Netgate Discussion Forum

    Squid/transparent proxy improperly intercepting SSL?

      trouserless

      I recently moved from 2.3.2 to the 2.3.3 dev branch and noticed that the giphy integration through the signal messaging app (whispersystems.org) no longer works.  I looked in the squid logs and see that it appears to be attempting to reach the giphy api but fails with:

      STATUS            Address                (Destination remains blank with a -)
      TAG_NONE/409 api.giphy.com:443

      The interesting part is that the port is appended to the api call (:443) which would imply an SSL connection, yet I've not set up squid to intercept/MITM the SSL traffic.  I've tried to whitelist the api.giphy.com domain in the ACL page but that has no effect.  Googling around a bit revealed that error 409 is URI Host Conflict - I looked into 409 (http://www.squid-cache.org/Doc/config/host_verify_strict/) and saw reference to RFC2616 which is referenced in the General tab in the squid setup (Disable VIA Header).  Enabling/disabling does nothing here either.

      To make sure it's squid, I toggle it on/off and the giphy integration works when the proxy is off.  Has anyone else seen this/similar behavior?

        doktornotor Banned

        It is intercepting just fine. Recently discussed in the proper forum. If things break, use the manual config, or don't MITM.

          trouserless

          @doktornotor:

          It is intercepting just fine. Recently discussed in the proper forum. If things break, use the manual config, or don't MITM.

          Apologies if I wasn't clear in my post - I am not implementing MITM and have never enabled it.  It would appear that while all other SSL traffic bypasses the proxy just fine (as intended), this one API call with the :443 appended may indeed be SSL but is attempting to go through the proxy.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.