True
HTTPS might be intercepted, but there is no way to decode the content, which page or which picture was sent. If it is used as a transparent proxy you probably can't even get out which server to connect to. So it probably won't work with Squid, unless (most likely not) it uses some kind of mechanism to extract the original destination from the socket.
You can only get or make rules about: bytes sent, bytes received, source IP, source port, destination IP.
But I think you need a completely different proxy.
Marko
--- On Tue, 11/10/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> From: Amos Jeffries <squid3_at_treenet.co.nz>
> Subject: Re: [squid-users] Squid3-Debian Lenny Transparent proxy not working with HTTPS
> To: squid-users_at_squid-cache.org
> Date: Tuesday, November 10, 2009, 11:32 PM
> On Tue, 10 Nov 2009 10:21:04 -0500, "John Czerwinski" <JohnCzerwinski_at_air-watch.com> wrote:
> > I have configured a Squid3 proxy server on Debian using WCCP to a Cisco
> > 2821 router (via GRE tunnel). Regular HTTP traffic works just fine.
> > Anytime I try to connect to HTTPS, it times out.
>
> Open port 443 on the firewall to let HTTPS out.
>
> HTTPS cannot be intercepted. It was created as a security
> protocol
> explicitly to prevent interception attacks on network
> traffic (aka WCCP,
> NAT interception, wire tapping, etc).
>
> >
> > I've compiled Squid with --enable-ssl.
>
> This merely lets Squid use SSL operations when clients
> explicitly
> configured to use the proxy request it to make https://
> connections. It
> also enables TLS in some auth helpers. It's of very little
> use in a purely
> intercepting proxy.
>
> >
> > The squid configuration is as follows:
> >
> > ####################################################################
> > # Squid3 Configuration
> > #
> > #
> > #
> > # Cisco Router at 10.50.40.1
> > # GRE tunnel to Cisco Router at 10.50.1.1
> > #
> > # Local Squid3 server
> > # name: wwifi-atl-squid1
> > # IP: 10.50.40.100
> > # WCCPv2 (Transparent mode)
> > #
> > ####################################################################
> > visible_hostname wwifi-atl-squid1
> > # cache_effective_user squid squid
> > http_port 10.50.40.100:3128 transparent
>
> Not a good idea. It's better security to have the port
> number being
> something random that only you, Squid and the Squid box
> firewall know.
>
> The private port may also be firewalled in the mangle table
> INPUT chain to
> prevent people connecting directly to it from outside.
>
>
> > acl QUERY urlpath_regex cgi-bin \?
> > cache deny QUERY
>
> Drop the above.
>
> > acl apache rep_header Server ^Apache
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
>
> Add here:
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
> > refresh_pattern . 0 20% 4320
> >
> >
> >
> >
> >
> > # Access Control List Definitions
> > acl localnet src 10.50.10.0/24 10.50.20.0/24 10.50.30.0/24 10.50.40.0/24 10.50.100.0/24 10.50.201.0/24
> >
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
>
> Add here:
> acl to_localhost dst 0.0.0.0/8
>
> > acl SSL_ports port 443 563      # https, snews
> > acl SSL_ports port 873          # rsync
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443 563     # https, snews
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> > acl Safe_ports port 631         # cups
> > acl Safe_ports port 873         # rsync
> > acl Safe_ports port 901         # SWAT
> > acl purge method PURGE
>
> Unless you are actually using PURGE its best not to define
> it. Simply
> doing the above turns on all the PURGE handling components
> and makes Squid
> hold extra cache indexes etc, wasting a lot of memory.
>
> > acl CONNECT method CONNECT
> >
> > # http allows/denies
> > always_direct allow all
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access allow localnet
> > http_reply_access allow all
> > icp_access allow all
> >
>
> Amos
>
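The advice in the quoted reply applied to the posted configuration, as an added illustration that is not the poster's or the Squid project's own config; the private port number 34261 and the GRE tunnel interface name wccp0 are assumptions.

```conf
# Corrected squid.conf fragment, added here to illustrate the thread's advice
# (not the poster's own config). Assumptions: 34261 is an arbitrary private
# intercept port; the WCCP GRE tunnel interface on the Squid box is wccp0.

visible_hostname wwifi-atl-squid1

# Intercept on a non-obvious port instead of 3128; only traffic redirected
# by the router through the GRE tunnel should ever reach it.
http_port 10.50.40.100:34261 transparent

# Companion Linux firewall rule in the mangle INPUT chain (iptables syntax):
#   iptables -t mangle -A INPUT -p tcp --dport 34261 ! -i wccp0 -j DROP
# HTTPS is not redirected to Squid at all: port 443 must be open outbound
# on the firewall so clients reach the origin server directly.

# Dynamic content is excluded from caching by refresh_pattern, which
# replaces "acl QUERY urlpath_regex cgi-bin \?" and "cache deny QUERY".
refresh_pattern ^ftp:             1440  20%  10080
refresh_pattern ^gopher:          1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?)    0   0%      0
refresh_pattern .                    0  20%   4320

acl localnet src 10.50.10.0/24 10.50.20.0/24 10.50.30.0/24 10.50.40.0/24
acl localnet src 10.50.100.0/24 10.50.201.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/8
acl SSL_ports port 443 563 873
acl Safe_ports port 80 21 443 563 70 210 280 488 591 631 777 873 901
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
# "acl purge method PURGE" deliberately omitted: defining it enables the
# PURGE handling and extra cache indexes, at a memory cost, even if unused.

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all          # explicit final deny (standard practice)
http_reply_access allow all
icp_access allow all
always_direct allow all
```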
Received on Wed Nov 11 2009 - 16:13:24 MST
This archive was generated by hypermail 2.2.0 : Wed Nov 11 2009 - 12:00:03 MST