
Re: newbie: squid does not block https sites on blacklist

On 2013-11-21 12:07, info wrote:
I'm running centos6 server 64 bit with squid 3.3 as a transparent
proxy server and I'm using a blacklist.

Your problem starts with the word "transparent".

* CONNECT is a client->proxy request method. It is not supposed to ever be sent over port 443.

* traffic over port 443 is encrypted from the first bytes onward. Including any HTTP domain name details. All Squid has is the IP address and port the client was connecting to.


I installed squid from the
tarball with '--enable ssl' and the program starts fine.
The blacklist is working for http sites but not for https sites. The
relevant lines I have in squid.conf are:

acl squid-gambling dstdomain -i "/etc/squid/blacklists/squid-gambling.acl"
acl SSL_ports port 443
http_access deny squid-gambling
http_access deny CONNECT !SSL_ports

is there a way to verify whether the ssl portion of squid is actually working?

Yes. Set up a normal http_port line and configure your browser to use the proxy explicitly on that port.

if my config is wrong, can anyone show me the correct method? I've
searched on google for ages but can't find a solution.

HTTPS (port 443) is designed to be encrypted end-to-end with *no* proxy middleware supported along the way. There is no correct way to proxy it. The closest action to "correct" is to firewall it by destination IP.

If it is legal for your location and you are willing to go the distance there are MITM possibilities on a lot (but not all) of HTTPS traffic using the ssl-bump feature of Squid.

Amos
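The check Amos suggests, as an added example that is not part of the thread or of Squid itself: a small Python script that emulates Squid's dstdomain matching, sends explicit CONNECT requests to an http_port, and compares what the proxy answers (200 tunnel allowed, 403 denied) with what the blacklist should produce. The proxy address 127.0.0.1:3128 and the blacklist entries are constructed assumptions; the hostname lookup in dstdomain_match is an approximation of Squid's rule (a leading dot matches the domain and its subdomains, a bare entry matches exactly) and not Squid's own code. It also shows the point about interception directly: for an intercepted port-443 connection the only "destination" available is an IP address, which never matches a domain list.

```python
"""Added example (not from the squid-users thread or from Squid): verify a
dstdomain blacklist against HTTPS by sending explicit CONNECT requests to a
Squid http_port, and show why the same list cannot match intercepted port-443
traffic, where only the destination IP and port are known.

Assumptions (not from the page): proxy at 127.0.0.1:3128 and a constructed
blacklist of example domains.
"""
import socket

# Constructed blacklist in dstdomain style: a leading dot matches the domain
# and every subdomain; an entry without a leading dot matches that name only.
BLACKLIST = [".casino.example", "bets.example"]


def dstdomain_match(blacklist, host):
    """Approximate Squid's dstdomain matching (case-insensitive, like -i)."""
    host = host.lower().rstrip(".")
    for entry in blacklist:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def build_connect_request(host, port=443):
    """CONNECT as a browser sends it to an explicit proxy (RFC 7231 4.3.6)."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "Proxy-Connection: keep-alive\r\n\r\n").encode("ascii")


def parse_status(raw):
    """Return the HTTP status code from the proxy's reply to CONNECT."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1])


def probe_connect(host, proxy=("127.0.0.1", 3128), timeout=5.0):
    """Send CONNECT via the explicit proxy; 200 = tunnel allowed, 403 = denied."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_connect_request(host))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_status(reply)


def verify_blacklist(blacklist, hosts, prober=probe_connect):
    """Map host -> (expected status from the ACL, status the proxy returned)."""
    results = {}
    for host in hosts:
        expected = 403 if dstdomain_match(blacklist, host) else 200
        results[host] = (expected, prober(host))
    return results


if __name__ == "__main__":
    # Intercepted port-443 traffic: Squid only sees the TCP destination, so
    # the "host" it could hand to dstdomain is an IP address and never matches.
    print("intercepted 203.0.113.10:443 matches blacklist:",
          dstdomain_match(BLACKLIST, "203.0.113.10"))
    # Explicit proxy: the browser names the host in CONNECT, so the ACL can act.
    try:
        checks = verify_blacklist(
            BLACKLIST, ["www.casino.example", "bets.example", "www.example.com"])
        for host, (want, got) in checks.items():
            print(f"{host}: expected {want}, proxy answered {got}")
    except OSError as exc:
        print("proxy not reachable at 127.0.0.1:3128:", exc)
```

Run it with a browser-style explicit http_port configured; a blacklisted host answered with 200 means the CONNECT reached the proxy but the deny rule did not fire, while an unlisted host answered with 403 usually means an ordering problem in http_access.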
