4

I want to set up a transparent HTTP/HTTPS proxy to filter outbound requests based on destination hostname (domain). The proxy itself should be non-intrusive and just forward traffic, not decrypt/modify it. In case of HTTPS it should use the TLS SNI extension to extract the hostname without decryption.

Multiple clients will use the proxy to access multiple hosts, therefore the proxy should look up whether a given destination hostname is allowed for the client that made the request.

Is this possible with squid (preferably version 3.3.8)? If so, could you provide a simple example configuration on how to realize it? If not, can you recommend alternatives which are able to do so?

Additional information:

  • the server which should run the proxy is Ubuntu 14.04
  • traffic redirection is covered by another router to a fixed port of that server
  • the proxy should use DNS as usual to resolve the destination hostname when forwarding requests

Many thanks!

Cybran
  • Using SNI for this purpose would make it easy to bypass the filtering by using a client without SNI support. Filtering based on name in the certificate returned by the server would be a bit harder to bypass. Alternatively you could filter DNS queries rather than HTTP traffic. You could simply return a DNS response with an appropriate error message for unacceptable domains. – kasperd Dec 19 '15 at 15:30
  • I think this is a great question and should not have been closed. It is very clearly worded and the community will benefit from a solution – Raj Mar 02 '18 at 19:19

1 Answer

3

What you need is possible with squid starting at version 3.5, because you require the 'peek-and-splice' feature introduced in that version. The action you need is called "peek": http://wiki.squid-cache.org/Features/SslPeekAndSplice .

Use something like:

# intercept = transparent mode; an ssl-bump port refuses to start without a
# certificate, so cert= points at a placeholder path (replace with your own)
https_port 3130 intercept ssl-bump cert=/etc/squid/placeholder.pem
# peek at step 1 (client hello, SNI) and step 2 (server hello, certificate)
ssl_bump peek all
# then splice: tunnel the connection through without decrypting it
ssl_bump splice all

intercept makes the proxy transparent.

I am not sure about the third requirement (use of DNS names); squid seems to be really transparent in this mode. But it should extract SNI information if it is there.

You could use that information in ACL:

acl aclname ssl::server_name .foo.com ...
Nikita Kipriyanov
  • peek/splice will not work for this situation because it requires the HTTP CONNECT method on part of the client. This means the proxy is not transparent anymore. – Raj Mar 02 '18 at 19:20
  • You're simply wrong. See the linked Squid manual page, "Step 1" part "i" has two cases: one for explicit proxy, another for transparent interception proxy. In the latter case it internally creates structures in memory like it was explicit "CONNECT", but this doesn't mean the proxy is not transparent. Even you'll see they mention it as "fake CONNECT", which means that no CONNECT was used by the client. And there are countless references to intercepted connections (for truly transparent proxy). – Nikita Kipriyanov Mar 07 '18 at 10:50
  • Hi Nikita: Thanks for the comment. Can you point me to an article that shows how to do transparent Squid proxy for HTTPS without MITM? We tried. It didn't work. We had to resort to https://github.com/ac000/sprotly which breaks often. – Raj Mar 08 '18 at 18:11
  • If I correctly understood what you want, it's the same article. You only splice or stare, without bumping. See configuration example #1, "splice all". You'll be able to see SNI domain names at best (if SNI is being used by client), and it is impossible to deep inspect traffic. – Nikita Kipriyanov Mar 15 '18 at 10:02