Re: Squid transparent with single interface (https)

On 26/01/2012 8:04 a.m., Javier wrote:
> Hello ...
> I have a squid proxy server 3.1 with a single interface and would like it to
> become a transparent proxy, but the issue is https traffic. What would have
> to be put in the transparent squid iptables to allow this traffic? Is this
> possible? Sorry for the language.

Best practice is to avoid interception (aka "transparent proxy") as much as possible. Difficulty with HTTPS is just one of many problems it creates. Use WPAD (web proxy auto-discovery) instead. It is transparent from the user's perspective and avoids *all* the interception problems in one relatively easy setup. http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Fully_Automatic_Configuration


To *allow* the HTTPS traffic you do nothing. It is not sent by iptables to Squid at all unless you make it happen. The regular routing and firewall permit/deny rules control whether clients are allowed to use HTTPS straight to "HTTP Secured" websites.

Browsers and other clients which are aware of the proxy (i.e. due to WPAD) will send their HTTPS traffic to it in a form which Squid can handle. Possibly using "ssl-bump" to reach inside the encryption if you need it to.


If you are in fact asking how to break in and decrypt the secured traffic with an intercepting proxy, be aware that the SSL part of HTTPS was designed specifically to prevent this type of interception from working silently. Current releases of 3.1 can technically decrypt the intercepted SSL arriving at an intercept-mode https_port, but at the cost of clients getting an ongoing series of SSL security warnings popping up to tell them about your bad behaviour (did I mention it's designed not to permit silent decryption?). Squid-3.2 has a dynamic cert generator ability to reduce the warning popups in a lot of situations. But it's still not completely silent.

Amos
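As an added illustration of the WPAD route Amos recommends (not code from this thread or from the Squid project): a minimal proxy auto-config file, served as wpad.dat, that sends every non-local request, HTTP and HTTPS alike, to Squid as a proxy-aware client, so no iptables redirection of port 443 is needed. The proxy name squid.example.internal, port 3128 and the .example.internal domain are assumed placeholders; the helper shims at the top only stand in for the browser-supplied PAC builtins when the file is exercised outside a browser.

```javascript
// Assumed values: replace with your Squid host and its http_port.
var SQUID = "PROXY squid.example.internal:3128";
var LOCAL_DOMAIN = ".example.internal";

// Stand-ins for two PAC builtins so the policy can be tested with node.
// Inside a browser the real builtins already exist and are kept.
var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName
  : function (host) { return host.indexOf(".") === -1; };
var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs
  : function (host, domain) {
      return host.length >= domain.length &&
             host.slice(-domain.length) === domain;
    };

// True for literal IPv4 addresses in RFC 1918 space or the loopback net.
// Written in plain JS rather than isInNet() so no DNS lookup is triggered.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) { return false; }
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Entry point every PAC-capable client calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Local names and private addresses never traverse the proxy.
  if (host === "localhost" || isPlainHostName(host) ||
      dnsDomainIs(host, LOCAL_DOMAIN) || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Everything else goes to Squid. A proxy-aware client sends HTTPS as a
  // CONNECT tunnel, which Squid handles without any interception.
  // Deliberately no "; DIRECT" fallback: if Squid is down, clients fail
  // closed instead of silently bypassing the proxy policy.
  return SQUID;
}
```

Serve the file with Content-Type application/x-ns-proxy-autoconfig and publish its location via DHCP option 252 or a wpad host in DNS, as the linked FAQ describes.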


