Linux – Bandwidth Manager Using Squid

Tags: bandwidth, bandwidth-measuring, iptables, linux, squid

I am trying to create internet distribution software for an ISP (an internet distributor, a school or other such organizations) like the one here

It will have restrictions and policies for users to limit bandwidth/speed/duration etc. according to their internet connection package. Also, the administrator should be able to monitor their speed, block/allow users and renew packages.

The architecture is like:

(architecture diagram image)

Non-HTTPS client requests work fine, but HTTPS requests give SSL_ERROR, as expected.

I read that Squid cannot handle HTTPS connections in transparent proxy mode, but I do not want users to set a proxy in their browser every time.

Is there any other way so that we can count all the traffic, including the encrypted traffic, used by a user and shape the traffic accordingly?

Best Answer

This is not a limitation of Squid; it is a limitation of the HTTPS protocol itself. If you try to set up a transparent HTTPS proxy, you will invariably need to break the encryption channel - otherwise the proxy has no way of knowing which web site to load. So you basically choose between

  1. setting an HTTP proxy in browsers (which might be done through autodiscovery, BTW)
  2. breaking HTTPS security by terminating the encryption channel at your Squid proxy - BumpSSLServerFirst has been written with this in mind. For this to work, though, your clients would need to trust Squid's CA to sign any certificate - it would have to be installed as a trusted root CA on every client.

As setting up trusted CA certs on all clients seems more labor-intensive than just setting an HTTPS proxy in the browser settings, it would only make sense if you plan on working with the decrypted data in ACLs or for request/response body checking.
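As an added illustration of the second option (not from the question, the answer or the Squid project), here is a squid.conf fragment that terminates TLS at the intercepting proxy with a locally generated CA; the port numbers, file paths, and the Squid 3.5+ directive names are assumptions and must match your distribution and the iptables REDIRECT rules in your architecture.

```conf
# Plain HTTP arriving via the iptables REDIRECT rule (works today)
http_port 3129 intercept

# Intercepted HTTPS: Squid terminates TLS and re-encrypts to the origin.
# cert=/key= hold the CA certificate and its PRIVATE key; the key stays
# on the proxy only. generate-host-certificates mints a leaf certificate
# for each visited site, signed by this CA.
https_port 3130 intercept ssl-bump \
    cert=/etc/squid/ssl/squidCA.pem \
    key=/etc/squid/ssl/squidCA.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that signs the per-site leaf certificates (binary name and
# path differ between distributions; older builds call it ssl_crtd).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Look at the ClientHello first, then bump (decrypt) everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Decrypted requests now hit the normal ACLs and delay_pools, so HTTPS
# bytes can be counted and shaped per user exactly like HTTP.
```

Only the CA certificate (squidCA.pem, never the key) is distributed to clients as a trusted root; any client that lacks it sees the same certificate error the question describes, which is also how a user can detect that their TLS is being terminated.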