
I have a transparent proxy setup in Ubuntu 10.04.4 with firehol and tinyproxy that works fine for http but I can't get it to work for https.

Connecting to tinyproxy directly works fine as the following commands complete ok:

env  http_proxy=localhost:8888 curl  http://www.google.com
env https_proxy=localhost:8888 curl https://www.google.com

HTTP transparent proxying also works fine:

curl  http://www.google.com

but when accessing Google directly using HTTPS, the command just hangs:

curl  https://www.google.com

Here are the complete config files for firehol and tinyproxy. Note that I have no interest in using firehol for anything but transparent proxying.

firehol.conf:

transparent_proxy "80 443" 8888 proxy
interface any world
   client all accept
   server all accept

tinyproxy.conf (all defaults except upstream proxy):

User    nobody
Group   nogroup
Port    8888
Timeout 600
DefaultErrorFile  "/usr/share/tinyproxy/default.html"
StatFile          "/usr/share/tinyproxy/stats.html"
Logfile           "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile           "/var/run/tinyproxy/tinyproxy.pid"
MaxClients     100
MinSpareServers  5
MaxSpareServers 20
StartServers    10
MaxRequestsPerChild 0
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563
upstream corporate.fire.wall:8080
Stefan Farestam
  • Another option here is writing some code in Go to do the same. `NewSingleHostReverseProxy` in the stdlib does what you want, and you can always modify it if you want to proxy to multiple. – 1110101001 Jan 09 '23 at 01:40


As far as I can tell, tinyproxy simply does not support incoming HTTPS connections. It will permit you to access HTTPS sites by using the CONNECT method, but for that to be used, the browser/client must know that it is talking to a proxy server, and use the correct connection methods.

The ConnectPort directives simply define which ports it is permissible to make connections to.

The only FOSS product that supports transparently proxying HTTPS connections is Squid, and the support for that is relatively recent. It also introduces some pretty major security concerns, since a transparent HTTPS proxy has to perform a man-in-the-middle attack and decrypt the connection so that it knows what to connect to.

Zoredache
  • That makes sense. After investigating, it appears that you are correct and squid is the way to go. There is no backport of 3.1 with ssl/https support available for Ubuntu 10.04 (lucid) so custom compile is required. I'll try this out. Thanks! – Stefan Farestam Nov 10 '12 at 19:42
  • With Squid version 3.5 it is now possible to use the "peek and splice" feature to implement an HTTPS proxy without doing man-in-the-middle (http://wiki.squid-cache.org/Features/SslPeekAndSplice). – Rafał Krypa Feb 14 '17 at 09:39
  • Transparent HTTPS is indeed not supported by Tinyproxy: https://github.com/tinyproxy/tinyproxy/issues/88 – Jean Monet Nov 03 '21 at 22:34
  • Wouldn't `mitmproxy` work as an https proxy solution? It's designed for this purpose. No matter what solution you use, you will have to add a custom cert to your root store. – 1110101001 Jan 08 '23 at 07:31
  • @1110101001 haven't tried that, but it seems likely that it could work. No idea if mitmproxy would have met the other requirements the OP might have had ~11 years ago. – Zoredache Jan 08 '23 at 07:57
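The distinction the answer draws (tinyproxy understands a CONNECT request line, but a connection that firehol redirects from port 443 delivers a raw TLS ClientHello instead) and the peek-and-splice approach mentioned in the comments can both be seen in the first bytes on the socket. The following Python is an added illustration, not code from tinyproxy, firehol or Squid: it tells an HTTP request line apart from a ClientHello and pulls the SNI host name out of the latter, which is what a peek-and-splice proxy uses to pick the origin server without decrypting anything. The ClientHello it parses is constructed inline.

```python
# Added example: what a proxy sees on a redirected port-443 connection
# versus an explicit CONNECT, and how SNI gives the destination without MITM.
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with a single server_name extension."""
    name = sni.encode("ascii")
    sni_list = b"\x00" + struct.pack(">H", len(name)) + name            # name_type 0 = host_name
    ext = struct.pack(">HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32                                 # client_version + random
            + b"\x00"                                                  # empty session id
            + b"\x00\x02\xc0\x2f"                                      # one cipher suite
            + b"\x01\x00"                                              # null compression only
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def sni_from_client_hello(data: bytes):
    """Return the SNI host name, or None if data is not a ClientHello carrying one."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                         # handshake record, ClientHello
            return None
        pos = 43                                # record hdr 5 + hs hdr 4 + version 2 + random 32
        pos += 1 + data[pos]                                           # session id
        pos += 2 + struct.unpack(">H", data[pos:pos + 2])[0]           # cipher suites
        pos += 1 + data[pos]                                           # compression methods
        end = pos + 2 + struct.unpack(">H", data[pos:pos + 2])[0]      # end of extensions block
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", data[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5 and data[pos + 2] == 0:        # server_name, host_name entry
                nlen = struct.unpack(">H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeError):                    # truncated or malformed input
        pass
    return None

def classify(data: bytes):
    """('tls', sni) for a ClientHello, ('http', method, target) for a request line, else ('unknown', None)."""
    sni = sni_from_client_hello(data)
    if sni is not None:
        return ("tls", sni)
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return ("http", parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"))
    return ("unknown", None)
```

A plain HTTP proxy that only knows how to parse the request line sees the 'tls' case as garbage and stalls, which is the hang the question describes.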