On 27/11/17 21:20, Stegner, Martin wrote:
Hi everyone,
I’ve set up a Squid as a transparent child-proxy. Every request is
redirected to another Squid with the content filtering add-on
e2guardian. I encounter the problem that the transparent child Squid
only forwards IP addresses to the e2guardian when HTTPS is used and so
e2guardian can't filter anything because it can only filter by URL.
A good demonstration of why calling a URL-rewrite helper a "content
filter" is completely wrong.
Real content filters receive the actual content and can filter it. ICAP
and eCAP exist for that and get passed the decrypted HTTPS messages (if
any).
Here are some parts of the config:
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/cert/squid.pem
ssl_bump splice all (if I use any other option than splice
nothing works for some reason)
Splice tells Squid to not decrypt. Thus no content access on those
transactions.
cache_peer 172.16.0.252 parent 8080 0 default no-query no-digest
Is there any possibility that the transparent child Squid forwards the
URL to the main Squid proxy?
It already is passing what it has. "The" URI of the message being
processed happens to be an authority-form URI. See
<https://tools.ietf.org/html/rfc7230#section-5.3.3>.
... and also:
* Squid requires a secure server connection to deliver decrypted content
to. So the cache_peer needs to have the 'ssl' option and be accepting
TLS proxy connections to receive anything other than the spliced traffic.
* The CONNECT message has to complete and the TLS inside it decrypted
before any URL with "https://" scheme is known. When bumping to do the
decrypt, the above criterion applies.
* HTTP/1.1 connections contain many pipelined requests. So there are
potentially many https:// URLs involved inside the crypto - it is not
possible to know in advance of decryption what those might be.
Amos
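As an added sketch (not the poster's config and not from Amos), the shape Amos describes in the bullets above: the child bumps instead of splicing so that https:// URLs exist at all, and the cache_peer carries the 'ssl' option and points at a listener that accepts TLS proxy connections. Directive names are Squid 3.5-era; the certificate paths, the helper path and the parent-side listener line are assumptions.

```conf
# --- Child (transparent) squid.conf: added sketch, not the original config ---
http_port  3130
http_port  3128 intercept
# Bumping needs per-site certificates minted from squid.pem, so clients on the
# LAN must trust that CA; splice would leave only CONNECT host:port visible.
https_port 3129 intercept ssl-bump cert=/etc/squid/cert/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# Certificate-generating helper (named ssl_crtd in 3.5; path assumed).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Peek at the TLS ClientHello first, then bump (decrypt) everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Decrypted HTTPS is relayed to the parent only over TLS: 'ssl' on the peer.
# The CA file that signs the parent's certificate is an assumed path.
cache_peer 172.16.0.252 parent 8080 0 default no-query no-digest ssl sslcafile=/etc/squid/cert/parent-ca.pem
never_direct allow all

# --- Parent side: whatever listens on 172.16.0.252:8080 must accept TLS proxy
# connections. For a Squid parent that is an https_port line (paths assumed):
# https_port 8080 cert=/etc/squid/cert/parent.pem key=/etc/squid/cert/parent.key
```

Spliced traffic still reaches the parent as plain CONNECT tunnels; only bumped transactions carry the https:// URLs that a URL-based filter can act on.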
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users