Aug 13, 2011
tom

Filter SSL connections with squid proxy

Question

We have a Ubuntu server between our network & the firewall for URL filtering. Of course SSL connections are a problem. I am looking into ways of doing some basic filtering. I have even thought of using sslstrip & squid, but this doesn’t seem like a very good solution. Does anyone have a suggestion of how I might be able to do this. I searched a lot of Google, but didn’t really get any good answers… perhaps that is because there are none?

Thanks!

Answer

At the current time I don’t think you can do this with squid. The potential is there:

We believe it is technically possible to implement dynamic certificate generation for transparent connections. Doing so requires turning Squid transaction handling steps upside down, so that the secure connection with the server is established before the secure connection with the client. The implementation will be difficult, but it will allow Squid to get the server name from the server certificate and use that to generate a fake server certificate to give to the client. Quality patches or sponsorships welcomed.

Source: see limitations section of http://wiki.squid-cache.org/Features/DynamicSslCert

I know of at least one commercial solution that does this. There may be more.

Related posts:

  1. Making squid use a proxy
  2. Squid url rewrites https>>http
  3. Proxy Access to my Squid Proxy
  4. How to setup a HTTP/s Proxy behind Squid/Sockd Proxy
  5. loadbalancing on squid proxy

Leave a comment