Re: [squid-users] how to configure squid3 transparent web proxy ssl/https? how to block sites using ssl

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 01 Sep 2013 16:30:53 +1200

On 31/08/2013 4:15 p.m., junio wrote:
> staff finished compiling the squid version 3.1 on debian Wheezy with ssl
> support (--enable-ssl --enable-ssl-crtd ...), with the main aim of blocking
> sites that use this type of connection, but I don't have the slightest idea of
> how to start the configuration. I have several questions; the first one is
> whether I have to redirect traffic from port 443 to port 3128 with iptables, or
> is that not necessary?

That is the part which is called interception. So yes it is required.
Although you should *not* be using port 3128 - that is a "well-known"
port for forward-proxy traffic.

This configuration
(http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat) and all
the disclaimers, warnings, and troubleshooting still apply.
The differences are:
  * port 443 instead of port 80
  * Squid https_port directive instead of http_port

Also, you need the "ssl-bump" option on the https_port line and the ssl_bump
directive determining which traffic can be bumped.
That should be adequately defined in
http://www.squid-cache.org/Doc/config/ssl_bump/.

That should get you intercepting HTTPS traffic on port 443 - but with
popups. I'm not too clear myself on how to configure the dynamic
certificate generator which is necessary to avoid those.

> the second doubt is, what is the syntax of the new ACLs? e.g. acl
> ssl_bump and others. We would greatly appreciate it if you guys sent me an
> example of the configuration file.

ssl_bump is not an ACL. It is an access control directive ("ACD" if you
want to abbreviate).

The syntax for defining all ACLs and access control directives is
documented in http://www.squid-cache.org/Doc/config/acl/ and
http://wiki.squid-cache.org/SquidFaq/SquidAcl

Amos
Received on Sun Sep 01 2013 - 04:30:58 MDT
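As an added illustration of the setup Amos outlines (not a config from the thread or from the Squid project), here is a minimal squid.conf fragment. It assumes Debian's /etc/squid3 paths, a locally generated CA at /etc/squid3/ssl/proxyCA.pem, port 3129 as the interception listener, and the option names as Amos describes them; check them against the ssl_bump and https_port documentation for the Squid version actually installed.

```conf
# Added example, not from the original thread. Paths, the 3129 port and the
# ACL names are assumptions.

# Proxy-aware clients keep using the well-known forward-proxy port.
http_port 3128

# Intercepted HTTPS must land on its own port: 'intercept' tells Squid the
# kernel redirected the connection (no proxy-aware client on the other end),
# 'ssl-bump' lets Squid terminate TLS with the CA named here. Without a
# dynamic certificate generator, browsers will warn on every bumped site.
https_port 3129 intercept ssl-bump cert=/etc/squid3/ssl/proxyCA.pem key=/etc/squid3/ssl/proxyCA.key

# ssl_bump is an access control directive, not an ACL: it takes ACL names and
# decides which connections get decrypted. Here everything on the intercept
# port is bumped; nothing else is.
acl intercepted_tls myport 3129
ssl_bump allow intercepted_tls
ssl_bump deny all

# Once bumped, the decrypted request carries a Host header, so a plain
# dstdomain ACL can block sites that are only reachable over HTTPS.
acl blocked_ssl_sites dstdomain .example.net .example.org
http_access deny blocked_ssl_sites

acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# Matching kernel redirect, run on the gateway (not part of squid.conf):
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3129
# Redirecting to 3128 instead would mix intercepted and explicit-proxy traffic
# on one listener, which is what Amos warns against.
```

Leave Squid's upstream certificate verification at its defaults; turning it off to silence errors would let the proxy accept forged server certificates on behalf of every client behind it.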

This archive was generated by hypermail 2.2.0 : Sun Sep 01 2013 - 12:00:06 MDT