You might want to look at http://bugs.squid-cache.org/show_bug.cgi?id=2976.
There was a quick-fix which caused even more problems. This is a hard-coded
value that causes all requests to be forcibly written to "http", even for
"https". You can reverse it via this patch
http://bugs.squid-cache.org/attachment.cgi?id=2375. It should work. The pain
was all mine to debug it ;)

-talha

On Tue, Apr 24, 2012 at 3:03 PM, Neil <nwilson123@xxxxxxxxx> wrote:
> Hi guys and girls,
>
> I've been trying to set up a "transparent" (from the user's side) SSL
> interception proxy. I realise this isn't advised as it breaks SSL and
> voids any user privacy etc., but this is for a school that needs to be able
> to monitor and control social networking access for students and we've been
> asked to come up with a solution.
>
> The students bring in their own devices (iPads/tablets etc.) and these get
> assigned an IP via DHCP; port 443 and port 80 are then redirected (using
> iptables) to squid.
>
> I'm using squid (3.1.19) with --enable-ssl and --enable-icap-client as well
> as all the usual options. My transparent HTTP proxying works perfectly, so
> it's only the SSL side that doesn't work the way I've envisaged it would,
> e.g. the proxy intercepts all SSL traffic and acts as the user's PC would
> normally, and any certificate errors are hidden from the user's device,
> because certain apps (apple.com etc.) don't allow the users to accept
> certificate warnings.
>
> These are the relevant options from my squid.conf:
>
> http_port 192.168.0.1:8080 intercept ssl-bump
> cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.pem
> https_port 192.168.0.1:8081 intercept
> cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.pem
>
> always_direct allow all
>
> acl broken_sites dstdomain .absa.co.za
> ssl_bump deny broken_sites
> ssl_bump allow all
>
> # ignore errors with certain sites (very dangerous!)
> acl TrustedName url_regex ^https://ib.absa.co.za/
> sslproxy_cert_error allow TrustedName
> sslproxy_cert_error deny all
>
> # ignore certain certificate errors (very dangerous!)
> acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow BadSite
> sslproxy_cert_error deny all
>
> The above might have word wrapped a bit.
>
> I've tried varying options like redirecting port 443 to my http_port and
> using "transparent" instead of "intercept", using "ssl-bump" on both the
> http_port and https_port, as well as a whole ton of other options, but
> nothing seems to make much of a difference. The best I can do is get https
> facebook to work transparently, but then I have major problems with most
> other SSL sites: the banking sites either complain about "redirecting in a
> way that will never finish" or they direct to another page, which I'm
> guessing means the remote webserver picks up some kind of SSL error and
> doesn't allow you to get in. As you can see in my config, I've tried to
> force "absa.co.za" to work no matter what happens, but the ACLs haven't
> made any difference.
>
> Please could anyone provide me with some guidance, I seem to be going round
> in circles here.
>
> Thank you.
>
> Regards.
> Neil Wilson.

--
Regards,
-Ahmed Talha Khan
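An added example, not part of the thread and not Squid's own code: a small Python linter for the sslproxy_cert_error rules in the squid.conf fragment quoted above. It reproduces Squid's first-match evaluation of access lists, which is why the rule order matters here: once an unconditional "deny all" has been reached, every later sslproxy_cert_error line is dead, so the BadSite bypass in the quoted config can never fire. It also flags which kind of bypass each reachable "allow" grants, since an ssl_error ACL ignores that certificate error for every site rather than one. The sample configs are constructed from the quoted lines; the second one, with the middle "deny all" removed, is a hypothetical reordering used only to show what the global bypass would look like.

```python
"""Linter for Squid sslproxy_cert_error rules (added example, not Squid code).

Assumptions: Squid evaluates access-list directives top to bottom and stops
at the first matching rule, and "all" is the built-in match-everything ACL.
"""

# Constructed sample: the relevant lines from the squid.conf quoted in the thread.
SAMPLE_CONF = """
http_port 192.168.0.1:8080 intercept ssl-bump cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.pem
https_port 192.168.0.1:8081 intercept cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.pem
always_direct allow all
acl broken_sites dstdomain .absa.co.za
ssl_bump deny broken_sites
ssl_bump allow all
# ignore errors with certain sites (very dangerous!)
acl TrustedName url_regex ^https://ib.absa.co.za/
sslproxy_cert_error allow TrustedName
sslproxy_cert_error deny all
# ignore certain certificate errors (very dangerous!)
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all
"""

# Constructed, hypothetical reordering: the first "deny all" removed so that
# the BadSite rule becomes reachable.
REORDERED_CONF = SAMPLE_CONF.replace(
    "sslproxy_cert_error allow TrustedName\nsslproxy_cert_error deny all\n",
    "sslproxy_cert_error allow TrustedName\n", 1)

ACCESS_DIRECTIVES = ("sslproxy_cert_error", "ssl_bump", "http_access")


def parse_conf(text):
    """Return (acls, rules).

    acls: ACL name -> (acl type, argument list)
    rules: ordered list of (directive, action, acl names) for access-list
           style directives, comments and blank lines skipped.
    """
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls[parts[1]] = (parts[2], parts[3:])
        elif parts[0] in ACCESS_DIRECTIVES and len(parts) >= 3:
            rules.append((parts[0], parts[1], parts[2:]))
    return acls, rules


def audit_cert_error_rules(text):
    """Walk sslproxy_cert_error rules in order and return a list of findings.

    Finding kinds:
      ("unreachable", action, acl_names)   rule sits after an unconditional rule
      ("global_error_bypass", acl, args)   allow keyed on an ssl_error ACL: that
                                           certificate error is ignored for all sites
      ("site_error_bypass", acl, args)     allow keyed on a url_regex ACL: every
                                           certificate error ignored for those URLs
      ("undefined_acl", acl, [])           rule references an ACL never declared
    """
    findings = []
    acls, rules = parse_conf(text)
    terminated = False  # set once a rule matches every request (first-match wins)
    for directive, action, names in rules:
        if directive != "sslproxy_cert_error":
            continue
        if terminated:
            findings.append(("unreachable", action, names))
            continue
        if names == ["all"]:
            terminated = True
            continue
        for name in names:
            acl_type, args = acls.get(name, (None, []))
            if acl_type is None:
                findings.append(("undefined_acl", name, []))
            elif action == "allow" and acl_type == "ssl_error":
                findings.append(("global_error_bypass", name, args))
            elif action == "allow" and acl_type == "url_regex":
                findings.append(("site_error_bypass", name, args))
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("reordered", REORDERED_CONF)):
        print(f"== {label} ==")
        for kind, who, detail in audit_cert_error_rules(conf):
            print(f"{kind:22} {who:12} {' '.join(detail)}")
```

Run as posted, the linter reports the TrustedName allow as a per-site bypass and marks both lines after the first "deny all" as unreachable, which is consistent with the ACLs "not making any difference" in the thread. With the first "deny all" removed, the BadSite allow surfaces as a global bypass of SQUID_X509_V_ERR_DOMAIN_MISMATCH, the finding a reviewer would want to see before such a rule goes live.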