4

What I want to do:
My goal here is to cache data being transmitted over SSL with Squid - not just data transmitted over Http. Users should not be bothered with SSL certificate errors on every Https webpage they touch. Downloading data cached by other students needs to be seamless and painless.

Why I want to do it:
Please take a moment and consider the use case here before you all pummel me with reasons why this is 'against SSL' and all other sorts of atrocities I've read on so many other posts. This setup is intended to make Wifi usage much faster for a small school in a foreign country with internet that isn't very fast. While caching HTTP data is significantly speeding up internet use for the students, there is more and more traffic being sent over SSL that students need quicker access to. In short, it is no longer the case that only email and banking are transmitted over SSL - video content such as Youtube and even installation files are increasingly transmitted via SSL nowadays (e.g. install files for Android Studio, Arduino IDE, Wireshark, FileZilla, etc.).

What I have tried so far:
Set up Squid package 0.4.36_2 in pfSense 2.3.3-RELEASE-p1. Properly set up caching which works flawlessly on Http sites. Created CA in pfSense under 'System' --> 'Cert Manager' Installed SquidGuard using "Shalla's Blacklist" from http://www.shallalist.de, and Whitelisted traffic via all other sources.

  • At this point Everything was working properly - browsing from systems connected via Wifi without any fuss about certificates, and caching of Http data - but caching of HTTPS data would not work.
  • How can this be achieved?
Jaxian
  • 169
  • 3
  • 9
  • Would using the [`ssl-bump`](http://wiki.squid-cache.org/Features/SslBump) option for your _e.g._ [`http_port`](http://www.squid-cache.org/Doc/config/http_port/) directive help? – Castaglia Apr 09 '17 at 16:01

1 Answers1

2

If the thing you are trying to accomplish would be possible without extra effort from clients' part, then SSL would be useless.

One of the most important aspects of SSL is that it guarantees that the endpoint of the connection is really the endpoint the client is trying to connect to. The certificate system guarantees this.

So, if you want to have a transparent SSL proxy implemented with Squid, you need to issue a self-signed certificate for it, and then distribute the certificate to your users so that they can add it to their browsers' trusted certificates list.

This is the only way to avoid the certificate warnings in your users' browsers.

You also need to make it clear to your users that the SSL icon in this case does not really mean that the connection is secure.

If one has the requirement to have a secure end-to-end connection, it makes caching in between impossible.

Tero Kilkanen
  • 36,796
  • 3
  • 41
  • 63