Transparent proxy for WiFi users

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Transparent proxy for WiFi users

Roberto Carna
Dear, I've setup a Squid transparent proxy + Squidgard on pfSEnse 2.4
in order to filter HTTP and HTTPS web content for different types of
WiFi clients on my company:

- Android (different versions)
- Notebooks Windows 7/10
- Iphone
- Etc.

In some cases, depending on the device Operating System, some apps
experiment problems, for example Facebook and some others.

Which is the best solution in order to setup a TRANSPARENT proxy
service in a heterogeneous scenario with diferenbt types of devices,
and running in the best mode with the minimum number of problems???

Or do I have to move to a scenario with a defined proxy in another
server, and automatically established in clients with DHCP ???

Thanks a lot,

Roberto
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Transparent proxy for WiFi users

Amos Jeffries
Administrator
On 03/01/18 02:48, Roberto Carna wrote:

> Dear, I've setup a Squid transparent proxy + Squidgard on pfSEnse 2.4
> in order to filter HTTP and HTTPS web content for different types of
> WiFi clients on my company:
>
> - Android (different versions)
> - Notebooks Windows 7/10
> - Iphone
> - Etc.
>
> In some cases, depending on the device Operating System, some apps
> experiment problems, for example Facebook and some others.

The main cause of these problems is that when the same vendor is
authoring both the server software and the client "app" (or client
device OS). They can (and often do) hard-code TLS certificate checks
into their client code to detect and immediately fail in the presence of
MITM in the encryption.

Following that, SSL-Bump is still very much an ongoing project.
Selecting even a slightly older Squid version can lead to TLS features
not being supported. So when problems occur the best option is still to
upgrade to the very latest release before debugging further - today that
would be squid-4.0.22 beta.


>
> Which is the best solution in order to setup a TRANSPARENT proxy
> service in a heterogeneous scenario with diferenbt types of devices,
> and running in the best mode with the minimum number of problems???

The _only_ solution is not to decrypt such traffic (the splice action).
How you determine which traffic is having such special trust given to it
is up to you. The TLS SNI is provided by the peek action at SSL-Bump step 1.


>
> Or do I have to move to a scenario with a defined proxy in another
> server, and automatically established in clients with DHCP ???
>

Explicit proxy is definitely better for HTTP than interception proxy.
That is true regardless of what else is going on. So worth doing *if*
you can.

That said, it is also unlikely to help much with the problem you are
facing. Perhapse a small gain for clients not sending TLS SNI values -
otherwise no change can be expected.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Transparent proxy for WiFi users

Yuri Voinov

03.01.2018 02:13, Amos Jeffries пишет:

> On 03/01/18 02:48, Roberto Carna wrote:
>> Dear, I've setup a Squid transparent proxy + Squidgard on pfSEnse 2.4
>> in order to filter HTTP and HTTPS web content for different types of
>> WiFi clients on my company:
>>
>> - Android (different versions)
>> - Notebooks Windows 7/10
>> - Iphone
>> - Etc.
>>
>> In some cases, depending on the device Operating System, some apps
>> experiment problems, for example Facebook and some others.
>
> The main cause of these problems is that when the same vendor is
> authoring both the server software and the client "app" (or client
> device OS). They can (and often do) hard-code TLS certificate checks
> into their client code to detect and immediately fail in the presence
> of MITM in the encryption.
>
> Following that, SSL-Bump is still very much an ongoing project.
> Selecting even a slightly older Squid version can lead to TLS features
> not being supported. So when problems occur the best option is still
> to upgrade to the very latest release before debugging further - today
> that would be squid-4.0.22 beta.
>
>
>>
>> Which is the best solution in order to setup a TRANSPARENT proxy
>> service in a heterogeneous scenario with diferenbt types of devices,
>> and running in the best mode with the minimum number of problems???
>
> The _only_ solution is not to decrypt such traffic (the splice
> action). How you determine which traffic is having such special trust
> given to it is up to you. The TLS SNI is provided by the peek action
> at SSL-Bump step 1.
Well, you can do it when you want. For example, take a look (for example):

https://stackoverflow.com/questions/4461360/how-to-install-trusted-ca-certificate-on-android-device

or on this:

http://wiki.cacert.org/FAQ/ImportRootCert

Or, in your case,  you can differentiate users by, for example, by
network and pass wifi users to splice rule. Much approaches exists.

>
>
>>
>> Or do I have to move to a scenario with a defined proxy in another
>> server, and automatically established in clients with DHCP ???
>>
>
> Explicit proxy is definitely better for HTTP than interception proxy.
> That is true regardless of what else is going on. So worth doing *if*
> you can.
Oh, really? You have forgotten about beatiful 252 option in DHCP, about
WCCP interception, and such other good things. In other world,
transparent interception requires just more experienced sysadmin. This
simple requires more experience with squid, LAN equipement, and a bit
more work. So, "definitely better" is very discussable statement.

>
> That said, it is also unlikely to help much with the problem you are
> facing. Perhapse a small gain for clients not sending TLS SNI values -
> otherwise no change can be expected.
>
> Amos
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users

--
*****************************
* C++20 : Bug to the future *
*****************************

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Transparent proxy for WiFi users

Amos Jeffries
Administrator
On 03/01/18 10:15, Yuri wrote:

>
> 03.01.2018 02:13, Amos Jeffries пишет:
>> On 03/01/18 02:48, Roberto Carna wrote:
>>> Dear, I've setup a Squid transparent proxy + Squidgard on pfSEnse 2.4
>>> in order to filter HTTP and HTTPS web content for different types of
>>> WiFi clients on my company:
>>>
>>> - Android (different versions)
>>> - Notebooks Windows 7/10
>>> - Iphone
>>> - Etc.
>>>
>>> In some cases, depending on the device Operating System, some apps
>>> experiment problems, for example Facebook and some others.
>>
>> The main cause of these problems is that when the same vendor is
>> authoring both the server software and the client "app" (or client
>> device OS). They can (and often do) hard-code TLS certificate checks
>> into their client code to detect and immediately fail in the presence
>> of MITM in the encryption.
>>
>> Following that, SSL-Bump is still very much an ongoing project.
>> Selecting even a slightly older Squid version can lead to TLS features
>> not being supported. So when problems occur the best option is still
>> to upgrade to the very latest release before debugging further - today
>> that would be squid-4.0.22 beta.
>>
>>
>>>
>>> Which is the best solution in order to setup a TRANSPARENT proxy
>>> service in a heterogeneous scenario with diferenbt types of devices,
>>> and running in the best mode with the minimum number of problems???
>>
>> The _only_ solution is not to decrypt such traffic (the splice
>> action). How you determine which traffic is having such special trust
>> given to it is up to you. The TLS SNI is provided by the peek action
>> at SSL-Bump step 1.
> Well, you can do it when you want. For example, take a look (for example):
>
> https://stackoverflow.com/questions/4461360/how-to-install-trusted-ca-certificate-on-android-device
>
> or on this:
>
> http://wiki.cacert.org/FAQ/ImportRootCert
>
> Or, in your case,  you can differentiate users by, for example, by
> network and pass wifi users to splice rule. Much approaches exists.

NP: none of which work when the application is checking the fingerprint
of the CA certificate against a hard-coded value defined by the vendor.
These are simply ways to make the SSL-Bumping process work without
"untrusted CA" warnings *if* bumping is already possible.

>>
>>>
>>> Or do I have to move to a scenario with a defined proxy in another
>>> server, and automatically established in clients with DHCP ???
>>>
>>
>> Explicit proxy is definitely better for HTTP than interception proxy.
>> That is true regardless of what else is going on. So worth doing *if*
>> you can.
> Oh, really? You have forgotten about beatiful 252 option in DHCP, about
> WCCP interception, and such other good things. In other world,

No, I am not.

DHCP, WPAD/PAC, and such are just ways to auto-configure explicit proxy
*not* interception proxy.

WCCP is just a way to tunnel packets to the proxy machine. Explicit
proxy does not require that additional tunnel complexity.
  If you combine WCCP with interception it becomes "interception proxy",
not "explicit proxy".


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users