Squid transparent proxy for https / ssl traffic


We use a transparent proxy when we want to avoid configuring a proxy on each client, or to force users' traffic through the proxy server.

Some of the key reasons for, and advantages of, using a transparent proxy are the following:

  • Caching of web content and DNS lookups
  • Access control to internet resources (who can access)
  • Client bandwidth control / proxy-level QoS
  • Assist with content filtering (like SquidGuard)
  • Maintaining client access log for security compliance
  • Protecting client machines from direct exposure to Internet

Setting up a transparent proxy for http (clear-text web traffic with no encryption) is a simple job.

On the other hand, setting up a transparent proxy for https/ssl traffic is different: it involves setting up an SSL certificate. However, the browser will keep complaining, because it detects the transparent proxy for ssl traffic and treats it as a man in the middle. So using a transparent proxy for ssl traffic might not be very practical. I would rather set up a proxy auto-configuration (PAC) file and deploy it through the web proxy auto-discovery protocol (WPAD) for my enterprise network.

In this post I shall describe how to set up a transparent proxy in a few simple steps, for both http and ssl/https traffic.

Setting up a transparent proxy for http traffic using squid 2.6 on a Linux box:

Before you start setting up a transparent proxy, make sure that:

  • Squid is running.
  • The access list allows client machines to use this proxy server. The following lines in your squid.conf file set up such an access list, where 192.168.0.0/24 is your network address.

acl our_networks src 192.168.0.0/24 127.0.0.1
http_access allow our_networks

Setting up the transparent proxy

We assume you make your squid proxy server your network gateway, and we will redirect all http traffic arriving at the gateway through the squid proxy. You can run a separate gateway and re-route your https traffic through the proxy, but we are not covering that in this post.

Assuming your gateway/proxy server address is 192.168.0.1 and the clients' web traffic arrives on port 80, you need to add the following line to the squid configuration file, squid.conf, to make it work.

For squid 2.6:

http_port 3128 transparent

For squid < 2.6:

httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_host virtual
httpd_accel_uses_host_header on

We also assume the Linux box is the gateway and IP forwarding is on. If it is not, turn it on:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then redirect all http traffic (port 80) forwarded through the gateway to port 3128:

iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128

Check your other firewall entries to make sure traffic is passing through properly.

Check from a client machine: your transparent proxy should now be up and running for http traffic.

Setting up a transparent proxy for https traffic using squid:

As I mentioned, setting up a transparent proxy for https traffic requires an additional step: creating a certificate set.

Setting up squid as a transparent proxy forwards all requests arriving on port 80 to the squid server's port, in the earlier example 3128 (the default). Port 80 is used for clear-text http traffic with no encryption; for https/ssl, port 443 is normally used. For a transparent proxy over https we will use iptables to forward port 443 traffic to a different squid port (in this case port 3130) that is set up to handle https transparently. The default port 3128, which handles clear-text http traffic, cannot handle https traffic.

An https connection establishes a secure channel over the network using certificates and public/private key pairs. Squid therefore has to act as a man in the middle: it exchanges certificates with the client, and once that is done it exchanges certificates with the web server on behalf of the client. This process continues for the entire session. Once the proxy server has completed the certificate exchange with both the client and the web server, traffic is passed through from client to server.

To make it work we shall follow three simple steps.

  • Create the certificate set. The key and the certificate must be written to two different files, because the https_port line below refers to them separately:

openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout proxy.example.com.key -out proxy.example.com.cert

  • Enable the https proxy in squid on port 3130 by adding the following line to your squid.conf file:

https_port 192.168.0.250:3130 transparent cert=/path/proxy.example.com.cert key=/path/proxy.example.com.key

You need to change “cert=” and “key=” to point to the files you just created, then reload squid.

  • Redirect https traffic to squid's https proxy port:

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3130
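The http procedure (acl plus port-80 redirect) and the https procedure (certificate files plus port-443 redirect) as an added shell script that is not part of the original post: it checks the values that are easy to mistype (an address with a doubled dot, a prefix such as /2 that is not a network address, a key and certificate written to the same file) and prints the squid.conf and iptables lines. The LAN, proxy address and certificate paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: build the squid.conf and
# iptables lines for the transparent HTTP/HTTPS setup after sanity-checking
# the inputs. Addresses and file paths below are assumptions.
set -u

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
}

# Return 0 if $1 is a CIDR network such as 192.168.0.0/24: prefix 0-32 and
# all host bits zero (192.168.0.0/2 looks like a prefix but is not a
# network address, so it is rejected).
valid_network() {
  case "$1" in */*) ;; *) return 1 ;; esac
  _ip=${1%/*}; _p=${1#*/}
  valid_ipv4 "$_ip" || return 1
  case "$_p" in ''|*[!0-9]*) return 1 ;; esac
  [ "$_p" -le 32 ] || return 1
  [ "$_p" -gt 0 ] || return 0
  _ifs=$IFS; IFS=.; set -- $_ip; IFS=$_ifs
  _addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  [ $(( _addr % (1 << (32 - _p)) )) -eq 0 ]
}

# Print the squid.conf lines for the LAN, proxy address, cert and key.
# Fails if cert and key are the same file (the openssl pitfall above).
squid_conf() {   # lan_cidr proxy_ip cert_file key_file
  valid_network "$1" && valid_ipv4 "$2" || return 1
  [ "$3" != "$4" ] || return 1
  printf 'acl our_networks src %s 127.0.0.1\n' "$1"
  printf 'http_access allow our_networks\n'
  printf 'http_port 3128 transparent\n'
  printf 'https_port %s:3130 transparent cert=%s key=%s\n' "$2" "$3" "$4"
}

# Print the nat rules that redirect LAN port 80/443 traffic to squid.
nat_rules() {    # lan_cidr
  valid_network "$1" || return 1
  printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 80 -j REDIRECT --to-port 3128\n' "$1"
  printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 443 -j REDIRECT --to-port 3130\n' "$1"
}

# Usage with constructed values (assumed LAN, gateway and file locations).
squid_conf 192.168.0.0/24 192.168.0.1 /etc/squid/proxy.example.com.cert /etc/squid/proxy.example.com.key
nat_rules 192.168.0.0/24
```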

Your transparent proxy on squid for https/ssl is ready to go. However, remember that every time you open an https page, the browser will complain about the authenticity of the certificate it received from the proxy server. Even if the certificate is signed, it will not match the web server's DNS name. This can be a drag for all end users.

You may look into an alternative way of enforcing proxy usage across the network using the web proxy auto-discovery protocol.

I do technology integration for living. I enjoy traveling and taking photos and listening to music.

Posted in Linux, Making things work
8 comments on “Squid transparent proxy for https / ssl traffic”
  1. […] Squid transparent proxy for https / ssl traffic « Open Source Open … Comments Off […]

  2. […] With option one (1) transparent proxy works well with http traffic (traffic without any encryption), however setting up transparent proxy can be troublesome. See the example of squid transparent proxy for https/ssl traffic. […]

  3. […] The best you can do is configure an http_port with transparency on the server. You'll need to create your own certificate to encrypt the connection. This will mean that when a user connects to gmail.com they will get YOUR certificate, and their browser will complain. When they go to facebook.com, they will get YOUR certificate and their browser will complain. It's a sucky solution. You should take pride in your work and get the requirements and limitations changed. This is not a good solution. As per this link, you can get it working, but it's crap compared to doing a proper job. http://tektab.com/2012/09/28/squid-t…s-ssl-traffic/ […]

  4. Steve Smith says:

    There is a bug in your code. In the line “openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 –keyout proxy.example.com.pem -out proxy.example.com.pem” you are specifying the same output file for the key and the cert. Also, you’ve used a “–” and not a “-“. Otherwise, very helpful.

  5. princelemen says:

    Is this applicable to squid 3.1?

  6. Squidblacklist.org is the world's leading publisher of native acl blacklists tailored specifically for Squid proxy, and alternative formats for all major third party plugins as well as many other filtering platforms, including SquidGuard, DansGuardian, and ufDBGuard, as well as pfSense and more.

    There is room for better blacklists, we intend to fill that gap.

    It would be our pleasure to serve you.

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org
