HTTPS on Squid http proxy server
I've got many servers and I want them to have the same IP when they do requests via the Internet. So I configured a Squid http proxy server that works well for http requests.
The problem is that it does not work for HTTPS requests (the real IP of my server appears...).
Do you have a solution for that?
debian proxy squid http-proxy
asked Apr 14 '14 at 10:03
maxime
What is the base operating system that squid runs on..?? Meanwhile, I'd suggest you install webmin for easier view and configuration or if the purpose is to act as proxy server along with some enhanced features, pfsense will do better. Having said that, I found this by googling which may serve you.
– AzkerM
Apr 14 '14 at 12:25
can you show your squid configuration?
– c4f4t0r
Apr 14 '14 at 12:54
My server runs on Debian 7. I'll try webmin! And thanks for the link!
– maxime
Apr 16 '14 at 13:29
2 Answers
You need to use the SSL Bump functionality of Squid in order to be able to filter HTTPS. An easy method to implement this is to use QLProxy as it has the SSL Bump functionality enabled by default.
If you'd like to add it to your existing configuration, you can research it here
SIDE NOTE: SSL was developed, in part, to issue assurances to the connecting party that they are connecting to the service that they are expecting to connect to. Intercepting this transmission, which is what you're trying to accomplish, will break the integrity of HTTPS and issue certificate warnings to your clients. This can be mitigated by distributing a trusted certificate to all your clients, however there is an ethical issue at play here as you are essentially eavesdropping on traffic that your clients assume is secure.
answered Apr 14 '14 at 16:05
DKNUCKLES
He doesn't need a transparent proxy.
– Diego Woitasen
Apr 15 '14 at 17:00
@diegows perhaps you'd care to share what you think he needs then rather than just stating what they "don't" need.
– DKNUCKLES
Apr 16 '14 at 12:47
Here is how my ssl-bump rules are set up and it works without a problem:
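# Explicit forward-proxy port: the port clients are pointed at
http_port 3128
# Ports for traffic redirected to Squid (interception)
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
# Helper that generates the per-host certificates used for bumped connections
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 8MB
sslcrtd_children 50 startup=5 idle=1
# ssl_bump rules are first-match, so the localhost exception must come before the catch-all
ssl_bump none localhost
ssl_bump server-first all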
Then just set both HTTP and SSL proxy to the server and port 3128.
answered Jun 13 '14 at 21:22
user226231
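A small lint for two review points an ssl-bump configuration like the one in this answer raises, given as an added example that is not part of the original answer: Squid applies the first ssl_bump rule whose ACLs match, so a rule placed after one matching "all" never fires, and a cipher= list that enables RC4 suites offers ciphers that RFC 7465 prohibits for TLS. The sample config is constructed from the answer's directives, and the weak-token list is this example's own assumption.

```python
# Tokens treated as weak in a cipher= string (assumption of this example,
# not a list taken from Squid or OpenSSL).
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT")


def parse_directives(text):
    """Yield (line_no, name, args) for each non-comment squid.conf line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield line_no, name, args


def weak_ciphers(args):
    """Return the enabled tokens of a cipher= option that look weak."""
    found = []
    for arg in args:
        if arg.startswith("cipher="):
            for token in arg[len("cipher="):].split(":"):
                # Tokens starting with '!' or '-' remove suites; skip them.
                if token and token[0] not in "!-" and any(
                        marker in token.upper() for marker in WEAK_MARKERS):
                    found.append(token)
    return found


def lint(text):
    """Return a list of (line_no, message) findings for a squid.conf text."""
    findings = []
    catch_all_line = None  # line of the first 'ssl_bump <action> all' rule
    for line_no, name, args in parse_directives(text):
        if name in ("http_port", "https_port"):
            for token in weak_ciphers(args):
                findings.append((line_no, f"weak cipher enabled: {token}"))
        elif name == "ssl_bump" and args:
            if catch_all_line is not None:
                findings.append((line_no, "unreachable ssl_bump rule: 'all' "
                                 f"on line {catch_all_line} matches first"))
            elif args[1:] == ["all"]:
                catch_all_line = line_no
    return findings


# Constructed sample: shortened directives with the catch-all rule placed first.
SAMPLE = """\
http_port 3128
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl/squid.pem cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5
ssl_bump server-first all
ssl_bump none localhost
"""

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE):
        print(f"line {line_no}: {message}")
```
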