Squid transparent proxy for https / ssl traffic
We use a transparent proxy when we want to avoid client-side proxy configuration or to force users' traffic through the proxy server.
Some of the key reasons for, and advantages of, using a transparent proxy are the following:
- Caching of web content and DNS lookups
- Access control to internet resources (who can access what)
- Client bandwidth control / proxy-level QoS
- Assisting with content filtering (e.g. SquidGuard)
- Maintaining client access logs for security compliance
- Protecting client machines from direct exposure to the Internet
Setting up a transparent proxy for http (clear web traffic with no encryption) is a simple job.
On the other hand, setting up a transparent proxy for https/ssl traffic is different: it includes setting up an SSL certificate. However, the browser will keep complaining, because it detects the transparent proxy for ssl traffic and considers it a man in the middle. So using a transparent proxy for ssl traffic might not be very practical. I would rather set up a proxy auto-configuration (PAC) file and deploy it through the web proxy auto-discovery protocol for my enterprise network.
In this blog I shall describe how to set up a transparent proxy in a few simple steps, both for ssl/https traffic and for http traffic.
Setting up a transparent proxy for http traffic using squid 2.6 on a linux box:
Before you start setting up a transparent proxy,
- Make sure your squid is running.
- Make sure the access list is configured to allow client machines to use this proxy server. The following lines can help you set up the access list, where 192.168.0.0/24 is your network address.
acl our_networks src 192.168.0.0/24 127.0.0.1
http_access allow our_networks
Setting up the transparent proxy
Assume you make your squid proxy server your network gateway; we will also redirect all http traffic coming to the gateway through the squid proxy. You can run a different gateway and re-route your https traffic through the proxy; however, we are not covering that in this blog.
Assume your gateway/proxy server address is 192.168.0.1 and the proxy server is running on port 80. To make it work you need to add the following lines to the squid configuration file, squid.conf.
For squid 2.6:
http_port 3128 transparent
For squid < 2.6:
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_host virtual
httpd_accel_uses_host_header on
Assume the linux box is the gateway and ip forwarding is on. If not, turn it on:
echo 1 > /proc/sys/net/ipv4/ip_forward
Then redirect all http traffic forwarded through the gateway on port 80 to port 3128:
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
Check the other firewall entries to make sure traffic is passing through properly.
Check from a client machine: your transparent proxy should be up and running for http traffic.
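The http procedure above, gathered into one shell script as an added example (this is not the post's own script): it renders the squid.conf lines and the iptables rules from a few variables, checks ip forwarding, and applies the rules idempotently when run as root. The interface name, the explicit `http_access deny all` line and the `-i`/`-s` restriction on the redirect rules are my additions; without that restriction, any host that can reach port 80 on the gateway's outside interface is redirected into squid as well, which is how a transparent proxy quietly turns into an open one.

```shell
#!/bin/sh
# Added example, not from the original post: build the squid.conf lines and the
# iptables REDIRECT rules for the transparent proxy, print them, and apply them
# only when apply_rules is called as root. Network, interface and the
# "http_access deny all" line are assumptions; ACL name and ports are the post's.

LAN_NET="${LAN_NET:-192.168.0.0/24}"   # client network (assumed, as in the post)
LAN_IF="${LAN_IF:-eth1}"               # interface facing the clients (assumed)
HTTP_PORT="${HTTP_PORT:-3128}"         # squid http_port (post's default)
HTTPS_PORT="${HTTPS_PORT:-3130}"       # squid https_port (post's choice)

# squid.conf lines: the post's ACL plus an explicit final deny, so hosts
# outside our_networks cannot use the box as an open proxy.
render_squid_conf() {
    net="$1"; port="$2"
    printf 'acl our_networks src %s 127.0.0.1\n' "$net"
    printf 'http_access allow our_networks\n'
    printf 'http_access deny all\n'
    printf 'http_port %s transparent\n' "$port"
}

# One nat PREROUTING rule. Unlike the post's port-80 rule, it is tied to the
# LAN interface and source network, so only client traffic is redirected;
# connections arriving on the Internet side of the gateway are left alone.
render_redirect_rule() {
    iface="$1"; net="$2"; dport="$3"; toport="$4"
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport %s -j REDIRECT --to-port %s\n' \
        "$iface" "$net" "$dport" "$toport"
}

# Exit 0 when the kernel forwards IPv4 (required for a gateway), 1 otherwise.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Run the rendered iptables commands; insert each rule only if it is not
# already present (iptables -C), so re-running the script never duplicates it.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
    for spec in "80 $HTTP_PORT" "443 $HTTPS_PORT"; do
        set -- $spec
        rule=$(render_redirect_rule "$LAN_IF" "$LAN_NET" "$1" "$2")
        check=$(printf '%s\n' "$rule" | sed 's/ -A / -C /')
        $check 2>/dev/null || $rule
    done
}

# Stand-alone run: show what would be written to squid.conf and applied.
echo "# append to squid.conf:"
render_squid_conf "$LAN_NET" "$HTTP_PORT"
echo "# nat rules:"
render_redirect_rule "$LAN_IF" "$LAN_NET" 80 "$HTTP_PORT"
render_redirect_rule "$LAN_IF" "$LAN_NET" 443 "$HTTPS_PORT"
forwarding_enabled && echo "# ip_forward is on" || echo "# ip_forward is off"
```

Running the script unprivileged only prints the configuration; call `apply_rules` from a root shell to install it. The `-C` check before each `-A` is what makes the script safe to run from a boot-time hook more than once.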
Setting up a transparent proxy for https traffic using squid:
As I mentioned, setting up a transparent proxy for https traffic requires the additional step of creating a certificate set.
Setting up squid as a transparent proxy, as in the earlier example, forwards all requests arriving on port 80 to the squid server's port (3128 by default). Port 80 is used for clear-text http traffic with no encryption; https/ssl usually uses port 443. For a transparent proxy over https we will forward port 443 traffic, using iptables, to a different squid port (in this case 3130) that is ready to handle the https transparent proxy. The default port 3128, which handles clear-text http traffic, cannot handle https traffic.
https establishes a secure connection over the network using a certificate and a public/private key pair. Here squid acts as a man in the middle: it exchanges a certificate with the client, and then exchanges certificates with the web server on behalf of the client. This goes on for the entire session. Once the proxy server has exchanged certificates with both the client and the web server, the traffic is passed through from client to server.
To make it work we follow three simple steps:
- Create the certificate set
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout proxy.example.com.key -out proxy.example.com.cert
- Enable the https proxy in squid on port 3130 by adding the following line.
https_port 192.168.0.250:3130 transparent cert=/path/proxy.example.com.cert key=/path/proxy.example.com.key
Change "cert=" and "key=" to point to the file set you just created.
- Redirect https traffic to squid's https proxy port
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3130
Your transparent proxy on squid for https/ssl is ready to go. However, remember that every time you open an https page, the browser will complain about the authenticity of the certificate it received from the proxy server. Even if the certificate is signed, it will not match the web server's dns name. This can be a drag for all end users.
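The certificate set that the https_port line needs, created and checked from the shell as an added example (these are not the post's own commands): it keeps key and certificate in separate files, uses 2048-bit RSA rather than the post's 1024 bits and adds a subjectAltName (current browsers ignore the CN), verifies that key and certificate belong together before squid is pointed at them, and shows why the browser warning described above is unavoidable: a client that trusts the proxy certificate accepts it for the proxy's own name and rejects it for the name of the site the user asked for. The directory, the CN and the listener address are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands: create the certificate set for
# squid's https_port, keep key and certificate in separate files, and check the
# pair before using it. Directory, CN and listener address are assumptions.

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
PROXY_CN="${PROXY_CN:-proxy.example.com}"
CERT="$CERT_DIR/$PROXY_CN.cert"
KEY="$CERT_DIR/$PROXY_CN.key"

# Self-signed certificate for the proxy. 2048-bit RSA instead of the post's
# 1024; -subj and -addext avoid interactive prompts and give the certificate a
# subjectAltName, which browsers require today; the key is readable by owner only.
make_cert_set() {
    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
        -subj "/CN=$PROXY_CN" -addext "subjectAltName=DNS:$PROXY_CN" \
        -keyout "$KEY" -out "$CERT" 2>/dev/null
    chmod 600 "$KEY"
}

# Exit 0 only if the private key really belongs to the certificate (same RSA
# modulus); a mismatched pair makes squid refuse to start its https_port.
pair_matches() {
    k=$(openssl rsa -noout -modulus -in "$KEY" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$CERT" | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the CN the browser will see in the proxy's certificate.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$CERT" |
        sed -e 's/^subject= *//' -e 's/^CN=//'
}

# Exit 0 when a client that trusts our certificate would accept it for HOST.
# Even with the proxy certificate installed as trusted, it only matches its
# own name, never the name of the site the user actually requested.
accepted_for_host() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

# The squid.conf line from the post, filled in with the files created above.
render_https_port() {
    printf 'https_port %s:%s transparent cert=%s key=%s\n' "$1" "$2" "$CERT" "$KEY"
}

make_cert_set
pair_matches && echo "key and certificate match"
echo "certificate CN: $(cert_cn)"
accepted_for_host "$PROXY_CN" && echo "accepted for $PROXY_CN"
accepted_for_host www.example.org || echo "rejected for www.example.org (name mismatch)"
render_https_port 192.168.0.250 3130
```

The last two checks are the whole story of the browser warning: `accepted_for_host` succeeds for the proxy's own name and fails for any other site, so even a properly distributed proxy certificate cannot make an intercepted https page look legitimate to the client.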
You may look into an alternative way of enforcing proxy usage across the network, using the web proxy auto-discovery protocol.