Squid/transparent proxy improperly intercepting SSL?



  • I recently moved from 2.3.2 to the 2.3.3 dev branch and noticed that the giphy integration through the signal messaging app (whispersystems.org) no longer works.  I looked in the squid logs and see that it appears to be attempting to reach the giphy api but fails with:

    STATUS            Address                (Destination remains blank with a -)
    TAG_NONE/409 api.giphy.com:443

    The interesting part is that the port is appended to the api call (:443) which would imply an SSL connection, yet I've not set up squid to intercept/MITM the SSL traffic.  I've tried to whitelist the api.giphy.com domain in the ACL page but that has no effect.  Googling around a bit revealed that error 409 is URI Host Conflict - I looked into 409 (http://www.squid-cache.org/Doc/config/host_verify_strict/) and saw a reference to RFC2616, which is referenced in the General tab in the squid setup (Disable VIA Header).  Enabling/disabling does nothing here either.

    To make sure it's squid, I toggle it on/off and the giphy integration works when the proxy is off.  Has anyone else seen this/similar behavior?
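
To find which clients and destinations produce the 409 entries described in the post above, the following added example (not code from this thread or from the Squid project) scans access.log text and counts 409 replies on port 443 that were never forwarded upstream. It assumes Squid's native log format; the sample lines, client addresses and the CONNECT method shown are constructed, since the post shows only the status and address columns.

```python
import re
from collections import Counter

# Constructed sample lines, assuming Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1490000001.101      0 192.168.1.50 TAG_NONE/409 4100 CONNECT api.giphy.com:443 - HIER_NONE/- text/html
1490000002.250    312 192.168.1.50 TCP_MISS/200 5120 GET http://example.com/index.html - ORIGINAL_DST/192.0.2.34 text/html
1490000003.007      0 192.168.1.51 TAG_NONE/409 4100 CONNECT api.giphy.com:443 - HIER_NONE/- text/html
1490000004.900     95 192.168.1.50 TCP_TUNNEL/200 8800 CONNECT example.org:443 - ORIGINAL_DST/203.0.113.10 -
truncated line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[^/\s]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)


def find_host_conflicts(log_text):
    """Return {(client, destination): count} for 409 replies to a :443
    destination where the peer field is '-' (nothing was sent upstream)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        if m["status"] != "409" or m["peer"] != "-":
            continue  # only replies Squid generated itself with status 409
        if not m["url"].endswith(":443"):
            continue  # only destinations logged with the HTTPS port
        hits[(m["client"], m["url"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (client, dest), n in sorted(find_host_conflicts(SAMPLE_LOG).items()):
        print(f"{client} -> {dest}: {n} x 409 with no upstream peer")
```
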


  • Banned

    It is intercepting just fine. Recently discussed in the proper forum. If things break, use the manual config, or don't MITM.



  • @doktornotor:

    It is intercepting just fine. Recently discussed in the proper forum. If things break, use the manual config, or don't MITM.

    Apologies if I wasn't clear in my post - I am not implementing MITM and have never enabled it.  It would appear that while all other SSL traffic bypasses the proxy just fine (as intended), this one API call with the :443 appended may indeed be SSL but is attempting to go through the proxy.