I am trying to create an internet distribution software for an ISP (an internet distributor or a school or other such organizations) like the one here
It will have restrictions and policies for users to limit bandwidth/speed/duration etc according to their internet connection package. Also, the administrator should be able to monitor their speed and block/allow users and renew packages.
The architecture is like:
Non-HTTPS client requests work fine. But HTTPS requests are giving SSL_ERROR as expected.
I read Squid cannot handle https connections in transparent proxy mode, but I do not want users to set proxy in their browser every time.
Is there any other way so that we can count all the traffic, including the encrypted traffic, used by a user and shape the traffic accordingly?
Best Answer
This is not a limitation of Squid, it is a limitation of the HTTPS protocol itself. If you try setting up a transparent HTTPS proxy, you invariably would need to break the encryption channel - otherwise the proxy has no way of knowing which web site to load. So you basically choose between
As setting up trusted CA certs on all clients seems more labor-intensive than just setting an HTTPS proxy in the browser settings, it would only make sense if you plan on working with the decrypted data in ACLs or for request/response body checking.
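
An added example, not part of the question or the answer: when the proxy is set explicitly in the browser (the option the answer mentions), HTTPS reaches Squid as CONNECT tunnels, so per-user byte counts can be read from `access.log` without decrypting anything. The log lines, addresses and quota below are constructed, and Squid's default native log format is assumed.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format (assumed default):
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101    312 192.168.1.10 TCP_MISS/200 15320 GET http://example.org/index.html - HIER_DIRECT/203.0.113.5 text/html
1700000001.250  60044 192.168.1.10 TCP_TUNNEL/200 4821337 CONNECT video.example.com:443 - HIER_DIRECT/203.0.113.9 -
1700000002.007   8120 192.168.1.11 TCP_TUNNEL/200 90412 CONNECT mail.example.net:443 - HIER_DIRECT/203.0.113.20 -
1700000003.900      0 192.168.1.11 TCP_DENIED/403 3980 CONNECT blocked.example.net:443 - HIER_NONE/- text/html
truncated line without enough fields
"""

def parse_line(line):
    """Return (client, method, size, denied), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, code, size, method = fields[2], fields[3], fields[4], fields[5]
    if not size.isdigit():
        return None
    return client, method, int(size), code.startswith("TCP_DENIED")

def usage_by_client(log_text):
    """Sum bytes delivered per client, split into plain HTTP and CONNECT tunnels."""
    usage = defaultdict(lambda: {"plain": 0, "tunnel": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or corrupt lines instead of failing
        client, method, size, denied = rec
        if denied:
            continue  # proxy error page, not user traffic (accounting choice, assumption)
        usage[client]["tunnel" if method == "CONNECT" else "plain"] += size
    return dict(usage)

def over_quota(usage, quota_bytes):
    """Clients whose combined plain and tunnelled bytes exceed the quota."""
    return sorted(c for c, u in usage.items() if u["plain"] + u["tunnel"] > quota_bytes)

if __name__ == "__main__":
    totals = usage_by_client(SAMPLE_LOG)
    for client, u in sorted(totals.items()):
        print(client, u)
    print("over 1 MB quota:", over_quota(totals, 1_000_000))
```

For a CONNECT entry Squid logs only the target host and port plus the byte count, so accounting works per user while the tunnel contents stay encrypted.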