We use transparent proxy is when we want to avoid getting into client side proxy configuration or force the users traffic through proxy server.
Some of the key reasons/advantage of using a transparent proxy can be following
- Cashing of the web contents and DNS lookup
- Access control to internet resources (who can access)
- Client bandwidth control/ proxy level QOS
- Assist with content filtering (like SquidGuard)
- Maintaining client access log for security compliance
- Protecting client machines from direct exposure to Internet
Setting up a transparent proxy for http(clear web traffic with no encryption) is a simple job.
On the other hand setting up transparent proxy for https/ssl traffic is a different, this includes of setting up an SSL certificate. However the browser can keep complaining as it detect the transparent proxy for ssl traffic and consider it as a man in the middle. So using transparent proxy for ssl traffic might not be very practical. I would rather go with setting up proxy auto configuration file (PAC) file and deploy it through web proxy auto discovery protocol for my enterprise network
I shall describe how to setup transparent proxy using some simple steps both for ssl/https traffic as well as http traffic in this blog.
Setting up transparent proxy for http traffic using squid 2.6 on a linux box:
Before you start with setting up a transparent proxy,
Make sure your squid is running.
Access list is configured to allow client machines to use this proxy server. The following lines on your squid.conf file can help you setting up the access list where 192.168.0.0/24 is your network address.
acl our_networks src 192.168.0.0/24 127.0.0.1 http_access allow our_networks
Setting up transparent proxy
Assuming you make your squid proxy server as your network gateway. We also will redirect all http traffic coming to gateway through squid proxy. You can run different gateway and re-route your https traffic through the proxy however, we are not covering that in this blog.
Assuming your gateway/proxy server address is 192.168.0.1 and we are running proxy server on port 80. To make it work you need to add the following line in squid configuration file squid.conf.
For squid = 2.6
http_port 3128 transparent
For squid < 2.6
httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_host virtual httpd_accel_uses_host_header on
Assuming the linux box is the gateway and ip forwarding is on. If not turn it on
echo 1 > /proc/sys/net/ipv4/ip_forward
Then redirect all http traffic forwarded through the gateway using port 80 redirect them to port 3128.
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
Check other firewall entries to make sure traffic is passing through properly.
Check on the client machine, your transparent proxy should be up and running for http traffic.
Setting up transparent proxy for https traffic using squid:
As I mentioned settings up transparent proxy for https traffic requires an additional step of creating a certificate set.
Setting up squid as a transparent proxy forwards all request coming from port 80 to squid server’s port in the earlier example 3128 (default). Port 80 is used for clear text http traffic with no encryption. On the other hand for https/ssl protocol usually port 443 is used. For transparent proxy over https we will forward 443 traffic to a different squid port (in this case port 3130) using iptables, which is ready to handle https transparent proxy.The default port 3128 which can handle clear text http traffic cannot handle https traffic.
Because https connection establishes a secure connection over the network to do that it uses certificate and public key private key pairs. In this case squid shall act as a man in the middle, exchange certificate with the client. After the proxy server is done exchanging certificate with the client it will exchange certificate with the server on behalf of the client. This process will go on for the entire session. Once the proxy server is done exchanging the certificate with both client and the web server, the traffic shall be passed though from client to server.
To make it work we shall follow three simple steps
Create certificate sets
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 –keyout proxy.example.com.pem -out proxy.example.com.pem
Enable https proxy in squid on port 3130, by adding the following line to your squid.conf file.
https_port 192.168.0..250:3130 transparent cert=/path/proxy.example.com.cert key=/path/proxy.example.com.key
You need to change the “cert=” and the “key=” to point to the correct file set you just created.
- Redirect https traffic to squids https proxy port
iptables -t nat -A PREROUTING -s 192.168.0.0/2 -p tcp --dport 443 -j REDIRECT --to-port 3130
Your transparent proxy on squid for https/ssl is ready to go. However remember every time you open up and https page, the browser will complain about the authenticity of the certificate it received from the proxy server. Even if the certificate is signed, it will not match the web servers dns name. this can be drag all end users.
You may look into an alternative way of enforcing proxy usage all across the network using web proxy auto discovery protocol.
11 thoughts on “Squid transparent proxy for https / ssl traffic”
There is a bug in your code. In the line “openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 –keyout proxy.example.com.pem -out proxy.example.com.pem” you are specifying the same output file for the key and the cert. Also, you’ve used a “–” and not a “-“. Otherwise, very helpful.
Is this applicable to squid 3.1?
i have not tested
Squidblacklist.org is the worlds leading publisher of native acl
blacklists tailored specifically for Squid proxy, and alternative formats for all major third party plugins as well as
many other filtering platforms. Including SquidGuard, DansGuardian, and ufDBGuard, as well as pfSense and more.
There is room for better blacklists, we intend to fill that gap.
It would be our pleasure to serve you.
Benjamin E. Nichols
Title: Configure Squid as HTTP and HTTPS transparent proxy.
Issue Description: I have install and configured squid3.3.4 in debain machine. To enable squid as HTTPS transparent proxy I have used public signed certificate(from Godaddy) and configured the same in squid.conf file. Once the configuration done I have tried to start the squid but while starting the squid I am getting the following error.
Error: Squid Cache (Version 3.3.4): Terminated abnormally.
CPU Usage: 0.020 seconds = 0.000 user + 0.020 sys
Maximum Resident Size: 22416 KB
Page faults with physical i/o: 3
Note: The public signed certificate (pem and file) has been converted from tomcat java keystore(certificate) file.
Squid version: 3.3.4
Kindly help me to solve this issue.
Here is my squid.conf configuration.
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl ftp proto FTP
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl connect method CONNECT
acl blockfiles urlpath_regex “/etc/squid3/block.files.acl”
http_access deny blockfiles
acl SSL_ports port 443
acl SSL_ports port 22
acl SSL_ports port 21 8443
acl SSL_ports port 8834 8100
acl SSL_ports port 7004
acl SSL_ports port 6667
acl SSL_ports port 1863
acl SSL_ports port 5050
acl SSL_ports port 1863
acl SSL_ports port 8001 8002 23 25 119 5100 80 1935
acl Safe_ports port 80
acl Safe_ports port 81
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 8834
acl Safe_ports port 777
#acl YIM_ports port 5050
#acl YIM_ports port 80
#acl YIM_ports port 23
acl CONNECT method CONNECT
acl HTTPS method CONNECT
follow_x_forwarded_for allow all
#http_access allow manager localhost
#http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow ftp
#http_access allow ldapauth
http_access allow localnet
# Download Limit Size.
# reply_body_max_size 5000 MB all
reply_body_max_size 1024 MB
# Proxy Port Configuration
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/cert/squidtrans.pem key=/etc/squid3/cert/squidtrans.key
ssl_bump server-first all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
maximum_object_size_in_memory 50 KB
# Cache Size Limit.
# cache_dir ufs /var/spool/squid3 1000 16 256
cache_dir ufs /var/spool/squid3 1024 16 256
minimum_object_size 8000 KB
maximum_object_size 500000 KB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
deny_info ERR_BLOCKED_FILES blockfiles
# dns_nameservers 184.108.40.206
http_access deny all
I fail to see how this is transparent https proxy if the proxy decrypts/re-encrypts the communications. Is there no way of making this purely transparent just for logging purposes?
For that you would need LI technology