Re: [squid-users] Fwd: MITM SSL content filtering using Dansguardian

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 19 Jun 2013 10:52:52 +1200

On 19/06/2013 6:48 a.m., Deniz Eren wrote:
> Hi;
>
> In previous versions of squid (before v3.3) we used squid for
> intercepting SSL traffic and content filtering it using dansguardian
> and then encrypting it again. Only problem was "Browser SSL Warnings".
> Our network scheme is like below:
>
> Client [HTTPS encrypted] ---> Squid1 (port 3128) [Decrypting HTTPS and
> sending dansguardian HTTP]---> Dansguardian (port 8080) [HTTP
> continued]---> Squid2 (port 3129) [Again encrypting HTTP to HTTPS]--->
> Destination server [Receives HTTPS]
>
> Now after "SSL mimicking" and "Dynamic SSL certificate generation"
> functions were added, we wanted to use these features and prevent "Browser
> SSL Warnings". But when we tried using squid 3.3.5 we couldn't do the MITM
> trick with squid using dansguardian. So my question is: is it possible to
> decrypt SSL traffic, filter it with dansguardian and after that encrypt
> the traffic again? Or are we trying something which is technically not
> possible with squid v3.3.5?

You can't. Mimicking requires something to mimic, and the plain-HTTP
connections through DansGuardian do not contain SSL.

Consider moving the tasks DansGuardian is performing into Squid and/or
an ICAP service instead.

Amos
Received on Tue Jun 18 2013 - 22:53:11 MDT
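
The single-proxy layout suggested in the reply, sketched as an added squid.conf fragment for Squid 3.3 (not part of the original thread and not the Squid project's own configuration). The file paths, port numbers, cache sizes and the ICAP service names and URLs are assumptions, and the build is assumed to include SSL bumping, ssl_crtd and the ICAP client.

```conf
# Added example: one Squid instance bumps the TLS connection and hands the
# decrypted requests and responses to a filter over ICAP, so no plain-HTTP
# hop through a second proxy sits between the client and the origin server.
# All paths, ports, sizes and service names here are assumptions.

# Clients connect here. CONNECT tunnels are bumped and the certificate shown
# to the client is generated on the fly, signed by the local filtering CA.
# The cert= file is assumed to hold both the CA certificate and its key.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/filterCA.pem

# Helper that generates and caches the per-host certificates.
# Its database must be initialised once beforehand with: ssl_crtd -c -s <dir>
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# server-first: Squid opens the TLS connection to the origin server before
# answering the client, so there is a real server certificate to mimic.
# This is the step that cannot happen when the upstream hop is plain HTTP.
ssl_bump server-first all

# Content filtering inside the same Squid: request and response adaptation
# through an ICAP server assumed to listen on localhost port 1344.
icap_enable on
icap_service filter_req reqmod_precache icap://127.0.0.1:1344/reqmod
icap_service filter_resp respmod_precache icap://127.0.0.1:1344/respmod
adaptation_access filter_req allow all
adaptation_access filter_resp allow all
```

Clients only stop showing certificate warnings once the CA in `cert=` is installed as trusted on them; its private key lets the holder issue a certificate for any site to those clients, so it needs the same protection as any internal CA key.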
