How to disable SSL filtering in transparent mode while SSL is enabled



  • While SSL intercept is enabled, sometimes we want only HTTP to be filtered in transparent mode, to avoid certificate warnings for some users. To do this, just add a NAT rule: No RDR, interface your LAN interface, source LAN net, destination any, port 443. That's it. Hope you find it useful.



  • I don't understand why you would configure "SSL intercept" and not want to filter HTTPS.
    In standard transparent mode (without SSL-Bump), HTTPS is never filtered.

    Thus, if you do not want to filter HTTPS with the proxy in transparent mode, do not configure SSL-Bump, that's it  ;)

    On the other hand, one debate could be to discuss why you would want to deploy a transparent proxy, which is, IMHO, the main issue.
    A transparent proxy is really not a suitable design  :-\



  • As I said, if users did not install the certificate they would get a certificate warning message. If you don't bump the server certificate, how can you cache the content, unless you just want to tunnel HTTPS? Man in the middle.



  • Well, frankly speaking, I don't understand your point.
    Perhaps due to my poor English?

    What's your goal?
    To cache but not filter HTTPS content? In order to save bandwidth?



  • Yes, to save some bandwidth. I cache YouTube videos and other cacheable HTTPS items, so I need to bump the certificate. I don't want to explain to other users how to install those certificates in their browsers. To avoid this, I just don't make HTTPS transparent. If you have a better option for caching HTTPS without installing the proxy certificate, it would be nice, so that I can enable transparent mode with SSL without certificate problems.



  • To make it simple: you can't cache HTTPS without SSL-Bump. This is not linked to transparent or explicit proxy design.



  • Exactly, that's why I am posting this :). If you have a better solution, then post it.

