Re: [squid-users] newbie: squid does not block https sites on blacklist

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 21 Nov 2013 13:14:16 +1300

On 2013-11-21 12:07, info wrote:
> I'm running centos6 server 64 bit with squid 3.3 as a transparent
> proxy server and I'm using a blacklist.

Your problem starts with the word "transparent".

* CONNECT is a client->proxy request method. It is not supposed to ever
be sent over port 443.

* traffic over port 443 is encrypted from the first bytes onward.
Including any HTTP domain name details. All Squid has is the IP address
and port the client was connecting to.

> I installed squid from the
> tarball with '--enable ssl' and the program starts fine.
> The blacklist is working for http sites but not for https sites. The
> relevant lines I have in squid.conf are:
>
> acl squid-gambling dstdomain -i
> "/etc/squid/blacklists/squid-gambling.acl"
> acl SSL_ports port 443
> http_access deny squid-gambling
> http_access deny CONNECT !SSL_ports
>
> is there a way to verify whether the ssl portion of squid is actually
> working?

Yes. Setup a normal http_port line and configure your browser to use the
proxy explicitly on that port.

> if my config is wrong, can anyone show me the correct method? I've
> searched on google for ages but can't find a solution.

HTTPS (port 443) is designed to be encrypted end-to-end with *no* proxy
middleware supported along the way. There is no correct way to proxy it.
The closest action to "correct" is to firewall it by destination IP.

If it is legal for your location and you are willing to go the distance
there are MITM possibilities on a lot (but not all) of HTTPS traffic using
the ssl-bump feature of Squid.

Amos
Received on Thu Nov 21 2013 - 00:14:20 MST
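The two situations Amos contrasts, as an added illustration (example code written for this page, not Squid's source): with an explicit proxy the CONNECT request line carries the hostname, so a `dstdomain` ACL has something to match; on an intercepted port 443 the proxy has only the socket's IP:port plus the client's first bytes. Those first bytes are a TLS ClientHello, and when the client includes the SNI extension the hostname sits there in clear before any encryption starts; that is what the ssl-bump "peek" step in later Squid releases reads, but nothing in the original config ever looks at it. The blacklist entries, hostnames and IP address below are constructed sample data; `dstdomain_match` follows the Squid `dstdomain` leading-dot convention as I understand it (".example.com" matches the domain and its subdomains, a bare name matches exactly).

```python
"""Constructed demo: what a proxy can see of the destination name in
explicit vs. intercepted ("transparent") mode. Not Squid code."""
import struct

# Constructed sample blacklist in squid-gambling.acl style.
SAMPLE_BLACKLIST_TEXT = "# constructed sample\n.gambling.example\nbets.example\n"


def load_blacklist(text):
    """One entry per line, '#' starts a comment, entries compared lower-cased."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def dstdomain_match(host, entries):
    """Assumed dstdomain semantics: leading dot = domain and subdomains,
    otherwise exact match; case-insensitive like 'dstdomain -i'."""
    host = host.lower().rstrip('.')
    for e in entries:
        if e.startswith('.'):
            if host == e[1:] or host.endswith(e):
                return True
        elif host == e:
            return True
    return False


def parse_connect_target(request):
    """Explicit-proxy case: the CONNECT request line names host:port."""
    line = request.split(b'\r\n', 1)[0].decode('ascii', 'replace')
    method, target, _ = line.split(' ', 2)
    if method != 'CONNECT':
        return None
    host, _, port = target.rpartition(':')
    return host, int(port)


def parse_sni(data):
    """Intercepted case: pull server_name out of a TLS ClientHello.
    Returns None when the client sent no SNI; raises on non-ClientHello bytes."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack('!H', data[3:5])[0]
    hs = data[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                   # hs header, version, random
    sid_len = hs[pos]; pos += 1 + sid_len              # session id
    cs_len = struct.unpack('!H', hs[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher suites
    cm_len = hs[pos]; pos += 1 + cm_len                # compression methods
    if pos >= len(hs):
        return None                                    # no extensions block at all
    ext_len = struct.unpack('!H', hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack('!HH', hs[pos:pos + 4]); pos += 4
        if etype == 0:                                 # server_name extension
            body = hs[pos:pos + elen]
            p = 2                                      # skip server_name_list length
            while p + 3 <= len(body):
                ntype = body[p]
                nlen = struct.unpack('!H', body[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                         # host_name
                    return body[p:p + nlen].decode('ascii')
                p += nlen
        pos += elen
    return None


def build_client_hello(sni=None):
    """Constructed minimal TLS 1.2 ClientHello (sample input, not a capture)."""
    ext = b''
    if sni is not None:
        name = sni.encode('ascii')
        entry = b'\x00' + struct.pack('!H', len(name)) + name
        sn_list = struct.pack('!H', len(entry)) + entry
        ext = struct.pack('!HH', 0, len(sn_list)) + sn_list
    body = (b'\x03\x03' + b'\x11' * 32   # version, fixed "random" for the demo
            + b'\x00'                    # empty session id
            + b'\x00\x02\xc0\x2f'        # one cipher suite
            + b'\x01\x00')               # null compression only
    if ext:
        body += struct.pack('!H', len(ext)) + ext
    hs = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('!H', len(hs)) + hs


def check_explicit(request, entries):
    """What 'http_access deny squid-gambling' can do with an explicit CONNECT."""
    host, _port = parse_connect_target(request)
    return 'deny' if dstdomain_match(host, entries) else 'allow'


def check_intercepted(dst_ip, dst_port, first_bytes, entries):
    """Intercepted 443: only the socket tuple plus the ClientHello exist.
    Without SNI there is nothing a dstdomain ACL could match; the only
    remaining handle is dst_ip:dst_port, i.e. a firewall rule by IP."""
    sni = parse_sni(first_bytes)
    if sni is None:
        return 'allow', None
    return ('deny' if dstdomain_match(sni, entries) else 'allow'), sni


if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST_TEXT)
    print(check_explicit(b"CONNECT www.gambling.example:443 HTTP/1.1\r\n\r\n", bl))
    print(check_intercepted("203.0.113.10", 443, build_client_hello("www.gambling.example"), bl))
    print(check_intercepted("203.0.113.10", 443, build_client_hello(None), bl))
```

The explicit CONNECT is denied by the domain list; the intercepted connection is denied only because the constructed ClientHello carries an SNI and the code goes out of its way to read it, and with SNI absent it falls through to "allow" with nothing but the IP to act on, which is the firewall-by-destination-IP fallback Amos describes.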

This archive was generated by hypermail 2.2.0 : Thu Nov 21 2013 - 12:00:06 MST