On 23/08/17 05:17, David Salisbury wrote:
> I've got an install of Squid that I'm trying to get running as an HTTP
> and HTTPS proxy. I've got some Squid experience, but up to this point
> only using it as an HTTP proxy (transparent, in that case).
>
> I've gotten the HTTPS portion of the proxy working, if I run it in
> non-transparent mode; the HTTP portion is working as well. I've
> installed the appropriate CA cert on the client machine I'm testing
> with, and have pointed the browser of the client machine to the IP and
> port of the Squid proxy. Both HTTP and HTTPS work well, and I can
> successfully use Squid's ACL functions to whitelist and blacklist
> certain sites.

As they should. Good.

> BUT, my ultimate goal is transparent mode for the HTTP and HTTPS

:-( "transparent mode", aka interception, aka MITM attack is a feature
of last-resort for handling broken clients.

> proxying, and as soon as I put Squid in transparent mode and take off the
> proxy information of the browser, I start to get certificate errors on
> the HTTPS-based sites. HTTP proxying still works fine, but the HTTPS
> proxying breaks.
>
> Does anyone have any suggestions as to what to look for that may be
> causing that? I don't understand what could break just switching
> between non-transparent and transparent modes.

TLS/SSL is explicitly designed to break when being MITM'd. It is called
security. When used properly it *cannot* be MITM'd, sadly most web
traffic does not use it that way.

Are you using SSL-Bump functionality?
If not, that is your problem. If you are, what is your config?

Amos
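
An example squid.conf showing SSL-Bump on an explicit port beside the intercept ports discussed in the thread above, added here and not taken from either poster's configuration. It assumes Squid 3.5 directive names; the port numbers, certificate path and helper path are placeholders.

```conf
# --- Explicit (non-transparent) mode ---
# Browsers are configured with the proxy IP and this port and send
# "CONNECT host:443", so Squid learns the server name from the request.
http_port 3128 ssl-bump cert=/etc/squid/ssl/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# --- Interception ("transparent") mode ---
# Port-80 traffic redirected by NAT on the Squid host arrives here.
http_port 3129 intercept

# Port-443 traffic redirected by NAT must arrive on an https_port,
# because it starts with a TLS ClientHello, not an HTTP request.
# ssl-bump on THIS port is what lets Squid answer with a certificate
# signed by the CA the clients already trust.
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that generates the per-host certificates
# (named ssl_crtd in 3.5, security_file_certgen from Squid 4;
#  the install path varies by distribution).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Intercepted connections carry no CONNECT line, only a destination IP.
# Peeking at the ClientHello first gives Squid the SNI, so the generated
# certificate names the host the browser asked for rather than an IP.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

The output of `squid -k parse` and the `http_port`, `https_port` and `ssl_bump` lines are the parts of a configuration that answer the question asked in the reply.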