HTTPS proxy working in non-transparent mode, failing in transparent mode

David Salisbury
I've got an install of Squid that I'm trying to get running as an HTTP
and HTTPS proxy.  I've got some Squid experience, but up to this point
only using it as an HTTP proxy (transparent, in that case).

I've gotten the HTTPS portion of the proxy working, if I run it in
non-transparent mode; the HTTP portion is working as well.  I've
installed the appropriate CA cert on the client machine I'm testing
with, and have pointed the browser of the client machine to the IP and
port of the Squid proxy.  Both HTTP and HTTPS work well, and I can
successfully use Squid's ACL functions to whitelist and blacklist
certain sites.

BUT, my ultimate goal is transparent mode for the HTTP and HTTPS
proxying, and as soon as I put Squid in transparent mode and take off the
proxy information of the browser, I start to get certificate errors on
the HTTPS-based sites.  HTTP proxying still works fine, but the HTTPS
proxying breaks.

Does anyone have any suggestions as to what to look for that may be
causing that?  I don't understand what could break just switching
between non-transparent and transparent modes.

-David
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: HTTPS proxy working in non-transparent mode, failing in transparent mode

Amos Jeffries
Administrator
On 23/08/17 05:17, David Salisbury wrote:

> I've got an install of Squid that I'm trying to get running as an HTTP
> and HTTPS proxy.  I've got some Squid experience, but up to this point
> only using it as an HTTP proxy (transparent, in that case).
>
> I've gotten the HTTPS portion of the proxy working, if I run it in
> non-transparent mode; the HTTP portion is working as well.  I've
> installed the appropriate CA cert on the client machine I'm testing
> with, and have pointed the browser of the client machine to the IP and
> port of the Squid proxy.  Both HTTP and HTTPS work well, and I can
> successfully use Squid's ACL functions to whitelist and blacklist
> certain sites.

As they should. Good.

>
> BUT, my ultimate goal is transparent mode for the HTTP and HTTPS

:-( "transparent mode", aka interception, aka MITM attack is a feature
of last-resort for handling broken clients.

> proxying, and as soon as I put Squid in transparent mode and take off the
> proxy information of the browser, I start to get certificate errors on
> the HTTPS-based sites.  HTTP proxying still works fine, but the HTTPS
> proxying breaks.
>
> Does anyone have any suggestions as to what to look for that may be
> causing that?  I don't understand what could break just switching
> between non-transparent and transparent modes.

TLS/SSL is explicitly designed to break when being MITM'd. It is called
security. When used properly it *cannot* be MITM'd; sadly, most web
traffic does not use it that way.

Are you using SSL-Bump functionality?

If not, that is your problem. If you are, what is your config?


Amos
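
An added example, not part of either message and not the poster's configuration: a minimal squid.conf sketch of the SSL-Bump setup the reply asks about, with the explicit port beside the intercepted ones. It assumes Squid 3.5 or later built with OpenSSL support; the ports, certificate path and helper paths are placeholders.

```conf
# Explicit (non-transparent) port: the browser sends "CONNECT host:443",
# so Squid learns the server name before it generates a certificate.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Intercepted plain HTTP (traffic redirected from port 80 by the firewall).
http_port 3129 intercept

# Intercepted HTTPS (redirected from port 443) needs its own https_port
# carrying both "intercept" and "ssl-bump"; an http_port expects plain
# HTTP on the wire, not a TLS handshake.
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates signed by the proxy CA
# (named ssl_crtd in Squid 3.5; helper path and database path are placeholders).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# On an intercepted connection there is no CONNECT request, only a
# destination IP address. Peeking at the TLS ClientHello first lets Squid
# read the SNI name and generate a certificate for the hostname the
# browser expects, instead of one that fails name validation.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

Running `squid -k parse` checks the file for syntax errors before a reload; the firewall rules that redirect ports 80 and 443 to the intercept ports are not shown.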