Squid + HTTPS Question

Peon

Evening guys,

Question on the theory of content filtering on HTTPS.

As I understand it, it doesn't work in a transparent configuration. Take your Smoothwalls and IPFire/IPCop for example.

You could enable transparent proxy and DansGuardian etc. etc. But it won't work if a user opens google.co.za and then searches "webmail", gets a result and clicks on the resulting link.

I understand this because the initial connection to Google is encrypted, so Squid doesn't know what happens next in the connection.

Correct me if I'm wrong, you could set each client's machine to manually use the proxy server in its proxy settings. That might help, but I'm not convinced.

HTTPS cannot be easily proxied, as the content is encrypted with a private key on the sending server and decrypted on the requesting client with a known public key. Any proxy in the transmission path would be unable to re-encrypt the proxied data to the requesting client in such a way that the client would be able to decrypt it without errors. Normal transparent network proxies only redirect port 80 (HTTP) and not port 443 (HTTPS) traffic into the proxy server.

As I suspected. In other words, it's a fool's errand.

I have set up a non-transparent proxy, using DHCP + WPAD settings to auto-configure clients to utilize the proxy.

But yes, HTTPS is another monster altogether. There are ways around it (man in the middle), but not recommended.

However, my pfSense + SquidGuard (similar to DansGuardian) is working well, and blocking HTTPS websites (aka YouTube) without issues.

Only problem is the WPAD does not play nice with Android clients.

As I suspected. In other words, it's a fool's errand.
It can be done if your proxy re-encrypts the traffic and signs with a certificate trusted by the clients.
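The two replies above describe the two ends of the spectrum: a plain transparent proxy sees nothing inside port 443, and a re-encrypting proxy (Squid's ssl_bump with a CA the clients trust) sees everything. There is a middle ground worth knowing about for a filtering setup: the TLS ClientHello is sent in cleartext, and it normally carries the Server Name Indication (SNI) with the hostname the client wants. A proxy that intercepts 443 can read that hostname and allow or block the flow by domain without decrypting anything (this is what Squid's `ssl_bump peek` step and the `ssl::server_name` ACL do), which is the most likely reason a pfSense + SquidGuard setup can block YouTube over HTTPS. It cannot see the URL path or page content, and it sees nothing at all if the client uses TLS 1.3 Encrypted Client Hello or simply sends no SNI. The Python below is an added example written for this thread, not code from Squid or pfSense: it builds a constructed ClientHello, extracts the SNI the way a peeking proxy would, and applies a constructed domain blocklist (`BLOCKED_DOMAINS` and the hostnames are sample values, not anyone's real policy).

```python
"""
TLS ClientHello SNI peek: what a transparent proxy can see on port 443 without
decrypting. Added example for this thread, not Squid/pfSense code.
All hostnames, the blocklist and the ClientHello bytes are constructed here.
"""
import struct
from typing import Optional

BLOCKED_DOMAINS = ("youtube.com", "googlevideo.com")  # constructed sample policy


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal, well-formed TLS 1.2 ClientHello record (constructed input)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList entry: name_type 0 (host_name), 2-byte length, name
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = SNI
    body = (
        b"\x03\x03"                                 # client_version: TLS 1.2
        + bytes(32)                                  # random (zeros in this constructed hello)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent or not a ClientHello.

    Every length is bounds-checked so a truncated or hostile record yields None
    instead of an exception in the filtering path.
    """
    if len(record) < 5 or record[0] != 0x16:        # content type 22 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:               # handshake type 1 = client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                             # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                             # compression_methods
    if pos + 2 > len(body):
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end and end <= len(body):
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type == 0x0000 and len(data) >= 5:
            # ServerNameList: 2-byte list length, then (name_type, 2-byte length, name)
            name_type = data[2]
            name_len = struct.unpack("!H", data[3:5])[0]
            if name_type == 0 and len(data) >= 5 + name_len:
                try:
                    return data[5:5 + name_len].decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def sni_policy(record: bytes) -> str:
    """Decide what to do with an intercepted 443 flow from its ClientHello alone."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"   # nothing to filter on without decrypting: log it and apply a default
    host = host.lower().rstrip(".")
    for blocked in BLOCKED_DOMAINS:
        if host == blocked or host.endswith("." + blocked):
            return "block"
    return "allow"


if __name__ == "__main__":
    for name in ("www.youtube.com", "www.google.co.za", None):
        print(name, "->", sni_policy(build_client_hello(name)))
```

The `no-sni` branch is the interesting one for the thread: it is exactly the case where a hostname-only filter is blind, and the only way to get a decision is the re-encrypting approach with a client-trusted CA, or a fail-closed default for flows that present no name.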

... my pfSense + SquidGuard (similar to DansGuardian) is working well, and blocking HTTPS websites (aka YouTube) without issues ...
Is it filtering/blocking the content? Or blocking via DNS?