Re: [squid-users] why squid can block https when i point my browser to port , and cant when its transparent ?

From: Alex Crow <alex_at_nanogherkin.com>
Date: Sun, 27 Jul 2014 18:15:18 +0100

On 27/07/14 16:00, Dr.x wrote:
> Hi all,
>
> I have 2 questions.
>
>
> 1- Why, when I make a normal Squid with a normal HTTP port and direct my
> browser to the IP/port, can it block HTTPS Facebook,

Because the browser is aware of the cache and issues CONNECT requests
for SSL sites. Squid can see these and block them.

>
>
> while
> if it is a transparent proxy it can't block HTTPS Facebook??

You can't use CONNECT with a transparent proxy as it implies the client
has been configured with a proxy (which would not be transparent).

>
> I'm talking about configuring a normal HTTP proxy, not HTTPS!
>
> I wish a clarification.
>
>
> 2- Now if I use SSL bump and use transparent TPROXY with HTTPS... can I buy
> a trusted certificate and install it on Squid so the users will not face
> the "certificate not trusted" message?

NO! This is about the 3rd or 4th time this question has appeared on this
list. You can't use a cert from a commercial provider because you need
the cert's private key to produce new certs signed by it (which the cert
provider will not give you in a million years). If this worked it would
make SSL useless.

>
>
> I mean, in a production network with many users, I need to block HTTPS
> YouTube/Facebook while still using transparent TPROXY.
>

You need to create your own CA, import the CA cert into your client
browsers (which will get rid of the warning) and use the key to do
dynamic cert generation in squid. Then it is possible to do either WPAD
based browser config, or, I think (harder) do TPROXY with bumping.

NB: unless you can import your own CA cert into all client browsers you
*WILL* get certificate validation failures in the browser.

Cheers

Alex

>
> with to help
>
> Regards
>
>
>
> -----
> Dr.x
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/why-squid-can-block-https-when-i-point-my-browser-to-port-and-cant-when-its-transparent-tp4667069.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
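The two behaviours Alex describes, as an added squid.conf example that is not part of his reply or of the Squid project's documentation. It assumes Squid 3.5 or later (for the peek/splice/terminate ssl_bump actions), a locally generated CA at /etc/squid/myCA.pem whose public certificate has been imported into every client browser, and the helper and database paths shown; all of those names and paths are assumptions.

```conf
# Added example, not from the original thread. Assumed: Squid >= 3.5, a
# self-made CA (public cert imported into all client browsers) and the
# paths below. A CA of this kind can be produced with, for example:
#   openssl req -new -x509 -days 1825 -newkey rsa:2048 -nodes \
#       -keyout /etc/squid/myCA.pem -out /etc/squid/myCA.pem
# (keep the private half readable only by the squid user).

acl localnet src 10.0.0.0/8                 # assumed client range
acl CONNECT  method CONNECT
# The same hosts, once per path: dstdomain matches the CONNECT target,
# ssl::server_name matches the SNI/cert name seen in the TLS handshake.
acl blocked_sites dstdomain        .facebook.com .youtube.com
acl blocked_tls   ssl::server_name .facebook.com .youtube.com

# --- 1) Explicit proxy (browser configured with ip:port) ---
# The browser sends "CONNECT www.facebook.com:443", so a plain
# http_access rule can deny it. No CA and no bumping are involved.
http_port 3128
http_access deny CONNECT blocked_sites

# --- 2) Transparent TPROXY interception ---
# No CONNECT arrives, only a raw TLS ClientHello, so the listener must be
# tagged ssl-bump and needs the private CA to mint per-host certificates.
https_port 3129 tproxy ssl-bump \
    cert=/etc/squid/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Peek at the ClientHello (step 1) to learn the server name, then decide.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked_tls   # drop connections to the blocked hosts
ssl_bump splice all              # pass everything else through untouched

http_access allow localnet
http_access deny all
```

With peek followed by terminate, Squid closes the connection before presenting any certificate, so a blocked site shows a connection error rather than a certificate warning. The CA still has to be on the listener, and the moment any rule is changed to bump instead of splice, every client that lacks the imported CA certificate will see exactly the validation failure the reply warns about.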
Received on Sun Jul 27 2014 - 17:15:25 MDT

This archive was generated by hypermail 2.2.0 : Mon Jul 28 2014 - 12:00:05 MDT