5

I want to redirect all HTTP and HTTPS traffic to squid acting as a transparent proxy. This traffic will then be blocked or authorized (in bulk) during certain hours. Specifically, I do not want to decrypt/re-encrypt HTTPS traffic but push it through as is.

The HTTP part works: a REDIRECT rule in shorewall transfers all traffic intended for destination port 80 to the listening 3128 squid port in transparent mode.

The same trick for port 443 does not work.

There are tutorials on how to set up a transparent proxy for HTTPS traffic, but all the ones I found describe the creation of a certificate pair to decrypt/re-encrypt the traffic - something I do not want to do.

The squid wiki mentions CONNECT as a way to tunnel HTTPS traffic, but adding http_access allow CONNECT all to the configuration (and disabling the default deny) does not change anything.

Then some previous answers suggest that transparent HTTPS proxying is not possible without breaking the TLS tunnel.

Therefore: is there a way to configure squid so that HTTPS traffic rerouted to it via iptables is then transparently transferred, without any modification?

(I would just eventually block when some time rules are met (that is to say, the block is not going to be based on anything within the HTTPS stream itself).)

ivanleoncz
WoJ

2 Answers

4

but all the ones I found describe the creation of a certificate pair to decrypt/re-encrypt the traffic - something I do not want to do.

What you are asking for simply isn't possible because of how the https protocol works. Your options are:

  • Permit outgoing https through your firewall, and don't attempt to use any proxies
  • Configure clients to use your proxy/filter, and they will use HTTP CONNECT calls to the proxy.
  • Set up your proxy to be a man in the middle, and do sslbump.

I would just eventually block when some time rules are met

You can with the correct iptables modules filter based on the time of day. Perhaps you should just handle the time of day filtering in your firewall?

Zoredache
  • Thank you. I will probably go for the iptables version (its main drawback is that it is IP and not URL based, so more fiddling). I have a transparent HTTPS proxy at the office, which pushes the traffic without decrypting/re-encrypting it (no inspection), so it must be possible, at the firewall level, to do what I am looking for (the traffic would go through a filter as it crosses the fw; this is how it is done on Checkpoint for instance) - but I guess that this ability is not present with iptables/squid (and possibly some bridging) as there is no (obvious at least) information about that. – WoJ May 10 '16 at 08:17
  • Guess what: iptables is a firewall, so it should be able to do what your other firewall thing can do. Comparing squid to how a firewall does things is mad. Squid is an HTTP proxy. – Amos Jeffries Sep 28 '16 at 05:41
  • 1
    @AmosJeffries: thank you for your insightful comment. Please have a look at how a Checkpoint firewall does URL filtering (https://sc1.checkpoint.com/documents/R76/CP_R76_AppControl_WebAdmin/60902.htm#o60905). This is indeed mad. – WoJ Jan 07 '17 at 17:48
  • 1
    This squid.conf should allow HTTPS w/ CONNECT (to the specified ports): https://github.com/revsys/optimized-python-docker/blob/master/examples/squid.conf – Wes Turner Dec 03 '17 at 18:47
  • 2
    Does Peek and Splice accomplish this? https://wiki.squid-cache.org/Features/SslPeekAndSplice – Raj Feb 14 '18 at 19:45
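As an added example (not from the answer above, and not Squid or Shorewall code), this is what the "time of day filtering in your firewall" suggestion looks like with the iptables `time` match: forwarded HTTPS from the LAN is rejected during a nightly window, with no proxy involved. The interface name `eth1`, the window 22:00 to 06:00 and the chain name `HTTPS_CURFEW` are assumptions. `IPT` defaults to `echo iptables`, so the script prints the rules instead of applying them; run it as root with `IPT=iptables` to install them. Shorewall users would express the same match through the TIME column of the rules file rather than calling iptables directly.

```shell
#!/bin/sh
# Added example: time-of-day blocking of outbound HTTPS with the
# iptables "time" match (xt_time). Not code from the page.
# Assumptions: LAN interface eth1, block window 22:00-06:00 local time.
# IPT defaults to a dry run that only prints the rules.

IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"
START="${START:-22:00}"
STOP="${STOP:-06:00}"

# Emit (or apply) the rule set. The rules live in their own chain so
# they can be flushed or removed without touching the rest of FORWARD.
https_curfew_rules() {
    $IPT -N HTTPS_CURFEW 2>/dev/null
    $IPT -F HTTPS_CURFEW
    # --kerneltz evaluates the window in the kernel's timezone; without
    # it the time match compares against UTC, a common surprise.
    # When --timestop is earlier than --timestart the match covers both
    # START-23:59:59 and 00:00-STOP, i.e. the window spans midnight.
    # REJECT with a TCP reset so browsers fail fast instead of hanging.
    $IPT -A HTTPS_CURFEW -p tcp --dport 443 -m time --kerneltz \
        --timestart "$START" --timestop "$STOP" \
        -j REJECT --reject-with tcp-reset
    # Hook the chain into FORWARD for traffic arriving from the LAN.
    $IPT -I FORWARD -i "$LAN_IF" -j HTTPS_CURFEW
}

https_curfew_rules
```

Because this decides on ports and time only, it is independent of what is inside the TLS stream, which is exactly the constraint the question set; the trade-off the comments discuss (IP/port-based rather than URL-based) applies as well.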
1

Two steps:

  1. Install redsocks and configure it to redirect any TCP connection (an HTTPS connection is based on TCP) from its listen port to the HTTPS proxy port (HTTP/CONNECT, e.g. your squid http proxy port).
  2. Build iptables NAT rules and redirect all connections to the redsocks listen port you set above (you can find examples in the redsocks docs).

However, for UDP connections redsocks has poor performance; you could try ss-redir as an alternative (the TPROXY kernel module is needed).

傅继晗
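The two steps of this answer wired together, as an added example (not from the answer or from the redsocks and Squid projects): redsocks listens on the loopback interface and turns each redirected TCP connection into an HTTP CONNECT to Squid, so the TLS stream is tunnelled without being decrypted. Assumptions not stated on the page: Squid's http_port is 127.0.0.1:3128, redsocks listens on 127.0.0.1:12345, and the LAN interface is `eth1`. `IPT` defaults to `echo iptables` (dry run); run as root with `IPT=iptables` to apply the rules.

```shell
#!/bin/sh
# Added example: redsocks + iptables NAT redirection of HTTPS into
# Squid via CONNECT. Not code from the page, redsocks or Squid.
# Assumed values: Squid on 127.0.0.1:3128, redsocks on 127.0.0.1:12345,
# LAN interface eth1. IPT defaults to a dry run that prints the rules.

IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"
REDSOCKS_PORT="${REDSOCKS_PORT:-12345}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Step 1: the redsocks configuration. Write the output to
# /etc/redsocks.conf and restart redsocks. "http-connect" makes redsocks
# issue "CONNECT ip:port" to Squid for every redirected connection.
redsocks_config() {
    cat <<EOF
base {
    log_debug = off;
    log_info = on;
    log = "syslog:daemon";
    daemon = on;
    redirector = iptables;
}

redsocks {
    local_ip = 127.0.0.1;
    local_port = $REDSOCKS_PORT;
    ip = 127.0.0.1;
    port = $SQUID_PORT;
    type = http-connect;
}
EOF
}

# Step 2: NAT rules. Only traffic entering from the LAN is redirected;
# Squid's own upstream connections leave via OUTPUT and so never loop
# back into redsocks.
redsocks_nat_rules() {
    $IPT -t nat -N REDSOCKS 2>/dev/null
    $IPT -t nat -F REDSOCKS
    # Leave local, private and multicast destinations alone.
    for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
               172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
        $IPT -t nat -A REDSOCKS -d "$net" -j RETURN
    done
    # Everything else reaching this chain goes to the redsocks listener.
    $IPT -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports "$REDSOCKS_PORT"
    # Send LAN-originated HTTPS through the chain.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 -j REDSOCKS
}

redsocks_config
redsocks_nat_rules
```

Squid's stock configuration allows CONNECT to the `SSL_ports` ACL (port 443) from `localhost`, which is where the redsocks connections come from, so no `http_access allow CONNECT all` is needed. Because redsocks only knows the original destination IP, Squid logs and filters on `ip:443` rather than a hostname, which is the IP-versus-URL limitation discussed in the comments on the first answer.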