's the "t" word, as feared... but you have... two proxies here? Whatever the router can do is transparent but squid is not? That sounds messy. Is the router proxying, or just redirecting the raw TCP traffic?

Ditch transparency and everything will get MUCH easier and nicer and simpler. If you have issues about configuring clients to explicitly use a proxy, then there are plenty of centralised options available like a proxy.pac or wpad.dat file hosted on an internal web server.
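A proxy.pac is the usual way to make a whole LAN use the proxy explicitly, and it is also what makes HTTPS filtering work without MITM: the browser evaluates FindProxyForURL for https:// URLs too and, when the answer is a PROXY, opens a CONNECT to it, so squid sees the hostname. The file below is an added example, not from the thread and not from any squid or Mikrotik documentation; the proxy address 198.51.100.20:3128, the internal domain lan.example and the DNS table are assumptions. The browser's PAC engine supplies isPlainHostName, shExpMatch, dnsResolve and isInNet; the stand-ins here are written so that they are only used when those are absent (for example when checking the file under Node) and never replace the real ones.

```javascript
// Added example, not from the thread: a proxy.pac that routes all external
// http:// and https:// traffic through squid and keeps LAN traffic direct.
// The proxy address, the internal domain and the DNS table are constructed.
var SQUID = "PROXY 198.51.100.20:3128";     // assumed: squid on the WAN side, port 3128
var INTERNAL_DOMAIN = "*.lan.example";      // assumed internal DNS suffix

// Constructed DNS table, consulted only by the stand-in dnsResolve below.
var FAKE_DNS = {
  "www.example.com": "93.184.216.34",
  "intranet.lan.example": "192.168.1.20",
  "fileserver": "192.168.1.40"
};

// Stand-ins for the PAC built-ins. A var declaration never clears an existing
// global, so inside a browser's PAC engine "typeof isInNet" is "function" and
// the real implementation is kept; under Node the fallback is used instead.
var isPlainHostName = typeof isPlainHostName === "function" ? isPlainHostName :
  function (host) { return host.indexOf(".") === -1; };

var shExpMatch = typeof shExpMatch === "function" ? shExpMatch :
  function (str, shexp) {
    // Shell glob to anchored regex: escape metacharacters, then map * and ?.
    var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };

var dnsResolve = typeof dnsResolve === "function" ? dnsResolve :
  function (host) {
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;   // IP literal
    return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
  };

var isInNet = typeof isInNet === "function" ? isInNet :
  function (ip, net, mask) {
    var toInt = function (s) {
      var p = s.split(".");
      return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0)) >>> 0;
    };
    var m = toInt(mask);
    return ((toInt(ip) & m) >>> 0) === ((toInt(net) & m) >>> 0);
  };

function FindProxyForURL(url, host) {
  // Match on host, not url: for https:// browsers may pass only scheme and host.
  // Names without a dot are LAN hosts and never leave the network.
  if (isPlainHostName(host)) return "DIRECT";
  // Anything under the internal domain stays inside too.
  if (shExpMatch(host, INTERNAL_DOMAIN)) return "DIRECT";
  // Private address space is not reachable through a WAN-side proxy anyway.
  // Resolve only after the cheap checks: dnsResolve costs a lookup per URL.
  var ip = dnsResolve(host);
  if (ip && (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
             isInNet(ip, "172.16.0.0", "255.240.0.0") ||
             isInNet(ip, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Everything else goes through squid. For https:// URLs the browser then
  // sends "CONNECT host:443" to squid, which is where the blacklist applies.
  // Deliberately no "; DIRECT" fallback: if the filter is down, browsing
  // fails closed instead of silently bypassing it.
  return SQUID;
}
```

Two points a practitioner will want alongside this. First, the file has no "; DIRECT" fallback after the proxy, so a failed proxy means no browsing rather than unfiltered browsing; back that up with a router rule so that clients cannot reach ports 80 and 443 on the Internet directly, otherwise anyone who clears the proxy setting walks around the filter. Second, if the file is handed out by WPAD auto-discovery instead of a URL configured on the clients, whoever can answer the "wpad" name on the LAN can hand out a PAC of their own, so prefer pushing the explicit URL to clients where you control them.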
 
Old 10-10-2013, 06:11 AM   #5
tripialos
Member
 
Registered: Apr 2012
Posts: 169

Original Poster
Quote:
Originally Posted by acid_kewpie View Post
Well, there's the "t" word, as feared... but you have... two proxies here? Whatever the router can do is transparent but squid is not? That sounds messy. Is the router proxying, or just redirecting the raw TCP traffic?

Ditch transparency and everything will get MUCH easier and nicer and simpler. If you have issues about configuring clients to explicitly use a proxy, then there are plenty of centralised options available like a proxy.pac or wpad.dat file hosted on an internal web server.
The router and the clients are on the same LAN; the Linux Squid proxy is on the WAN.
Yes, the router is configured to proxy with the Squid proxy as its parent. The reason I used the router (apart from the fact that it performs the hotspot functions) is so I can do the proxying transparently... I mean, how could I provide transparent proxying if my proxy is outside the LAN where the clients reside?

So, I proxy all the traffic from the LAN towards the squid server and from there I do content filtering, but if I set the router to bypass HTTPS then I don't have content filtering.

Now that I am thinking of it again... there isn't any solution to this, is there?
 
Old 10-10-2013, 06:20 AM   #6
cospengle
Member
 
Registered: Feb 2008
Location: Armidale, NSW, Australia
Distribution: Fedora 8
Posts: 32

Quote:
Originally Posted by tripialos View Post
...there isn't any solution to this, is there?
No, there isn't. If you want to analyse the content of HTTPS traffic, you must be able to decrypt it - which of course involves proxying the SSL component (MITM).
 
Old 10-10-2013, 06:28 AM   #7
tripialos
Member
 
Registered: Apr 2012
Posts: 169

Original Poster
Quote:
Originally Posted by cospengle View Post
No, there isn't. If you want to analyse the content of HTTPS traffic, you must be able to decrypt it - which of course involves proxying the SSL component (MITM).
Well... I am not actually going to do anything with the content; it's just that squid uses blacklists in order to block specific pages.
 
Old 10-10-2013, 08:53 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Yes there is a solution. Stop doing things transparently. Or do an ugly MITM thing. They are both genuine solutions.

You ARE doing things with the content, HTTP headers ARE content here.
 
Old 10-10-2013, 09:11 AM   #9
tripialos
Member
 
Registered: Apr 2012
Posts: 169

Original Poster
Quote:
Originally Posted by acid_kewpie View Post
Yes there is a solution. Stop doing things transparently. Or do an ugly MITM thing. They are both genuine solutions.

You ARE doing things with the content, HTTP headers ARE content here.
Yes, you are right... I assume you mean configure the clients to use the squid proxy, correct?
 
Old 10-10-2013, 09:57 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Quote:
Originally Posted by tripialos View Post
Yes, you are right... I assume you mean configure the clients to use the squid proxy, correct?
Yes, but as above there are ways to simplify this considerably if you have a lot of clients.
 
Old 10-11-2013, 01:46 AM   #11
tripialos
Member
 
Registered: Apr 2012
Posts: 169

Original Poster
Quote:
Originally Posted by acid_kewpie View Post
yes, but as above there are ways to simplify this considerably if you have a lot of clients.
Thanks for the "consulting" acid_kewpie!
 
  

