How to apply https transparent proxy by ip range



  • Is there a way that I can apply the https transparent proxy by ip range? Like I want the employees to pass through that https transparent proxy but not the public users under a certain ip range, but I want them all to be under the http transparent proxy.



  • Yes, use a NAT redirector.



  • Can you please tell me how? I don't know how to create the NAT redirector.



  • Enable http and https transparent, then create a rule for the ip range that will not be transparent. Say 192.168.1.128-254 will not be transparent and 192.168.1.1-127 will be transparent. Create a NAT rule, check "no redirect", proto tcp, source network 192.168.1.128 subnet 25 (that will be 192.168.1.128-254), destination any, port 443, description "no transparent 192.168.1.128".
    Note you can also use an alias for the source. Create a list of the ranges you want to disable the transparent proxy for https for, then in the NAT rule use "single" and put the alias name.

    Or make a list of the ips that will be transparent. In this case check the invert box of the source, so every source that is not in the list will not be transparent.



  • I am confused with "create a rule for the ip range that will not be transparent. Say 192.168.1.128-254 will not be transparent and 192.168.1.1-127".

    I don't understand how you make a rule for an ip range to be transparent or not. Can you kindly make it easier for me? Thanks for replying.



  • Transparent proxy will definitely NOT work unless you configure SSL-Bump (AKA MITM).
    This is the starting point.
    Then, as the transparent proxy works by redirecting (transparently) the flow at default gateway level toward the proxy listener interface, the goal is to add some rules to not redirect the IP range you don't want to be redirected and redirect only what you want.

    Be aware that enabling SSL-Bump is not as transparent as you may think, especially because it breaks the HTTPS tunnel. :-\



  • OP wants to know how to make only selected IPs transparent. SSL bump is already added in the new squid config, including this one: ssl_bump server-first all.

    Yes, he can add the do-not-proxy source addresses using an alias on "Bypass Proxy for These Source IPs" if he does not want to use the NAT. It will be added in the NAT eventually. But if you want to enable http for all clients while only selected clients have https transparent, to avoid certificate confusion, then use the NAT posted above. Use destination port 443 to not redirect if it is not a selected client.
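    The NAT logic described in this thread, modelled as an added Python example that is not from the thread or from pfSense: a "No RDR" exception for the non-transparent range sits above the catch-all port-443 redirect, and the invert-source variant is included too. The intercept ports 3128/3129, the interface name em1 and the rendered pf rule syntax are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample aliases from the thread: 192.168.1.128/25 is the half that
# must NOT be transparently proxied for HTTPS (hosts .128-.254, .255 is broadcast);
# 192.168.1.0/25 is the list used with the inverted-source variant.
NO_TRANSPARENT = [ip_network("192.168.1.128/25")]
TRANSPARENT = [ip_network("192.168.1.0/25")]
HTTP_INTERCEPT_PORT = 3128    # assumption: Squid HTTP intercept port on pfSense
HTTPS_INTERCEPT_PORT = 3129   # assumption: Squid HTTPS intercept port on pfSense

def in_alias(src_ip, alias):
    """True when the client address falls in any network of the alias."""
    return any(ip_address(src_ip) in net for net in alias)

def nat_decision(src_ip, dst_port, alias=NO_TRANSPARENT, invert=False):
    """Return the port a client's connection really ends up on.

    - Port 80: every client is redirected to the HTTP intercept port.
    - Port 443: the 'No RDR' rule matches sources inside the alias (or outside
      it when the source is inverted). Matched flows leave untouched; all
      other flows are redirected to the HTTPS intercept port.
    """
    if dst_port == 80:
        return HTTP_INTERCEPT_PORT
    if dst_port == 443:
        matched = in_alias(src_ip, alias)
        if invert:
            matched = not matched
        return dst_port if matched else HTTPS_INTERCEPT_PORT
    return dst_port  # nothing else is intercepted

def pf_rules(iface, alias_name, invert=False):
    """Render the pf rdr lines the two NAT entries correspond to.
    The syntax is an assumption about what pfSense generates; order matters,
    the 'no rdr' exception has to sit above the catch-all redirect."""
    src = f"! <{alias_name}>" if invert else f"<{alias_name}>"
    return [
        f"no rdr on {iface} inet proto tcp from {src} to any port 443",
        f"rdr on {iface} inet proto tcp from any to any port 443 "
        f"-> 127.0.0.1 port {HTTPS_INTERCEPT_PORT}",
    ]

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.200"):
        print(ip, "-> port", nat_decision(ip, 443))
    print("\n".join(pf_rules("em1", "no_transparent")))
```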

