
Re: how to configure squid3 transparent web proxy ssl/https? how to block sites using ssl

On 31/08/2013 4:15 p.m., junio wrote:
> staff finished compiling the squid version 3.1 on debian Wheezy with ssl
> support (--enable-ssl --enable-ssl-crtd ...), with the main aim of blocking
> sites that use this type of connection, but I do not have the slightest idea of
> how to start the configuration. I have several questions. The first one is
> whether I have to redirect traffic from port 443 to port 3128 with iptables, or
> is that not necessary?

That is the part which is called interception. So yes it is required. Although you should *not* be using port 3128 - that is a "well-known" port for forward-proxy traffic.

This configuration (http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat) and all the disclaimers, warnings, troubleshooting still apply.
The differences are:
 * port 443 instead of port 80
 * Squid https_port directive instead of http_port

Also, you need the "ssl-bump" option on the https_port line and ssl_bump directive determining which traffic can be bumped. That should be adequately defined in http://www.squid-cache.org/Doc/config/ssl_bump/.

That should get you intercepting HTTPS traffic on port 443 - but with popups. I'm not too clear myself on how to configure the dynamic certificate generator which is necessary to avoid those.

> The second doubt is: what is the syntax of the new acls, e.g. acl
> ssl_bump and others? I would greatly appreciate it if you guys could send me an
> example of the configuration file.

ssl_bump is not an ACL. It is an access control directive ("ACD" if you want to abbreviate).

The syntax for defining all ACLs and access control directives is documented in http://www.squid-cache.org/Doc/config/acl/ and http://wiki.squid-cache.org/SquidFaq/SquidAcl

Amos
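
Added example, not part of the original message or of the Squid project: a small checker that tests a squid.conf for the three points made in the reply above (https_port rather than http_port, a port other than 3128, and the ssl-bump option together with an ssl_bump directive). The sample configurations, the port 3129 and the certificate path are constructed assumptions; the ssl_bump action keyword differs between Squid versions, so take it from the ssl_bump documentation page linked in the reply.

```python
FORWARD_PROXY_PORT = 3128  # the "well-known" forward-proxy port named in the reply


def _port_of(listen):
    """Extract the port from Squid's [ip:]port form (IPv6 hosts are bracketed)."""
    tail = listen.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def check_intercept_config(text):
    """Return a list of findings for an HTTPS-interception squid.conf."""
    https_ports, has_ssl_bump_directive = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comment lines
            continue
        directive, *args = line.split()
        if directive == "https_port" and args:
            https_ports.append((_port_of(args[0]), set(args[1:])))
        elif directive == "ssl_bump":
            has_ssl_bump_directive = True

    findings = []
    if not https_ports:
        findings.append("no https_port line; the reply calls for https_port, not http_port")
    for port, opts in https_ports:
        if port == FORWARD_PROXY_PORT:
            findings.append("https_port uses 3128, the forward-proxy port")
        if "ssl-bump" not in opts:
            findings.append(f"https_port {port} lacks the ssl-bump option")
    if not has_ssl_bump_directive:
        findings.append("no ssl_bump directive selecting which traffic is bumped")
    return findings


# Constructed samples, not taken from the thread.
BAD = """\
http_port 3128
https_port 3128 intercept cert=/etc/squid3/proxy.pem
"""
GOOD = """\
http_port 3128
https_port 3129 intercept ssl-bump cert=/etc/squid3/proxy.pem
ssl_bump allow all
"""

if __name__ == "__main__":
    for name, conf in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_intercept_config(conf) or "ok")
```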



