I think "Blocking HTTPS-based sites" needs to be added to the FAQ:

Blocking HTTP is easy because the HTTP protocol has well-defined response codes to do this. HTTPS actually is SSL-wrapped HTTP, and SSL does not allow any kind of interference, redirection or manipulation and cannot be blocked like HTTP is blocked.

You might say "but we have sslbump!" Sslbump is a man-in-the-middle attack which can be masqueraded by adding a fake root certificate to all browsers. The downside is that the HTTPS sites are not secure any more, since the Squid administrator has access to the decrypted content when Sslbump is enabled. So SSL has a benefit and a security issue. It is up to you to decide whether Sslbump is appropriate for your environment or not. Sslbump in Squid 3.2 breaks Skype and other protocols using port 443, but I do not know for sure if this is still the case for version 3.3 or 3.4.

Having said all this, HTTPS *can* be blocked, but not as elegantly as HTTP can be blocked. When an HTTPS URL is redirected or the network connection between the browser and Squid is terminated, the URL is effectively blocked and the end user gets a vague message in the browser like "cannot connect to server/proxy".

ufdbGuard, an alternative for squidGuard, by default redirects a blocked HTTPS URL to https://blockedhttps.urlfilterdb.com, which has a valid SSL certificate and therefore normally gives a slightly more comprehensible "I do not trust the SSL certificate" error message in the browser of the end user. The fact that the new URL is "blockedhttps.urlfilterdb.com" is a hint to the end user what is going on. If the end user ignores the SSL certificate warning, the end user will see a readable "Forbidden" message.

Note that the issue with blocking HTTPS-based sites is true for _all_ web proxies, simply because SSL does not allow redirects.

Marcus

On 10/18/2013 05:20 PM, Derek Pinkston wrote:
Maybe someone can answer this for me so I can definitively determine if Squid is still right for us. We have used squid and squidGuard for years to block sites for parts of our company and restrict total access for other parts. However, now that more and more sites are using https by default, the users who should not be surfing the internet are surfing through https... I thought that the newest versions of squid would easily remedy this, but so far that does not seem to be the case. Can squid+squidGuard monitor and block https traffic without having to install certs on individual computers/browsers? I want this to be as un-intrusive as our previous setup was. I thought I read it was possible, but I'm having an impossible time finding an article or wiki or anything that will tell you exactly how to accomplish this. Can anyone please help or suggest something that may work for my situation?
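As an added illustration of the "terminate the connection" style of HTTPS blocking that Marcus describes (this is not configuration posted in the thread, nor ufdbGuard's or Squid's own example config), the following squid.conf fragment blocks HTTPS sites without ssl_bump and without installing any certificate on client machines. It assumes browsers are configured to use Squid as an explicit proxy, so every HTTPS session starts with a "CONNECT host:443" request that Squid can see; the domain names and the 10.0.0.0/8 client network are constructed placeholders.

```conf
# Added example squid.conf fragment (not from the thread). Blocks HTTPS
# sites by refusing the CONNECT tunnel; no SSL bumping, no client certs.

# Without ssl_bump, Squid never sees the URL inside an HTTPS session. The
# only thing visible is the target hostname in the CONNECT request, so
# blocking is by destination domain, not by full URL.
acl CONNECT method CONNECT
acl SSL_ports port 443
acl localnet src 10.0.0.0/8                      # constructed client network
acl blocked_https dstdomain .example.com .example.net   # constructed placeholders

# Deny the tunnel before it is established. Squid answers the CONNECT with
# an error instead of opening the tunnel, and the browser shows its generic
# "cannot connect to proxy/server" page. A deny_info redirect URL does not
# produce a nicer page here, because (as the thread notes) an SSL session
# cannot be redirected: browsers do not follow a redirect given in answer
# to CONNECT.
http_access deny CONNECT blocked_https

# Ordinary rules for the remaining traffic (order matters: denies first).
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Because only the hostname is visible, blocking by path (for example one section of a large site) is not possible this way; that is the trade-off Marcus describes between leaving SSL intact and using Sslbump.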