URL filtering HTTPS traffic

Tags: https, proxy, squid

The configuration that I am dealing with is a transparent HTTP proxy: on the firewall, all the HTTP traffic (port 80) is redirected to the proxy via iptables; Dansguardian is installed on the proxy and filters the URLs. Reading around the web, I realized that if I redirect the HTTPS traffic (port 443) to the proxy too, the users will receive an error when they point to an HTTPS website. Is that correct?

The solutions I found to solve this problem are:

  • I remove the redirect rule on the firewall and the users specify the proxy address in the connection options on their browsers. Do they have to specify a different port for the HTTPS traffic, or can the default port (3128) be specified for each protocol? Or do I have to specify the 'https_port' directive in squid.conf?
  • I remove the redirect rule on the firewall and create a configuration file (proxy.pac / wpad.dat); the users specify the URL of this file on their browsers, so it automatically loads proxy configurations.

At this point my question is: why do those solutions work with HTTPS traffic while transparent proxying doesn't?

Thank you in advance.

Best Answer

By the time the HTTPS traffic arrives at the transparent proxy there's only the IP "visible": not enough information to recreate the CONNECT request and proxy it.

When you set a proxy in your browser (manually, or by proxy.pac) the browser knows to send more info to the proxy about what it wants.

Some proxies can use SNI information to transparently proxy a majority of SSL traffic - and then either domain filter it (from the SNI info) or MITM it and do a full filtering job. I work for a supplier of one such filter - Smoothwall (who also employ dansguardian Dan).