Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid as transparent HTTP/HTTPS whitelist only proxy

    Cache/Proxy
    2
    6
    3.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      cloudfw
      last edited by

      Anyone managed to get Squid working as a whitelist only transparent SSL proxy?

      Goal is to:

      • Whitelist only allowed http/https urls (Remove 'Allow users on interface')
      • Use wildcard domainnames like *.google.com (So no Squidguard)
      • No certificate installation requirements on clients (Splice All)

      Found several links, but no one works as expected. When the 'Allow users on interface' is checked all traffic including HTTPS is working as expected.

      Any help very welcome.

      1 Reply Last reply Reply Quote 0
      • marcellocM
        marcelloc
        last edited by

        Did you tried to include just a . on blacklist?

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        C 1 Reply Last reply Reply Quote 0
        • C
          cloudfw @marcelloc
          last edited by cloudfw

          @marcelloc

          This will give the same result as remove 'Allow users on interface' the error returned is:

          'The following error encountered while trying to retrieve the URL: https://168.63.16.185/* Access Denied'

          So it is like the DNS part is working but Squid does not have access it self.

          The realtime logs state this for portal.azure.com (On whitelist):
          12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
          12.07.2018 12:10:59 10.0.1.100 TAG_NONE/403 https://portal.azure.com/ - -
          12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
          12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
          12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443

          It works perfect for HTTP only sites.

          marcellocM 1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc @cloudfw
            last edited by

            @cloudfw said in Squid as transparent HTTP/HTTPS whitelist only proxy:

            This will give the same result as remove 'Allow users on interface' the error returned is:
            'The following error encountered while trying to retrieve the URL: https://168.63.16.185/* Access Denied'
            So it is like the DNS part is working but Squid does not have access it self.

            Squid with splice all transparent proxy mode checks acls based on the remote server certificate but if the clients tries to send a direct https connection to the server, I can't see a way that squid will associate it with the domain you whitelisted.

            Try the openappid feature from snort package(without intercepting traffic with squid) , see if it can identify what site/application is trying this direct connect.

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            C 1 Reply Last reply Reply Quote 0
            • C
              cloudfw @marcelloc
              last edited by

              @marcelloc But why is it working with HTTP then? same thing DNS lookup, then direct http to IP traffic. Have you had this HTTPS setup working?

              marcellocM 1 Reply Last reply Reply Quote 0
              • marcellocM
                marcelloc @cloudfw
                last edited by

                @cloudfw said in Squid as transparent HTTP/HTTPS whitelist only proxy:

                @marcelloc But why is it working with HTTP then? same thing DNS lookup, then direct http to IP traffic. Have you had this HTTPS setup working?

                Because http traffic is not encrypted, squid can see the packet content. With ssl in splice all mode, squid does not intercept the connection, it just tries to check the server certificate. before establishing a tunnel between the client and the server.

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.