Netgate Discussion Forum

    Intercepting HTTPS Proxy

    pfSense Packages
    4 Posts 3 Posters 7.0k Views

    • polewskm
      Does anyone know how to set up an intercepting proxy for HTTPS connections?

      I would like to proxy all web browsing (both HTTP and HTTPS) through my firewall for content filtering in order to block certain sites. I have already searched these forums and other sites, but they only mention how to set up "transparent proxies" and "reverse proxies" (for servers), and these solutions do not apply. For the intercepting proxy to function correctly (i.e. view the payload), it must break the chain of trust for the SSL connection by modifying the request/response to (1) terminate the initial SSL transaction, (2) forward the payload to any content filters, and (3) then initiate a new SSL transaction for the response. This will obviously present the client with a mismatched certificate warning, but I am willing to accept that.

      I know this is possible with commercial firewall devices that are currently employed by various government and DOD networks. But can this be done using pfSense, Squid, etc?

      Thank you,
      Marcin

      • polewskm

        I think that I may have found the solution:

        http://wiki.squid-cache.org/Features/SslBump
        http://dvas0004.wordpress.com/2011/03/22/squid-transparent-ssl-interception/

        I will attempt this solution and post my results.

        • Nachtfalke

          I think this is possible if you do NOT use a transparent proxy and hardcode the proxy IP and port into the client's browser.

          • jimp (Rebel Alliance Developer, Netgate)

            There are very hackish ways to hijack SSL, but it involves installing a certificate on the client machine, which essentially completely breaks the trust of SSL in such a way as to make it useless. (There are also rumors that China/FBI/NSA/CIA/etc. have "special" trusted CA certs on sniffer devices that essentially do the same… but I haven't seen any real evidence, though it is a fun theory.)

            If you don't control the clients, you can't transparently proxy SSL. If you do control the clients, you're much better off doing as Nachtfalke suggested and hard-coding the proxy information on the clients. Then you don't need to hack anything or install any certificates.

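The "hard-code the proxy on the clients" approach that Nachtfalke and jimp recommend is usually delivered as a proxy auto-config (PAC) script rather than typed into every browser. The script below is an added example written for this thread; it is not from the original posts, from pfSense or from Squid. It assumes a pfSense box at 192.168.1.1 running Squid on its default port 3128 and an internal domain named `.lan`; both are placeholders to adjust. With an explicit proxy, the browser sends an HTTPS request as `CONNECT host:443`, so the proxy can allow or deny by destination host without decrypting anything and without a CA certificate on the client.

```javascript
// Proxy auto-config (PAC) script, added here as an example; it is not from the
// thread or from pfSense/Squid. It hard-codes the explicit proxy on the client,
// as Nachtfalke and jimp suggest, so HTTPS is filtered by destination host
// (the CONNECT request) without breaking TLS or installing a CA certificate.
// 192.168.1.1:3128 is an assumed pfSense LAN address and Squid port; change it.
var PROXY = "PROXY 192.168.1.1:3128";
var DIRECT = "DIRECT";

// RFC 1918 and loopback IPv4 literals that should never be sent to the proxy.
var PRIVATE_HOST = /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/;

// True for destinations that stay on the local network.
function isLocalDestination(host) {
  // Unqualified names (e.g. "printer") and loopback are local.
  if (host === "localhost" || host.indexOf(".") === -1) {
    return true;
  }
  // Private IPv4 literals are local.
  if (PRIVATE_HOST.test(host)) {
    return true;
  }
  // Hosts in the site's own internal domain (".lan" is an assumed name).
  if (/\.lan$/.test(host)) {
    return true;
  }
  return false;
}

// The browser calls this for every request; the return value names the proxy
// chain to use. Only ES3-style constructs are used, since PAC engines are old.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isLocalDestination(host)) {
    return DIRECT;
  }
  // Web traffic (HTTP and HTTPS) goes through the filtering proxy. For HTTPS
  // the proxy only sees "CONNECT host:443"; the page content stays encrypted.
  if (/^https?:\/\//i.test(url)) {
    return PROXY;
  }
  // Anything else (ftp://, etc.) bypasses the proxy.
  return DIRECT;
}
```

Serve the file from any web server (or set it as the "automatic configuration URL" in the browser) and point the clients at it. Squid on pfSense then sees every HTTPS destination as a CONNECT request and can block by host name, which is the trade-off jimp describes: you get site-level filtering and keep end-to-end TLS, but you do not get to inspect the page body.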