Re: Transparent proxy with HTTPS on freebsd

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

nyoman karna wrote:
> nope,
> you can NOT use transparent proxy for HTTPS.
>
> since using transparent proxy for HTTPS
> will be considered as man-in-the-middle attack.
>
> you probably may use PAC (as Amos suggested)
> but IMO it ruin the basic idea of using transparent proxy
> (which is user does not need to put any setting in their browser)

Not quite. WPAD can be used with PAC so users only have 'auto-detect' on 
their browsers. The rest happens 'transparently' in one meaning of the term.

Amos

> --- On Wed, 4/29/09, goody goody <thinkodd@xxxxxxxxx> wrote:
>
> > From: goody goody <thinkodd@xxxxxxxxx>
> > Subject: Re:  Transparent proxy with HTTPS on freebsd
> > To: squid-users@xxxxxxxxxxxxxxx
> > Cc: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
> > Date: Wednesday, April 29, 2009, 7:30 AM
> >
> > Dear Amos,
> >
> > i say http works but https doesn't behind transparent proxy
> > (no proxy details specified in browser) and this is simply I
> > just want to achieve as some sites such as yahoo, gmail use
> > https to connect to.
> >
> > so if you guide my how can i configure squid to allow https
> > sites to connect behind transparent proxy.
> >
> > Further info regarding squid and bsd os is as follows.
> >
> > squid version info
> >
> > Squid Cache: Version 2.5.STABLE10
> > configure options:  --enable-storeio=diskd,ufs
> > --enable-snmp --with-openssl=/opt/ssl '--enable-auth=basic
> > ntlm' --enable-wccp '--enable-removal-policies=heap lru'
> >
> > BSD OS Info
> >
> > FreeBSD XXX 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Fri Mar 30
> > 18:16:33 PKT 2007     root@xxxxxxxxxxxx:/usr/src/sys/i386/compile/BSD-ROUTER 
> > i386
> >
> > an early response would be very much appreciated.
> >
> > Regards,
> >
> >
> > --- On Wed, 4/29/09, Amos Jeffries <squid3@xxxxxxxxxxxxx>
> > wrote:
> >
> > > From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> > > Subject: Re:  Transparent proxy with
> > HTTPS on freebsd
> > > To: "abdul sami" <sami.memon@xxxxxxxxx>
> > > Cc: squid-users@xxxxxxxxxxxxxxx
> > > Date: Wednesday, April 29, 2009, 1:49 PM
> > > abdul sami wrote:
> > > > Dear all,
> > > >
> > > > subject settings doesn't work when i set the
> > > transparent proxy though
> > > > http traffic works. on analysis of traffic i have
> > come
> > > to know that
> > > > proxy doesn't add it's source address to https
> > traffic
> > > rather simply
> > > > forwards it with local net address to
> > gateway/firewall
> > > device which
> > > > ultimately drops the packets.
> > > >
> > > > any suggestion in shape of steps/article would
> > be
> > > highly appreciated.
> > > > Regards,
> > > Pardon?
> > >   HTTPS being transparently intercepted (miracle
> > #1) and the
> > > users not phoning you about being attacked? (miracle
> > #2).
> > > HTTPS == HTTP via _secure_ SSL.
> > > transparent proxy == man-in-middle network attack on
> > > traffic.
> > >
> > > HTTPS was created to prevent transparent interception
> > > amongst other things. So yes I'm not surprised it
> > won't
> > > work.
> > >
> > > What are you trying to achieve with this?
> > >
> > > Amos
> > > -- Please be using
> > >   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
> > >   Current Beta Squid 3.1.0.7
>
>
>       


--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7