How do I use IPTABLES to create a HTTPS (443) passthrough around Squid?

6,885

You cannot transparently proxy HTTPS. When you transparently proxy, clients think they are talking to the remote server. With HTTPS, they will attempt to create an SSL connection, which will authenticate the remote host by comparing the remote certificate to the hostname. This won't work because your squid will not have the right certificate.

You can, however, proxy HTTPS connections, because clients that know how to proxy HTTPS will open a connection to your proxy and issue a CONNECT request, which basically tunnels the connection via the proxy.

The best thing for you to do is to block direct access to port 443 and tell your users that if they want to use HTTPS, they must configure their browser to use the proxy.
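One ruleset that matches the advice above, as an added example that is not part of the thread: plain HTTP from the LAN is redirected into Squid, while port 443 is either forwarded untouched (the "passthrough" the asker wants) or rejected so that browsers have to use the explicit proxy and CONNECT (the recommendation in the answer). The interface names, the 192.168.1.0/24 LAN and Squid's port 3128 are assumptions; run it with `IPT=echo` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original thread): iptables rules for a Linux box
# that is both default gateway and transparent Squid proxy for a LAN.
# Assumed values: Squid on 3128 in transparent mode, LAN 192.168.1.0/24 on
# eth0, upstream router also reached via eth0 (the asker's single-NIC box);
# set LAN_IF/WAN_IF differently for a two-NIC router.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
HTTPS_MODE="${HTTPS_MODE:-passthrough}"   # "passthrough" or "block"

apply_rules() {
    # Let reply packets of already-accepted flows through.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Plain HTTP from the LAN is silently redirected into Squid. This is the
    # only protocol transparent mode can handle; TLS would fail the client's
    # certificate check against the hostname.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    case "$HTTPS_MODE" in
    passthrough)
        # HTTPS is routed, not proxied: no NAT redirect, just forward it.
        $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 -j ACCEPT
        ;;
    block)
        # Refuse direct 443 so browsers must use the explicit proxy port.
        # A TCP reset gives the client an immediate error, not a hang.
        $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 \
            -j REJECT --reject-with tcp-reset
        ;;
    *)
        echo "unknown HTTPS_MODE: $HTTPS_MODE" >&2
        return 1
        ;;
    esac

    # Explicit-proxy clients talk to this host itself (INPUT, not FORWARD).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT

    # Everything else from the LAN is forwarded and masqueraded upstream.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

The REJECT rule sits before the catch-all FORWARD ACCEPT, so in block mode direct 443 is refused while proxied CONNECT traffic on 3128 still reaches Squid.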

Updated on September 17, 2022

Comments

  • atomicharri
    atomicharri almost 2 years

    I've got Ubuntu and Squid running on a machine acting as a transparent proxy and a default gateway for many PCs on my network, which means all internet-bound activity comes through the interface to be filtered before leaving for the router (192.168.1.1). HTTPS/SSL (443) does not work because packets on port 443 will come in and hit a wall, as I have no rules specified for it.

    How do I use iptables to create a passthrough for 443 connections?

    ----------------- EDIT -----------------------

    Managed to get HTTPS working after setting the proxy settings for SSL to point to the Squid box. However, if I were making a Linux router (which I sort of am), would it mean SSL would never work unless I have a proxy running? The IP address for the Linux box is 192.168.1.235 and I've set a test computer running WinXP to that as its default gateway. Surely there's a way to allow 443 SSL to "pass through" without even touching on the proxy?

    I'm also a tad confused as to why HTTPS is working at all... I haven't got any sort of routes or anything in the iptables that deal with 443. Any light shed on this would be greatly appreciated!

  • atomicharri
    atomicharri over 14 years
    Nope! I only have eth0 set up, as the box only has a single Ethernet connection. How do I set up the accept chain?
  • Sam Halicke
    Sam Halicke over 14 years
    See David's comment below. I completely forgot about what he mentions.
  • Sam Halicke
    Sam Halicke over 14 years
    +1 for being completely correct.
  • Big McLargeHuge
    Big McLargeHuge about 11 years
    How do you "block direct access to port 443"? And how do you unblock it then if the user configures their browser to use the proxy?