Squid as transparent HTTP/HTTPS whitelist only proxy



  • Anyone managed to get Squid working as a whitelist-only transparent SSL proxy?

    Goal is to:

    • Whitelist only allowed http/https urls (Remove 'Allow users on interface')
    • Use wildcard domainnames like *.google.com (So no Squidguard)
    • No certificate installation requirements on clients (Splice All)

    Found several links, but none works as expected. When the 'Allow users on interface' is checked, all traffic including HTTPS is working as expected.

    Any help very welcome.



  • Did you try to include just a . on the blacklist?



  • @marcelloc

    This gives the same result as removing 'Allow users on interface'; the error returned is:

    'The following error encountered while trying to retrieve the URL: https://168.63.16.185/* Access Denied'

    So it is like the DNS part is working but Squid does not have access itself.

    The realtime logs state this for portal.azure.com (On whitelist):
    12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
    12.07.2018 12:10:59 10.0.1.100 TAG_NONE/403 https://portal.azure.com/ - -
    12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
    12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
    12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443

    It works perfectly for HTTP-only sites.



  • @cloudfw said in Squid as transparent HTTP/HTTPS whitelist only proxy:

    This gives the same result as removing 'Allow users on interface'; the error returned is:
    'The following error encountered while trying to retrieve the URL: https://168.63.16.185/* Access Denied'
    So it is like the DNS part is working but Squid does not have access itself.

    Squid with splice all transparent proxy mode checks ACLs based on the remote server certificate, but if the client tries to send a direct https connection to the server, I can't see a way that squid will associate it with the domain you whitelisted.

    Try the openappid feature from the snort package (without intercepting traffic with squid), see if it can identify what site/application is trying this direct connect.



  • @marcelloc But why is it working with HTTP then? Same thing: DNS lookup, then direct http to IP traffic. Have you had this HTTPS setup working?



  • @cloudfw said in Squid as transparent HTTP/HTTPS whitelist only proxy:

    @marcelloc But why is it working with HTTP then? Same thing: DNS lookup, then direct http to IP traffic. Have you had this HTTPS setup working?

    Because http traffic is not encrypted, squid can see the packet content. With ssl in splice all mode, squid does not intercept the connection; it just tries to check the server certificate before establishing a tunnel between the client and the server.
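As an added example (not from this thread and not the config the pfSense package generates), a stand-alone squid.conf fragment for a whitelist-only peek-and-splice setup; it assumes Squid 3.5 or newer in intercept mode, a 10.0.1.0/24 LAN, intercept ports 3128/3129, a placeholder certificate path and illustrative domain names. The comments relate each directive to the TCP_DENIED/200 entries on the bare IP shown in the log above.

```conf
# Added example, not from the thread or the pfSense package.
# Assumed: Squid 3.5+, LAN 10.0.1.0/24, intercept ports 3128 (HTTP)
# and 3129 (HTTPS), placeholder cert path, illustrative domain list.

http_port  3128 intercept
https_port 3129 intercept ssl-bump cert=/PLACEHOLDER/path/to/squid.pem

acl localnet src 10.0.1.0/24
acl CONNECT  method CONNECT
acl step1    at_step SslBump1

# A leading dot matches the domain and every subdomain (wildcard-style).
acl whitelist_http dstdomain        .google.com .azure.com
acl whitelist_tls  ssl::server_name .google.com .azure.com

# Step 1: for an intercepted TLS connection Squid only knows the
# destination IP (the 168.63.16.185:443 entries in the log). Peeking at
# the ClientHello is what makes the SNI available to the ACLs.
ssl_bump peek step1
# Step 2: the SNI is known. Splice (pass the TLS session through
# untouched, so no client certificate is needed) only for whitelisted
# names and close every other connection.
ssl_bump splice whitelist_tls
ssl_bump terminate all

# http_access is also evaluated for the fake CONNECT that intercept
# creates: first with the bare IP at step 1, then again with the SNI.
# Denying it at step 1 yields TCP_DENIED/200 on the IP before any
# domain ACL can match, so let step 1 through and decide at step 2.
http_access allow localnet CONNECT step1
http_access allow localnet CONNECT whitelist_tls
http_access allow localnet whitelist_http
http_access deny all
```

With this, a non-whitelisted HTTPS destination is still logged as a denied CONNECT, but with the SNI host rather than the bare IP, which makes the access.log usable for checking the whitelist.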


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy