Squid https filtering with wpad



  • I thought wpad was supposed to allow me to filter https requests. I had originally implemented squid as a transparent proxy and was informed if I wanted to provide content filtering for https I needed to switch to wpad.

    I have since implemented wpad but maybe I am confused about https filtering as I do not see it working. Within squid.inc I have defined a personal acl:

    acl badwords regex -i  "/home/squid/badwords.txt"
    http_access deny badwords
    

    This allows me to filter web searches for any of the specified words I consider inappropriate. This works fine on non-"https" search engines like Bing. But when used on Google or Yahoo, which use "https", it fails to work.

    Is this something that is not capable of working in the way I want it to?



  • I thought wpad was supposed to allow me to filter https requests.

    WPAD helps your clients discover the web proxy by themselves, nothing more.

    I had originally implemented squid as a transparent proxy and was informed if I wanted to provide content filtering for https I needed to switch to wpad.

    Not quite.  If you want to provide content filtering in HTTPS sessions, you can't run Transparent without installing a cert on every client to prevent MitM attack warnings.  Specifying a proxy removes the requirement for a cert, and WPAD helps with the location of the proxy via auto-discovery.

    Do you know for sure that HTTPS is going through the proxy?  Have you disabled ports 80,443 on LAN to enforce proxy usage?



  • @KOM:

    I thought wpad was supposed to allow me to filter https requests.

    WPAD helps your clients discover the web proxy by themselves, nothing more.

    I had originally implemented squid as a transparent proxy and was informed if I wanted to provide content filtering for https I needed to switch to wpad.

    Not quite.  If you want to provide content filtering in HTTPS sessions, you can't run Transparent without installing a cert on every client to prevent MitM attack warnings.  Specifying a proxy removes the requirement for a cert, and WPAD helps with the location of the proxy via auto-discovery.

    Do you know for sure that HTTPS is going through the proxy?  Have you disabled ports 80,443 on LAN to enforce proxy usage?

    I understand that in order to use transparent proxy for https I would have had to go the MitM way. I am not comfortable with having to install certs on each client. I have disabled ports 80 and 443 on the LAN and have verified traffic is going through the proxy by using one of those proxy detection sites.

    So what do I do from here to use that custom acl with https?



  • I guess what I am looking for isn't possible. With https the payload is encrypted thus making it impossible to filter keywords.



  • have verified traffic is going through the proxy by using one of those proxy detection sites.

    Don't do it that way.  SSH in or connect via console and look at /var/squid/logs/access.log (going from memory here).  Every URL fetched will be written here if squid is working properly.  Verify that it is processing your HTTPS URLs.

    With https the payload is encrypted thus making it impossible to filter keywords.

    I thought it could if SSLBump was enabled during compile.  SSH in again and run squid -v to see what options it was compiled with.  I haven't played with this at all since I only need URL filtering and not keyword filtering.
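
Added example (not posted by anyone in this thread): the sketch below shows what a URL regex ACL such as `badwords` can match when the same search goes through an explicit proxy over http and over https without SSL bump, and how to pick the HTTPS tunnels out of access.log. The word list, the client addresses and the log lines are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Hypothetical stand-in for /home/squid/badwords.txt (one regex per line).
BADWORDS = ["badword1", "badword2"]

# Constructed access.log lines in Squid's native format (not from the thread).
SAMPLE_LOG = """\
1431000000.101    85 192.168.1.50 TCP_DENIED/403 3700 GET http://www.bing.com/search?q=badword1 - HIER_NONE/- text/html
1431000001.202   140 192.168.1.50 TCP_MISS/200 51234 GET http://www.bing.com/search?q=weather - HIER_DIRECT/203.0.113.10 text/html
1431000002.303 30211 192.168.1.50 TCP_MISS/200 48211 CONNECT www.google.com:443 - HIER_DIRECT/203.0.113.20 -
1431000003.404 15020 192.168.1.51 TCP_MISS/200 9120 CONNECT search.yahoo.com:443 - HIER_DIRECT/203.0.113.30 -
"""

def proxy_view(browser_url):
    """Return (method, URL) as an explicit, non-bumping proxy receives it.

    http://  -> the full URL is in the request line (GET http://host/path?query)
    https:// -> only 'CONNECT host:port'; path and query stay inside the TLS tunnel
    """
    u = urlsplit(browser_url)
    if u.scheme == "https":
        return "CONNECT", f"{u.hostname}:{u.port or 443}"
    return "GET", browser_url

def acl_denies(visible_url, patterns=BADWORDS):
    """Case-insensitive regex match against the URL the proxy can see."""
    return any(re.search(p, visible_url, re.IGNORECASE) for p in patterns)

def https_tunnels(log_text):
    """Return (client, host:port) for every CONNECT entry in the log text."""
    tunnels = []
    for line in log_text.splitlines():
        fields = line.split()
        # Native format: time elapsed client code/status bytes method URL ...
        if len(fields) >= 7 and fields[5] == "CONNECT":
            tunnels.append((fields[2], fields[6]))
    return tunnels

if __name__ == "__main__":
    for url in ("http://www.bing.com/search?q=BadWord1",
                "https://www.google.com/search?q=BadWord1"):
        method, seen = proxy_view(url)
        print(f"{method:8}{seen:42} denied={acl_denies(seen)}")
    for client, target in https_tunnels(SAMPLE_LOG):
        print(f"HTTPS tunnel via proxy: {client} -> {target}")
```

CONNECT entries in access.log confirm that HTTPS is passing through the proxy, and they also show that only the host name and port are available for an ACL to match.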

