I've got Ubuntu and Squid running on a machine acting as a transparent proxy and a default gateway for many pc's on my network, which means all internet bound activity comes through the interface to be filtered before leaving for the router (192.168.1.1). HTTPS/SSL (443) does not work because packets on port 443 will come in and hit a wall as I have no rules specified for it.
How do I use iptables to create a passthrough for 443 connections?
—————– EDIT ———————–
Managed to get https working after setting the proxy settings for SSL to point to the squid box. However, if I were making a linux router (which I sort of am), would it mean SSL would never work unless I have a proxy running? The IP address for the linux box is 192.168.1.235 and i've set a test computer running winXP to that as its default gateway. Surely there's a way to allow 443 SSL to "pass through" without even touching on the proxy?
I'm also a tad confused as to why https is working at all…I haven't got any sort of routes or anything in the iptables that deal with 443.
Any light shed on this would be greatly appreciated!
Best Answer
You can not transparently proxy HTTPS. When you transparent proxy, clients think they are talking to the remote server. With HTTPS, they will attempt to create an SSL connection, which will authenticate the remote host by comparing the remote certificate to the hostname. This won't work because your squid will not have the right certificate.
You can, however, proxy HTTPS connections, because clients that know how to proxy HTTPS will open a connection to your proxy and issue a CONNECT request, which basically tunnels the connection via the proxy.
The best thing for you to do is to block direct access to port 443 and tell your users that if they want to use HTTPS, they must configure their browser to use the proxy.