Transparent Squid proxy for https without SSL Interception
-
I heard from someone that it would be a good idea to use a transparent proxy to filter HTTP and an explicit proxy to filter HTTPS URLs. But since there are a lot of computers in my working environment, I want to avoid going one by one doing the configurations, so I thought that using WPAD for HTTPS would be nice. But now that I think about it… maybe it's weird to configure WPAD for HTTPS but not use it for HTTP...
Anyway, thanks a lot :D
-
If you are using WPAD, I don't really understand why you would want to still use a transparent proxy but…. you can still do it 8)
If, in proxy.pac, you redirect HTTPS flow to your proxy (explicit mode) and HTTP flow to "DIRECT", then it will be intercepted at gateway level and (transparently) redirected to your proxy.
Cool, isn't it? ;D ;D
Still I don't understand what the purpose is (or would be)
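The proxy.pac split described in the reply above, as an added example that is not from the thread or from pfSense: HTTPS is sent to the explicit proxy while HTTP is returned DIRECT so the gateway's transparent redirect picks it up. The proxy address and the private-range bypass are assumptions.

```javascript
// Added example (not from the original thread): a proxy.pac that sends HTTPS
// to the explicit Squid proxy and everything else DIRECT, as chris4916 describes.
// 192.0.2.1:3128 is a constructed placeholder for the Squid box.
const PROXY = "PROXY 192.0.2.1:3128";
const DIRECT = "DIRECT";

// RFC 1918 ranges: assumed intranet destinations that should never hit the proxy.
const PRIVATE_NET = /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;

function FindProxyForURL(url, host) {
  // Plain hostnames (no dot) and private-address destinations stay local.
  if (host.indexOf(".") === -1) return DIRECT;
  if (PRIVATE_NET.test(host)) return DIRECT;

  // HTTPS goes explicit: Squid only sees the CONNECT host:port in clear text,
  // so domain ACLs work without bumping TLS.
  if (url.substring(0, 6).toLowerCase() === "https:") return PROXY;

  // Plain HTTP is returned DIRECT; the gateway's transparent redirect
  // still catches port 80 and forwards it to Squid.
  return DIRECT;
}
```

Browsers evaluate only FindProxyForURL, so the constants above are safe to keep at the top of the file.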
-
Explicit proxy (therefore not transparent ;D) cannot filter HTTPS content either (for the same reasons) but can apply rules based on the left part of the URL (domain) because HTTP CONNECT sends it outside the SSL tunnel (meaning in clear text).
Hello! Please, tell me, how can I make rules based on the left part of the URL?
-
Still I don't understand what the purpose is (or would be)
When using WPAD or explicit mode, some programs do not have proxy settings and want to use port 80. If you have port 80 blocked to stop users from bypassing the proxy, then that program will have connection issues; you then need to find that address and allow a pass rule.
Now if you could have both, then you would be able to filter HTTPS content without MITM and redirect traffic getting blocked on port 80 to the proxy port. Going to research this a bit more.
Update
Works fine, thanks chris4916 for the tip of running both.
-
Explicit proxy (therefore not transparent ;D) cannot filter HTTPS content either (for the same reasons) but can apply rules based on the left part of the URL (domain) because HTTP CONNECT sends it outside the SSL tunnel (meaning in clear text).
Hello! Please, tell me, how can I make rules based on the left part of the URL?
This is as simple as applying rules for "domain". Domain filtering looks only at the left side of the URL, which is what is used during CONNECT.
This allows you to write ACLs, but you can also, e.g., use SquidGuard.
-
Update
Works fine, thanks chris4916 for the tip of running both.
You're welcome ;D
Sure it works (I try not to write too stupid stuff :-[) but, at least to me, the added value is only for the very few devices that would not support WPAD, because once you have WPAD configured, almost all devices will go through the explicit proxy smoothly.
With a transparent proxy, there is also no capability to prompt for authentication and then apply any kind of profiling, nor efficient logging :(
-
Just feel I want to add to this topic for future reference. After playing around with multiple options, and having issues with WPAD on lots of Android devices (did I say I HATE touch screens :/), my network is now stable on the following setup:
Squid configured to be explicit (not transparent).
Normal users get IPs from DHCP which contains the WPAD details (this is for desktop computers and laptops connected via LAN). For WIFI, I configured 3 different SSIDs:
Normal users SSID on VLAN 0 (which will thus receive the same DHCP and WPAD settings). This is for laptops that connect via WIFI.
Phone users SSID on VLAN 3 (which has a separate DHCP server / subnet but no WPAD and all ports open) -> this is not passed through a proxy, but just rate limited via captive portal. (MAC address is captured on first connection and remembered.)
Guest users SSID on VLAN 4. Also a separate DHCP, and access is controlled via captive portal and tickets that expire.
The phone SSID password I keep classified, thus controlling who connects to it, and I can monitor the guest SSID for abuse (each VLAN interface is separate on pfSense, thus activity can be monitored).
SquidGuard is active and working, and I am looking at activating pfBlocker with DNSBL as well. The network is quite secure I think for our purposes (yes, I know some advanced users will download and torrent via their phones, but for now it seems like they are happy).
SquidGuard is configured to open all blocked sites (social sites / YouTube etc.) during lunch hours and outside working hours.
Hope this helps someone for future designs.
-
erwintwr,
Ok so I have Squid in place and am using the HTTPS man-in-the-middle filtering and it works fine for PCs on the LAN.
My problem however is that I have a WIFI router hooked up to the network, and any WIFI connections to that router are also filtered, but I can't get certificates onto phones and it blocks all HTTPS traffic.
How do I get mobile devices to be able to BYPASS all Squid filtering, whether it be HTTP or HTTPS?????
I have added the mobile device IPs to the TRANSPARENT proxy setting (HTTP) "BYPASS PROXY FOR THESE SOURCE IPs", but I can't do that for the HTTPS man-in-the-middle filtering!
Any ideas how to bypass BOTH of these for mobile devices like iPhones?
I don't think an iPhone is going to take a .CRT file (not that I can tell) for a certificate-based pass-through.
Can I somehow set up my WIFI router (and its connected devices) to automatically pass all HTTP or HTTPS through Squid maybe?
Any ideas?
Thanks,
MP
-
Hi,
Ok, I did get them working by passing them "THROUGH" the proxy by manually changing the WIFI proxy settings on the iPhones.
However, it would still be nice to know how to BYPASS HTTPS traffic (man in the middle) for these mobile devices. Is it possible in the Squid interface?
Thanks,
MP
-
You say that SSL filtering works normally, but I have problems with sites like Google, which, although they are not blocked, remain without access because of the HSTS protocol that Google, Facebook and other sites use. I have tried to install the certificate generated by pfSense on the workstations, without success. How did you solve this problem?
-
HSTS does not hinder you bumping TLS traffic, it just forces the client to use TLS instead of plain text. You have to have your CA in place on your client devices. I would recommend:
1. setting up a CA in pfSense (you don't necessarily have to have the private key on the pfSense box, and I recommend against it; it is your last resort if the private keys of your sub-CAs are leaked at some point)
2. setting up a sub-CA for SSL bumping
3. exporting the CA certificate of the top CA (just the cert)
4. selecting the right CA in the Squid config
5. configuring bumping as I describe over here https://forum.pfsense.org/index.php?topic=135178.0
6. putting on the whitelist what you desire
7. installing the CA on the client. That should generally be done by your endpoint management solution (Active Directory GPO, Kaspersky Endpoint Security, you name it). If you want to manually install the CA, make sure you put it into the SYSTEM'S Trusted Root Certification Authorities, else it won't work.
8. here you go (push F12 in your browser to verify your certs are being generated by your bumping CA).