Hi,

Thanks for the fast response.

On Fri, Mar 16, 2012 at 3:08 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 17/03/2012 2:27 a.m., guest01 wrote:
>
>> Can anybody offer a solution or how do you allow HTTPs in your guest
>> (W)LANs? Direct connection or using proxy-scripts (WPAD,...)?
>
>
> Add a name=X parameter to your http_port intercept port and use the
> myportname ACL type to limit the redirect only to happen on requests
> arriving via that port.

ok, in my setup I am using the same IP with different Ports:

http_port 10.122.125.2:3129 intercept name=transparentHTTPPort
https_port 10.122.125.2:3130 intercept cert=/etc/squid/squid.pem name=transparentHTTPsPort
acl redirectbehavior myportname transparentHTTPPort

And how would I apply the myportname-acl? (Sounds like a noob question, but I could not find helpful documentation)

>
> That will get the redirects going and then you face the actual blocker
> problem...
>
> ... when you do HTTPS intercept on a guest how do you intend to install
> your local CA on the guest browsers to prevent fake-certificate warnings on
> every page load they do?
> SSL interception in Squid only supports the environments where the browsers
> are configured to trust the local proxies CA. DMZ, Captive Portals, and
> residential ISP type networks cannot do it without opening themselves up to
> a range of legal issues.
>

We don't because we can't. It is only an internal guest lan mainly for customers or private devices (like smartphones, tablets). Unfortunately, there are some security regulations which prohibit direct HTTPs connections, everything has to be proxified, even non-HTTP-traffic like android market/google play (that's another non-squid related issue)

thanks!