Transparent proxy and HTTPS with squid

httpsman-in-the-middlesquidtransparent-proxy

Is is possibile to use a transparent proxy to filter some domains without a man-in-the-middle approach? I would like to guarantee the certificate verification and user privacy, by other hand, I want to deny connection to some domain.

Is it possibile with a transparent proxy?
Is it possibile with squid3?

Best Answer

A transparent proxy, by definition, sits man-in-the-middle. The client is unaware that the proxy exists and sends its requests to SSL-based sites as TCP SYNs to destination port 443.

If you specify the proxy explicitly the client will use the CONNECT verb (since it knows there's a proxy being used), which Squid access control lists (ACLs) can act upon.

No transparent proxy can reliably apply access control without doing man-in-the-middle. The best you can hope for would be acting upon the destination IP address which, frankly, will just give you headaches because you'll need to constantly maintain the list of IPs.

Related Solutions

Setting Up a Transparent SSL Proxy – Step-by-Step Guide

The issues you're seeing are the same that prevent the use of multiple certificates on a single IP address/port (without using Server Name Indication).

In plain HTTP, your transparent proxy can tell which host the client wants to connect to by looking into the Host header.

When the HTTPS MITM transparent proxy gets the request, it can't know which host name the client was requesting in the first place. (I'm not even sure it can get the IP address with these rules, which might at least have allowed it to make a guess using a reverse DNS lookup, even though it's unlikely to work in the general case.)

In order to get the expected host name, the MITM proxy would have to read the Host header in the HTTP message, which can only occur after a successful handshake.
In order to have a successful handshake, the MITM proxy needs to generate a spoof certificate matching the expected hostname.

As a result, the MITM proxy can't know which certificate to generate before the handshake.

This can work with a non-transparent MITM proxy, because you would at least get the intended host name via the HTTP CONNECT method.

Ssl – Squid, WCCP and Transparent HTTPS

Yes there is a way to do https WCCP redirection without MITM. You have to force Squid not to ssl-bump incoming SSL traffic.

ssl_bump none all

HOpe that helps. I have a complete article here that goes into WCCP redirection using a Cisco ASA including both http and https. Web SSL Proxy redirection using WCCP Ccisco ASA and Squid 3.4+

Best Answer

Related Solutions

Setting Up a Transparent SSL Proxy – Step-by-Step Guide

Ssl – Squid, WCCP and Transparent HTTPS

Related Topic