Redirect a HTTPS CONNECT using squid

Question

I have deployed squid 3.4.8. It's primary purpose is to redirect users to internal landing pages since no Internet access is permitted or enabled on this network. Instead of letting browsers time out, we want to notify users immediately. I have no problems redirecting HTTP to a landing page (stop.html). The squid proxy listens on 8888. The landing pages listen on 10.5.5.100:8000

How do I redirect all outbound HTTPS requests and redirect them to a landing page? My squid access.log shows the following error for an HTTPS request:

TCP_DENIED/302 321 CONNECT

The relevant squid.conf file is as follows:

acl internaltraffic dst 10.0.0.0/8  #internal traffic only
acl CONNECT method CONNECT
http_access deny CONNECT all
http_access allow internaltraffic
http_access allow localhost
deny_info http://10.5.5.100:8000/stop.html all
deny_info 302:http://10.5.5.100:8000/stop.html CONNECT
http_access deny all
http_port 8888

Answer 1

This probably won't work the way you think it does. You can't just redirect an HTTPS site - you need to "man-in-the-middle" it. This implies either installing a root cert on each system (and compromising their security somewhat so you can read the traffic), or your users getting a warning which they should not be being taught to ignore.

See http://wiki.squid-cache.org/Features/SslBump for specifics on how to do this. (But please don't do it).

In addition, unless you are configuring SQUID as a proxy, (ie you are not using a transparent proxy, which would seem to be the more logical solution), you will need your router to additionally intercept traffic on port 443 and redirect it to the squid server - you will find there is a similar rule for port 80 traffic.

Answer 2

Best way is to create error page on localhost where squid is installed and then edit hosts file to point domains you want to block to localhost.