Hi guys and girls,

I've been trying to set up a "transparent" (from the user's side) SSL interception proxy. I realise this isn't advised as it breaks SSL and voids any user privacy etc., but this is for a school that needs to be able to monitor and control social networking access for students, and we've been asked to come up with a solution. The students bring in their own devices (iPads/tablets etc.) and these get assigned an IP via DHCP; port 443 and port 80 are then redirected (using iptables) to squid. I'm using squid (3.1.19) with --enable-ssl and --enable-icap-client as well as all the usual options. My transparent HTTP proxying works perfectly, so it's only the SSL side that doesn't work the way I've envisaged it would, e.g. the proxy intercepts all SSL traffic and acts as the user's PC would normally, and any certificate errors are hidden from the user's device, because certain apps (apple.com etc.) don't allow the users to accept certificate warnings.

These are the relevant options from my squid.conf:

http_port 192.168.0.1:8080 intercept ssl-bump cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.pem
https_port 192.168.0.1:8081 intercept cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.pem
always_direct allow all
acl broken_sites dstdomain .absa.co.za
ssl_bump deny broken_sites
ssl_bump allow all
# ignore errors with certain sites (very dangerous!)
acl TrustedName url_regex ^https://ib.absa.co.za/
sslproxy_cert_error allow TrustedName
sslproxy_cert_error deny all
# ignore certain certificate errors (very dangerous!)
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all

The above might have word wrapped a bit. I've tried varying options like redirecting port 443 to my http_port and using "transparent" instead of "intercept", using "ssl-bump" on both the http_port and https_port, as well as a whole ton of other options, but nothing seems to make much of a difference.
The best I can do is get https facebook to work transparently, but then I have major problems with most other SSL sites: the banking sites either complain about "redirecting in a way that will never finish" or they redirect to another page, which I'm guessing is because the remote webserver picks up some kind of SSL error and doesn't allow you to get in. As you can see in my config, I've tried to force "absa.co.za" to work no matter what happens, but the ACLs haven't made any difference. Please could anyone provide me with some guidance? I seem to be going round in circles here.

Thank you.

Regards,
Neil Wilson.
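Editorial note with an added example (not part of Neil's post, and not taken from the Squid project's own documentation). Three points a practitioner would check against the posted configuration: first, intercepted port-443 traffic has to land on an https_port, because the client opens with a TLS handshake rather than an HTTP request, so redirecting 443 to an http_port cannot work; second, serving one static squid.pem for every origin means the device sees a certificate whose name matches only that one host, and sslproxy_cert_error does not help with that, since it only governs which errors squid tolerates when squid validates the origin server's certificate, not what the device is shown; third, Squid ACL lists stop at the first match, so the second "sslproxy_cert_error allow BadSite" rule sits behind a "deny all" and can never match. The script below sketches the usual shape of a bump setup that avoids these problems: a private CA whose certificate (never its key) is installed on the devices, a squid.conf that mints a per-host certificate signed by that CA, and the iptables redirects. The directives generate-host-certificates, sslcrtd_program and "ssl_bump server-first" belong to Squid 3.3 and later rather than 3.1.19, so an upgraded squid is assumed; the interface name, ports, paths, the ssl_crtd helper location and the "proxy" service user are assumptions to adjust. Applications that pin their certificates will still fail regardless of any of this.

```shell
#!/bin/sh
# Added example (not from the original post): the moving parts of a Squid
# SSL-bump intercept setup. Every path, port, interface and user below is an
# assumption for illustration; adjust them to the actual host.
set -eu

CA_DIR=/etc/squid/ssl_cert          # assumed location of the signing CA
CA_KEY=$CA_DIR/squidCA.key          # CA private key: stays on the proxy only
CA_CRT=$CA_DIR/squidCA.crt          # CA certificate: this is what devices import
CA_PEM=$CA_DIR/squidCA.pem          # key + cert concatenated, as squid expects
CA_DER=$CA_DIR/squidCA.der          # DER copy, convenient for iPad/tablet import
SSL_DB=/var/lib/ssl_db              # assumed certificate cache for ssl_crtd
SSL_CRTD=/usr/lib/squid/ssl_crtd    # assumed helper path (distro-dependent)
SQUID_USER=proxy                     # assumed service account squid runs as
LAN_IF=eth0                          # assumed interface facing the students
HTTP_PORT=3128                       # intercept port for plain HTTP
HTTPS_PORT=3129                      # intercept port for HTTPS

# 1. Create the private CA that signs the per-host certificates squid generates.
#    Only squidCA.crt / squidCA.der is distributed to devices.
gen_ca() {
    mkdir -p "$CA_DIR"
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -subj "/CN=School Web Filter CA" -keyout "$CA_KEY" -out "$CA_CRT"
    cat "$CA_KEY" "$CA_CRT" > "$CA_PEM"
    openssl x509 -in "$CA_CRT" -outform DER -out "$CA_DER"
    chmod 600 "$CA_KEY" "$CA_PEM"
    # ssl_crtd wants its cache directory initialised before squid starts.
    "$SSL_CRTD" -c -s "$SSL_DB"
    chown -R "$SQUID_USER:$SQUID_USER" "$SSL_DB"
}

# 2. The squid.conf fragment. generate-host-certificates=on makes squid mint a
#    certificate per origin host, signed by cert=/key=, so the name the device
#    sees matches the site it asked for.
squid_conf() {
    cat <<EOF
# Plain HTTP intercept, unchanged from an ordinary transparent proxy
http_port $HTTP_PORT intercept

# HTTPS intercept: must be an https_port, the client speaks TLS first
https_port $HTTPS_PORT intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=$CA_PEM key=$CA_PEM

sslcrtd_program $SSL_CRTD -s $SSL_DB -M 4MB
sslcrtd_children 5

# Leave selected sites unbumped. Note: on intercepted traffic the only thing
# squid knows before the bump is the destination IP, so a dstdomain match here
# depends on reverse DNS of that IP; a dst ACL with the site's addresses is
# more reliable.
acl nobump dstdomain .absa.co.za
ssl_bump none nobump
# server-first fetches the origin certificate before answering the client, so
# the generated certificate can mirror the real one's subject.
ssl_bump server-first all
EOF
}

# 3. The NAT redirects: 80 to the http_port, 443 to the https_port.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $HTTP_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 443 -j REDIRECT --to-port $HTTPS_PORT
EOF
}

case "${1:-}" in
    ca)   gen_ca ;;            # run once, as root
    conf) squid_conf ;;        # paste into squid.conf
    nat)  nat_rules ;;         # run as root
    *)    echo "usage: $0 ca|conf|nat" >&2 ;;
esac
```

Usage: run "sh bump.sh ca" once to create the CA and initialise the ssl_crtd cache, install squidCA.der on each device as a trusted root, merge the output of "sh bump.sh conf" into squid.conf, then apply the rules printed by "sh bump.sh nat". Keep the CA key readable only by root and the squid user: anyone holding it can transparently intercept every student's HTTPS session, which is exactly the capability this setup grants.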