[squid-users] Transparent SSL Interception

From: Neil <nwilson123_at_gmail.com>
Date: Tue, 24 Apr 2012 12:03:42 +0200

Hi guys and girls,

I've been trying to set up a "transparent" (from the user's side) SSL
interception proxy. I realise this isn't advised as it breaks SSL and
voids any user privacy etc., but this is for a school that needs to be able
to monitor and control social networking access for students, and we've been
asked to come up with a solution.

The students bring in their own devices (iPads, tablets etc.) and these get
assigned an IP via DHCP; port 443 and port 80 are then redirected (using
iptables) to squid.

I'm using squid (3.1.19) with --enable-ssl and --enable-icap-client as well
as all the usual options. My transparent HTTP proxying works perfectly, so
it's only the SSL side that doesn't work the way I've envisaged it would,
e.g. the proxy intercepts all SSL traffic and acts as the user's PC would
normally, and any certificate errors are hidden from the user's device,
because certain apps (apple.com etc.) don't allow the user to accept
certificate warnings.

These are the relevant options from my squid.conf:

http_port 192.168.0.1:8080 intercept ssl-bump cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.pem
https_port 192.168.0.1:8081 intercept cert=/etc/squid/ssl_cert/squid.pem key=/etc/squid/ssl_cert/squid.pem

always_direct allow all

acl broken_sites dstdomain .absa.co.za
ssl_bump deny broken_sites
ssl_bump allow all

# ignore errors with certain sites (very dangerous!)
acl TrustedName url_regex ^https://ib.absa.co.za/
sslproxy_cert_error allow TrustedName
sslproxy_cert_error deny all

# ignore certain certificate errors (very dangerous!)
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all

The above might have word wrapped a bit.

I've tried varying options like redirecting port 443 to my http_port and
using "transparent" instead of "intercept", using "ssl-bump" on both the
http_port and https_port, as well as a whole ton of other options, but nothing
seems to make much of a difference. The best I can do is get https facebook
to work transparently, but then I have major problems with most other SSL
sites: the banking sites either complain about "redirecting in a way that
will never finish" or they direct to another page, where I'm guessing the
remote webserver picks up some kind of SSL error and doesn't allow you to
get in. As you can see in my config, I've tried to force "absa.co.za" to
work no matter what happens, but the ACLs haven't made any difference.

Please could anyone provide me with some guidance; I seem to be going round
in circles here.

Thank you.

Regards.
Neil Wilson.
Received on Tue Apr 24 2012 - 10:03:49 MDT
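For comparison, here is an added example of how the same goal is usually configured on a later Squid (3.5 or newer: peek-and-splice and the ssl::server_name ACL do not exist in 3.1.x). It is not Neil's config and not taken from the thread; the listener port numbers, the ssl_crtd path, the database path and the domain list are assumptions. The design point it shows is the defensive alternative to the two "very dangerous!" blocks in the posted config: sites that break under interception are spliced through untouched (the client negotiates TLS with the real server, so pinning apps and banks see the genuine certificate), while everything else is bumped with a per-site certificate minted from the school CA, and upstream certificate errors are never suppressed.

```conf
# Added example (not from the original post). Assumes Squid 3.5+ built with --enable-ssl-crtd.
# iptables REDIRECTs port 80 -> 3128 and port 443 -> 3129 on the proxy (port numbers assumed).
http_port 192.168.0.1:3128 intercept

# Bump intercepted TLS. squid.pem holds the school CA certificate and key (as in the post);
# that CA must be installed as trusted on every student device, otherwise forged
# certificates simply produce the warnings the post is trying to avoid.
https_port 192.168.0.1:3129 intercept ssl-bump cert=/etc/squid/ssl_cert/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints and caches per-site certificates signed by the CA above (paths assumed).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Step 1: read the ClientHello (SNI) without committing to bump or splice.
acl step1 at_step SslBump1
ssl_bump peek step1

# Sites that must never be bumped: banking and pinning clients (list is an assumption).
# ssl::server_name matches the SNI learned at step 1, so this works in intercept mode,
# where a dstdomain ACL would only see the destination IP address.
acl nobump ssl::server_name .absa.co.za .apple.com
ssl_bump splice nobump

# Everything else is bumped; the minted certificate copies the server's real name.
ssl_bump bump all

# Never hide the origin's certificate errors from users. A site that trips this
# belongs in the nobump list above, not in a sslproxy_cert_error allow rule.
sslproxy_cert_error deny all
```

One detail of the posted 3.1 config is worth keeping in mind when reading it: sslproxy_cert_error rules are first-match, so the "deny all" that closes the TrustedName block means the later BadSite allow rule is never evaluated. In the example above there is deliberately no allow rule at all; exemptions are expressed by not bumping the connection, which keeps certificate validation where it belongs, in the client.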
