LinuxQuestions.org - Should/Shoudn't proxy https while transparent proxy

Hi..LinuxGuru,
I am working as Linux Administrator and have to setup squid proxy server in our office. So I googled and could successfully configured the transparent squid3 proxy with this help in personal(home) PC and tested with another PC by connecting cross cable and found everything(http, https, ftp and mail clients) are working fine without browser settings.
But If I do
tail -f /var/log/squid3/access.log
I am getting logs about only http sites but not for https. But if I do browser settings in the client PC then I can see as CONNECT 443 request.
So I just want to clarify these
should I proxy https while transparent proxy setup?
or
should I not proxy https while transparent proxy setup?

Since port 443 is secure, I don't want to proxy https and would like to forward all of 443 request to internet directly. So please help me how can I do with iptables to forward all 443 request that is coming from LAN PCs to internet directly.

Here is my setup.

Code:

proxy server: Ubuntu-11.10(DNS, DHCP and squid3)

internet eth1

IP      192.168.1.2/24

Gateway 192.168.1.1



cat /etc/resolv.conf

search ourinternaldomain.com

nameserver 192.168.0.1



/etc/bind/named.conf.options file is having 192.168.1.1 in the forwarders section



LAN eth0

192.168.0.1/24





Client

IP      192.168.0.100/24

Gateway 192.168.0.1

DNS    192.168.0.1

IPTables rules

Code:

#iptables -L

Chain INPUT (policy DROP)

target    prot opt source              destination        

ACCEPT    all  --  anywhere            anywhere            

ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED 

ACCEPT    all  --  anywhere            anywhere            

LOG        all  --  anywhere            anywhere            LOG level warning 

DROP      all  --  anywhere            anywhere            



Chain FORWARD (policy ACCEPT)

target    prot opt source              destination        

ACCEPT    all  --  anywhere            anywhere            



Chain OUTPUT (policy ACCEPT)

target    prot opt source              destination        

ACCEPT    all  --  anywhere            anywhere            

ACCEPT    all  --  anywhere            anywhere  



#iptables -L -t nat

Chain PREROUTING (policy ACCEPT)

target    prot opt source              destination        

DNAT      tcp  --  anywhere            anywhere            tcp dpt:www to:192.168.0.1:3128 

REDIRECT  tcp  --  anywhere            anywhere            tcp dpt:www redir ports 3128 



Chain INPUT (policy ACCEPT)

target    prot opt source              destination        



Chain OUTPUT (policy ACCEPT)

target    prot opt source              destination        



Chain POSTROUTING (policy ACCEPT)

target    prot opt source              destination        

MASQUERADE  all  --  anywhere            anywhere 



#iptables -L -t mangle

Chain PREROUTING (policy ACCEPT)

target    prot opt source              destination        



Chain INPUT (policy ACCEPT)

target    prot opt source              destination        



Chain FORWARD (policy ACCEPT)

target    prot opt source              destination        



Chain OUTPUT (policy ACCEPT)

target    prot opt source              destination        



Chain POSTROUTING (policy ACCEPT)

target    prot opt source              destination

squid.conf file as below, Please clarify that it should be commented out or not for Safe_ports 443 and SSL 443

Code:

#grep -v "^#" /etc/squid3/squid.conf | sed -e '/^$/d'

acl manager proto cache_object

acl localhost src 127.0.0.1/32 ::1

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443        # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210        # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280        # http-mgmt

acl Safe_ports port 488        # gss-http

acl Safe_ports port 591        # filemaker

acl Safe_ports port 777        # multiling http

acl CONNECT method CONNECT

acl denied_sites dstdomain "/etc/squid3/.denied_sites"

http_access deny denied_sites

acl my_lan src 192.168.0.1/24

http_access allow my_lan

http_access allow manager localhost

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost

http_access deny all

icp_access allow all

http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

cache_mem 512 MB

cache_dir ufs /var/spool/squid3 20000 16 256

access_log /var/log/squid3/access.log squid

cache_log /var/log/squid3/cache.log

coredump_dir /var/spool/squid3

refresh_pattern ^ftp:          1440    20%    10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0    0%      0

refresh_pattern .              0      20%    4320

So please guide me how to setup transparent squid3 proxy as that https sites should not proxy and it should directly connect to internet and we should not get any https logs even if we do browser settings in client PC.