On Mon, Feb 6, 2017 at 11:39 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 6/02/2017 6:10 p.m., Varun Singh wrote:
>> Hi,
>> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
>> HTTP proxy server in transparent mode.
>> I wanted to know whether it can be configured to run as an HTTPS proxy
>> server without ssl-bump, i.e. without the 'man in the middle attack'
>> technique.
>
> The Ubuntu package of squid/squid3 can tunnel CONNECT requests. That is
> all. It has no support for anything more complicated.
>
>
>>
>> I read the documentation page of HTTPS support. It says that when a
>> browser comes across an HTTPS website, it opens a TCP tunnel through
>> Squid to the origin server using the CONNECT request method.
>> With this setting the server can filter URLs based on URL scheme, URL
>> path and query string. The payload is still encrypted.
>
> What documentation? It is wrong, or you are misunderstanding it. The URL
> path?query is definitely *not* available without decrypting.
>
> FWIW the squid wiki page on HTTPS documents all three of the
> installation types that are all called "HTTPS".
>
>
>> After that the documentation goes on to explain how we can use
>> SSL-bump to decrypt the payload.
>>
>> Now, I only want to set up a basic HTTPS proxy via CONNECT tunnel in which
>> you can only filter URL path and string. I am not looking to set up
>> SSL-bump but still want to set up Squid for HTTPS filtering. I'm not
>> able to find a good tutorial for that.
>> Every tutorial I have found points to setting up SSL-bump.
>
> Because the only way to access more than hostname/IP and port is to decrypt.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

Hi,
Please find my reply inline:

> What documentation? It is wrong, or you are misunderstanding it. The URL
> path?query is definitely *not* available without decrypting.
>

Correct, I misread it.

> Because the only way to access more than hostname/IP and port is to decrypt.

Okay. In that case I am okay with only being able to see hostname/IP and port.
But whenever I search for setting up HTTPS with Squid, I always come across SSL-bump.
Could you point me to a tutorial which performs just a basic HTTPS setup?

What I have tried so far is configuring Squid to listen on port 3129 to expect
HTTPS traffic. I did this by adding the following line to squid.conf:

https_port 3129

Once this was done, I redirected all the traffic coming to port 443 to port 3129
using iptables. This is because my clients connect to the proxy via VPN.
But this had no effect. After connecting clients to the proxy, when I try to
access an HTTPS website, the clients get no response and nothing shows in the
access.log file. The browser behaves as if it could not connect to the internet.

Please note that this setup works perfectly for HTTP requests. Only HTTPS
requests give problems.

FYI, by documentation I was referring to the link below:
http://wiki.squid-cache.org/Features/HTTPS

--
Regards,
Varun
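Added example, not from the thread or the Squid project: a minimal squid.conf for the "CONNECT tunnel only" setup Amos describes, where the proxy never decrypts and the only HTTPS policy it can apply is on the destination hostname/IP and port carried in the CONNECT request line. It is an explicit (browser-configured) proxy on port 3128; it uses no https_port and no ssl_bump, so it works with a Squid built without OpenSSL support. The client range and the blocked domain names are placeholders.

```conf
# Added example (not the thread's or Squid's own config): explicit proxy that
# tunnels HTTPS via CONNECT and filters only on hostname/IP and port.
# No https_port, no ssl_bump; payload stays end-to-end encrypted.

http_port 3128                          # browsers/VPN clients point here

acl localnet src 10.8.0.0/24            # assumption: VPN client subnet
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# dstdomain matches the host in the CONNECT request line, e.g.
# "CONNECT www.example.com:443 HTTP/1.1". That host and port are all
# the proxy sees; the URL path and query never reach it.
acl blocked_https dstdomain .example.com .example.net   # placeholder names

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports     # tunnels only to port 443
http_access deny CONNECT blocked_https  # hostname-based HTTPS block
http_access allow localnet
http_access deny all
```

With this, access.log records each HTTPS visit as a CONNECT line with the destination host:port only. The caveat that matters for the iptables setup described in the message: a transparently intercepted port-443 connection carries no CONNECT request at all, just raw TLS, so this config does not apply to intercepted traffic; reading even the hostname out of intercepted TLS (from the SNI) requires SSL-bump support in the Squid build, which is why every tutorial for the transparent case ends up there.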