Transparent HTTP/HTTPS domain filtering proxy
What you need is possible with squid starting at version 3.5, because you require the feature 'peek-and-splice' introduced in that version. Your action is called "peek": http://wiki.squid-cache.org/Features/SslPeekAndSplice .
Use something like:
https_port 3130 intercept ssl-bump
ssl_bump peek all
ssl_bump splice all
intercept makes the proxy transparent.
I am not sure about the third requirement (use of DNS names); squid seems to be really transparent in this mode. But it should extract SNI information if it is there.
You could use that information in ACL:
acl aclname ssl::server_name .foo.com ...
Cybran, updated on September 18, 2022
Comments
-
Cybran over 1 year
I want to set up a transparent HTTP/HTTPS proxy to filter outbound requests based on destination hostname (domain). The proxy itself should be non-intrusive and just forward traffic, not decrypt/modify it. In case of HTTPS it should use the TLS SNI extension to extract the hostname without decryption.
Multiple clients will use the proxy to access multiple hosts, therefore the proxy should look up whether a given destination hostname is allowed for the client that made the request.
Is this possible with squid (preferably version 3.3.8)? If so, could you provide a simple example configuration on how to realize it? If not, can you recommend alternatives which are able to do so?
Additional information:
- server which should run the proxy is an Ubuntu 14.04
- traffic redirection is covered by another router to a fixed port of that server
- proxy should use DNS as usual to resolve the destination hostname when forwarding requests
Many thanks!
-
Raj about 6 years
peek/splice will not work for this situation because it requires the HTTP CONNECT method on the part of the client. This means the proxy is not transparent anymore.
-
Nikita Kipriyanov about 6 years
You're simply wrong. See the linked Squid manual page: "Step 1" part "i" has two cases, one for an explicit proxy, another for a transparent interception proxy. In the latter case it internally creates structures in memory as if it were an explicit "CONNECT", but this doesn't mean the proxy is not transparent. You'll even see they mention it as "fake CONNECT", which means that no CONNECT was used by the client. And there are countless references to intercepted connections (for a truly transparent proxy).
-
Raj about 6 years
Hi Nikita: Thanks for the comment. Can you point me to an article that shows how to do transparent Squid proxy for HTTPS without MITM? We tried. It didn't work. We had to resort to github.com/ac000/sprotly which breaks often.
-
Nikita Kipriyanov about 6 years
If I correctly understood what you want, it's the same article. You only splice or stare, without bumping. See configuration example #1, "splice all". You'll be able to see SNI domain names at best (if SNI is being used by the client), and it is impossible to deep-inspect traffic.
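Added example, not taken from the answer above, the comments, or the Squid project's own documentation: a squid.conf fragment for Squid 3.5+ that puts together the peek-and-splice directives from the answer with the per-client hostname check the question asks for, and that the comment exchange above is about (intercepted TLS, spliced rather than bumped, so nothing is decrypted). The client addresses, listening ports, domain names and the certificate path are placeholders I chose; the directive and ACL names (intercept, ssl-bump, at_step, ssl::server_name, dstdomain, ssl_bump peek/splice/terminate) are real Squid 3.5 syntax.

```conf
# Added example configuration (not the original answer's code).
# Intercepted HTTP and HTTPS, filtered by destination hostname per client.
# TLS is only peeked at and then spliced or terminated; it is never decrypted.

# The router redirects port 80 and 443 traffic here (ports are assumptions).
# ssl-bump still needs a certificate configured even when nothing is bumped;
# the path is a placeholder.
http_port  3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/placeholder.pem

# Client groups (placeholder addresses).
acl client_a src 192.0.2.10
acl client_b src 192.0.2.20
acl lan_clients src 192.0.2.0/24

# Allowed destinations per client. dstdomain matches the Host header of
# plain HTTP requests; ssl::server_name matches the SNI seen while peeking.
acl allowed_a_http dstdomain .example.com
acl allowed_a_tls  ssl::server_name .example.com
acl allowed_b_http dstdomain .example.com .example.net
acl allowed_b_tls  ssl::server_name .example.com .example.net

# The SNI is only known after the ClientHello has been read, i.e. from
# SslBump step 2 onward, so peek at step 1 and decide at step 2.
# Connections whose SNI is missing or not allowed are closed, not decrypted.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice client_a allowed_a_tls
ssl_bump splice client_b allowed_b_tls
ssl_bump terminate all

# http_access is consulted for the "fake CONNECT" of intercepted TLS too;
# let LAN clients through that gate so ssl_bump above makes the decision,
# and apply the per-client hostname policy to plain HTTP.
acl CONNECT method CONNECT
http_access allow CONNECT lan_clients
http_access allow client_a allowed_a_http
http_access allow client_b allowed_b_http
http_access deny all
```

Two things worth checking on a deployment: a client that sends no SNI (old software, or a deliberately blank ClientHello) falls through to "terminate all", which is the safe default but will show up as broken connections for that client; and the hostname in the SNI is client-supplied and not verified against the server's certificate by a splice-only setup, so the allow-list limits where clients may connect, not what the far end presents. Squid resolves the spliced destination through its normal DNS path, which is the third requirement from the question.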