12-14-2012, 05:29 AM
|
#1
|
LQ Newbie
Registered: Apr 2009
Posts: 15
Rep:
|
Transparent Squid https error
Dear all,
I have configured Squid as a transparent proxy, but my users cannot access sites that use https.
A quick response will be highly appreciated.
|
|
|
12-14-2012, 05:40 AM
|
#2
|
Senior Member
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,638
Rep: 
|
Squid basically is an HTTP proxy and hence it would not be possible to intercept the encrypted HTTPS traffic using Squid. It would defeat the purpose of having an encryption.
I am not sure what you have done here to make Squid work in transparent mode. Logically you should use iptables to redirect all the traffic on port 80 to port 3128 (or any other port on which squid is listening). This should not affect port 443 unless you have redirected the HTTPS content as well. And if you have done that, the HTTPS sites obviously will not work.
|
|
|
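A way to check for the misconfiguration post #2 describes, as an added example that is not part of the thread: it reads `iptables-save -t nat` output and the Squid listener lines, and reports every REDIRECT rule that catches port 443 along with what the target listener will do with the TLS traffic. The interface name `eth1`, the sample rules, and the function names are assumptions; `http_port ... transparent` is the Squid 3.0 spelling of an intercepting listener.

```python
import re

# Constructed samples (not from the thread): a Squid 3.0-style listener line
# and NAT rules in the format printed by `iptables-save -t nat`.
SQUID_CONF = "http_port 3128 transparent\n"
BROKEN = """\
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
"""
FIXED = "-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128\n"

VERDICT = {
    "https": "TLS interception: clients receive the proxy's certificate",
    "http": "TLS sent to a plain HTTP listener: HTTPS sites fail",
    None: "no Squid listener on this port: HTTPS sites fail",
}

def squid_listeners(conf):
    """Map each listening port to 'http' or 'https' (http_port / https_port)."""
    ports = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(https?)_port\s+(?:\S+:)?(\d+)\b", line)
        if m:
            ports[int(m.group(2))] = m.group(1)
    return ports

def covers(spec, port):
    """True if a --dport/--dports value such as '80,443' or '80:443' includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo or 0)
        high = int(hi or 65535) if sep else low
        if low <= port <= high:
            return True
    return False

def audit_443(conf, rules):
    """List (target_port, verdict) for every REDIRECT rule that catches port 443."""
    listeners = squid_listeners(conf)
    findings = []
    for line in rules.splitlines():
        dp = re.search(r"--dports? (\S+)", line)
        to = re.search(r"-j REDIRECT --to-ports (\d+)", line)
        if dp and to and covers(dp.group(1), 443):
            target = int(to.group(1))
            findings.append((target, VERDICT[listeners.get(target)]))
    return findings

if __name__ == "__main__":
    print(audit_443(SQUID_CONF, BROKEN), audit_443(SQUID_CONF, FIXED))
```

An empty result means port 443 bypasses the proxy untouched, which is the state post #2 recommends for a plain HTTP intercept.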
12-14-2012, 05:40 AM
|
#3
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Do not transparently proxy https. It's really difficult to get it right, and if you don't appreciate the specific issues involved in proxying SSL encrypted traffic, you'll NEVER get a good solution.
Transparent proxying is NOT the miracle you think it is. Configure the clients to explicitly use the proxy, block unproxied web access and have a simple system you can properly understand.
|
|
|
12-14-2012, 05:42 AM
|
#4
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Quote:
Originally Posted by linuxlover.chaitanya
Squid basically is an HTTP proxy and hence it would not be possible to intercept the encrypted HTTPS traffic using Squid. It would defeat the purpose of having an encryption.
|
Well it *IS* possible, mostly since Squid 2.6, but it's not just a tick box thing to get going, and is pretty misleading to say it's fully supported. But it's definitely possible with termination and reencryption. If a sysadmin doesn't understand the ins and outs though it's a VERY irresponsible thing to do, including bringing legal issues into the mix.
|
|
|
12-18-2012, 11:22 PM
|
#5
|
LQ Newbie
Registered: Apr 2009
Posts: 15
Original Poster
Rep:
|
Dear Chaitanya and Chris thanks for your response. Transparent proxying is my need to connect my PAM devices users. I am using squid 3.0 precompiled RPM for binding IP with MAC to restrict my users to not change their IP addresses.
Regards.
|
|
|
12-19-2012, 02:30 AM
|
#6
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Quote:
Originally Posted by gulnawaz
Dear Chaitanya and Chris thanks for your response. Transparent proxying is my need to connect my PAM devices users. I am using squid 3.0 precompiled RPM for binding IP with MAC to restrict my users to not change their IP addresses.
Regards.
|
Your update doesn't provide any extra relevant information or questions. What kind of further replies are you hoping for?
|
|
|
12-20-2012, 02:52 AM
|
#7
|
LQ Newbie
Registered: Apr 2009
Posts: 15
Original Poster
Rep:
|
Dear Chris,
I want to tell you people that I am bound to use a transparent proxy and Squid 3.0 to achieve my required goals. Please guide me on how to get my desired results, i.e. open https sites like gmail etc.
|
|
|
12-20-2012, 03:28 AM
|
#8
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
The best you can do is configure an https_port with transparency on the server. You'll need to create your own certificate to encrypt the connection. This will mean that when a user connects to gmail.com they will get YOUR certificate, and their browser will complain. When they go to facebook.com, they will get YOUR certificate and their browser will complain. It's a sucky solution. You should take pride in your work and get the requirements and limitations changed. This is not a good solution.
As per this link, you can get it working, but it's crap compared to doing a proper job. http://tektab.com/2012/09/28/squid-t...s-ssl-traffic/
Last edited by acid_kewpie; 12-20-2012 at 03:29 AM.
|
|
|
12-20-2012, 03:35 AM
|
#9
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
|
|
|
12-24-2012, 07:17 AM
|
#10
|
Senior Member
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,638
Rep: 
|
Quote:
Originally Posted by acid_kewpie
|
Thanks for the link. This does seem very helpful in certain situations. I personally do not like to proxy https traffic though.
|
|
|
12-24-2012, 07:31 AM
|
#11
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Quote:
Originally Posted by linuxlover.chaitanya
Thanks for the link. This does seem very helpful in certain situations. I personally do not like to proxy https traffic though.
|
You should DEFINITELY like proxying HTTPS in some ways, why would you possibly not?
|
|
|
01-03-2013, 05:01 AM
|
#12
|
LQ Newbie
Registered: Apr 2009
Posts: 15
Original Poster
Rep:
|
Dear Chris, thanks, the link http://tektab.com/2012/09/28/squid-t...s-ssl-traffic/ has done the job. But I am receiving the following error after entering the user name and password for my Gmail and Yahoo email accounts:
Connection to 173.194.70.94 failed
The system returned: (71) Protocol error
the remote host or network may be down. Please try the request again.
Regards.
|
|
|