On 17/03/2012 2:27 a.m., guest01 wrote:
Hi guys,
We are currently using our Squid (3.1.x) as transparent HTTP proxy
(with dst nat). We also want to use our Squid as transparent HTTPs
proxy, which works too, despite our Internet research in which we got
many results for "transparent https proxying is not possible". I admit
that there are some issues, but we only want to use it for our guest
lan, not every site has to work. Unfortunately, there are many sites
which start as HTTP-site and redirect to HTTPs before receiving login
credentials (e.g. amazon) or just redirect (e.g.
https://www.juniper.net/customers/csc/). In these situations, my
firefox prints following error message: The page isn't redirecting
properly. It seems Squid can't handle 302 (in transparent https mode?)
https://www.juniper.net/customers/csc/
GET /customers/csc/ HTTP/1.1
Host: www.juniper.net
<snip>
HTTP/1.0 302 Moved Temporarily
Location: https://www.juniper.net/customers/csc/
<snip>
Notice how Squid is not identifying any difference between intercepted
HTTP and decrypted HTTPS.
Can anybody offer a solution or how do you allow HTTPs in your guest
(W)LANs? Direct connection or using proxy-scripts (WPAD,...)?
Add a name=X parameter to your http_port intercept port and use the
myportname ACL type to limit the redirect only to happen on requests
arriving via that port.
That will get the redirects going and then you face the actual blocker
problem...
... when you do HTTPS intercept on a guest how do you intend to
install your local CA on the guest browsers to prevent fake-certificate
warnings on every page load they do?
SSL interception in Squid only supports the environments where the
browsers are configured to trust the local proxies CA. DMZ, Captive
Portals, and residential ISP type networks cannot do it without opening
themselves up to a range of legal issues.
Amos
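Amos's suggestion (a name= tag on the intercept port plus a myportname ACL) as a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the port numbers, the name= values, the ACL names, the CA file paths, and the assumption that the redirect is done by a url_rewrite_program are all mine.

```conf
# Added example for Squid 3.1 (not from the original thread).
# Assumptions: ports 3128/3129/3130, the name= tags, the ACL names,
# the CA paths and the redirector path are placeholders.

# Forward-proxy port for clients configured explicitly (manual or WPAD)
http_port 3128

# Plain HTTP interception; dst-nat'ed port-80 traffic arrives here.
# name= gives this port a tag that myportname can match on.
http_port 3129 intercept name=intercept_http

# HTTPS interception. ssl-bump decrypts with a local CA, which only works
# when the guest browsers already trust proxy-ca.pem (see the caveat above).
https_port 3130 intercept ssl-bump name=intercept_https \
    cert=/etc/squid/proxy-ca.pem key=/etc/squid/proxy-ca.key

# Bump everything that arrived on the HTTPS intercept port (3.1 syntax)
acl from_intercept_https myportname intercept_https
ssl_bump allow from_intercept_https
ssl_bump deny all

# Tell intercepted plain HTTP apart from decrypted HTTPS by arrival port,
# since the requests themselves look identical to Squid.
acl from_intercept_http myportname intercept_http

# Assumed redirect mechanism: an external url_rewrite_program. Restrict it
# to requests that really came in as plain HTTP so decrypted HTTPS is not
# redirected again and the browser does not loop.
url_rewrite_program /usr/local/bin/redirector
url_rewrite_access allow from_intercept_http
url_rewrite_access deny all

http_access allow localnet
http_access deny all
```

Check it with `squid -k parse` before reloading. The two intercept ports still need the corresponding dst-nat rules on the firewall, and the https_port line does nothing useful for a guest LAN unless the guests' browsers trust the CA that signed proxy-ca.pem; without that every bumped page produces a certificate warning, which is the blocker Amos describes.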