Re: [squid-users] HTTPS traffic in normal transparent proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 16 Oct 2008 11:16:53 +1300 (NZDT)

> On ons, 2008-10-15 at 10:23 -0400, viveksnv_at_aol.in wrote:
>> My configuration is...
>>
>> http_port 0.0.0.0:3128 transparent
>>
>> https_port 0.0.0.0:3129 transparent
>> cert=/usr/local/squid-test/CA/servercert.pem
>> key=/usr/local/squid-test/CA/serverkey.pem
>>
>> Iptable rules are:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT
>> --to-port 3129
>>
>> In cache.log
>>
>> Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128,
>> FD 12.
>> Accepting HTTPS connections at 0.0.0.0, port 3129, FD 13
>>
>> In access.log while accessing https://gmail.com
>>
>> TCP_MISS/200 2213 CONNECT gmail.com:443
>
> This is not a transparently intercepted https request. This browser is
> configured to use the proxy.
>
> The https_port method will only work for transparently intercepted
> requests, not when the browser is configured to use the proxy.
>
> For this to work when the browser is configured to use the proxy you
> need the sslbump feature available in the upcoming 3.1 release.

OR... given its only domain-based blocking you want...

 acl gmail dstdomain .gmail.com
 http_access deny CONNECT gmail

... should be catching these for you.

SslBump is only needed to extract deeper headers, path, accurate protocol,
and content information.

Did you happen to change the default config to say "http_access allow
CONNECT SSL_ports" like some unwary people do? That would break standard
ACL control of CONNECT.

Amos
>
>> But problem is now gmail not blocked...
>>
>> In http://gmail.com requests...it's blocked..
>
> CONNECT requests is subject to the same http_access rules as http
> access. If GET http://gmail.com is blocked but CONNECT gmail.com:443 is
> not then check your access rules. A guess without seeing your ruleset is
> that you are using url_regex instead of dstdomain type acls..
>
> Regards
> Henrik
>
Received on Wed Oct 15 2008 - 22:16:57 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 16 2008 - 12:00:04 MDT