Internet Related/Filtering/Firewall Thread, Transparent Proxy and HTTPS in Technical; Hi all,
I've been searching the forums and have seen various threads relating to this topic but have yet to ...
23rd August 2012, 02:05 PM #1
- Rep Power
Transparent Proxy and HTTPS
I've been searching the forums and have seen various threads relating to this topic but have yet to come across any real solutions.
We've setup a guest wireless network to allow students to bring in laptops/tablets etc from home and access the Internet. To avoid having to configure any settings on the student devices, we've configured a transparent Squid proxy which passes all HTTP traffic from the guest wireless network through to the school network and out to the Internet. The problems occur when a student tries to access an HTTPS page on the guest wireless network, and they getting a response of unable to establish a secure connection.
If the proxy details for the Squid server are manually entered, the HTTPS session works and secure connections are allowed, so it's obviously just the transparent aspect that's causing the issue.
I've read a few articles saying the Squid can be compiled with the --enable-SSL feature to allow transparent HTTPS connections but I'm not really sure what I'm doing regarding this.
There's also been mention of SmoothWall and Dansguardian, but again, I'm not familar with these and whether they could provide a better solution or not?
Any help would be greatly appreciated!!
23rd August 2012, 11:28 PM #2
Originally Posted by Gruff
If you want to transparently capture HTTPS traffic you will need to have a HTTPS decryption tool that can perform a "safe man in the middle attack"
Your connections are currently breaking because the browsers on the wireless network are unaware that a proxy server exists, due to this when your proxy transparently attempts to filter HTTPS traffic your browsers detect that a man in the middle attack is happening and stops the connection (and rightly so!)
Web filtering vendors out there provide the ability for full HTTPS decryption in transparent mode, I'm not aware of any free options out there. However, in order for HTTPS decryption to work clients need to trust a spoof certificate that is generated by the web filter....this is fine for domain machines, however for BYOD machines this could present an issue. If clients don't install the certificate they will receive errors on their browser when attempting to access HTTPS sites. Clients that trust the spoof will be able to browse as normal....
Thanks to grant_girdwood from:
tom_newton (28th August 2012)
24th August 2012, 12:00 AM #3
look at PAC files to auto config the proxy.
24th August 2012, 12:12 AM #4
Of course! I forgot about this option, however it wouldn't then be in transparent mode but would provide http/https filtering - for those who don't want to use pac files they would only have HTTP browsing ability.
Originally Posted by twin--turbo
24th August 2012, 12:23 AM #5
I thought lots of apps on tablets had problems with non transparent proxy's so it was best to use a transparent?
Or am I making that up.
24th August 2012, 09:26 AM #6
- Rep Power
Thanks for the replies.
I've been using DHCP to distribute wpad settings on the main network for a while now. This works great as we have full control over what OS and browers people are using. As the new WLAN is designed to facilitate BYOD, the aim was to have a system that could support various OS & browers, and have little or no client configuration required.
What Grant's mentioned regarding HTTPS decryption and a 'safe man-in-the-middle attack' seems to be the only the to achieve this. I've read that the latest build of Squid proxy (3.2.x) now have features capable of doing this, but the configuration and compiling of the software seems a lot more involved than just the normal install/setup (especially nor a *nix novice like myself).
The self-certified certificate is then the only issue for clients I guess. I'll have to look into the system further and see what I can do. I'll post back here if I get any further.
Meanwhile, if anyone knows of any better solutions, I'd glad accept advice!
28th August 2012, 12:01 AM #7
I'm in a similar boat and didn't want to do a MITM style setup. Our guest network needs to be filtered and the content proxy is offsite at our ISD (not managed by us). So I setup a transparent Squid installation with a captive portal splash screen. It forces users to click an acceptance link to terms and conditions, and then forwards them to a page with instructions for adding proxy settings for HTTPS to work. If they don't follow the instructions they can still get out with just HTTP that is sent to the upstream content filter.
20th September 2012, 10:44 AM #8
- Rep Power
Just out of interest - did you configure squid to use 1 nic or 2? Ive set it up on a windows pc and it seems to be running fine. Im starting to add users through it to see how the performance goes, but I wasnt sure if its best practice to go with 1 nic for lan traffic and the other for wan or just have 1 doing everything?
21st September 2012, 04:19 PM #9
It depends on what you're trying to accomplish. If you want a transparent proxy, then yes, two NICs is a requirement. If you're just setting up a proxy for internal student/staff web traffic that will be pushed out through GPO, then one NIC is all you need. Two NICs are really only needed when you're routing traffic between networks.
Originally Posted by shabbaranks
21st September 2012, 04:25 PM #10
- Rep Power
Im struggling to find documentation on this. What Im trying to do is create a cache proxy and after this is working possibly start to output reports and graphs based on useage etc. I have installed squid for windows but due to what seems to be a lack of addins\documentation Im starting to think I should have gone down the linux route?
21st September 2012, 05:15 PM #11
what are the commercial solutions/methods to create a https compliant transparent proxy?
By localzuk in forum Scripts
Last Post: 22nd February 2012, 09:26 AM
Last Post: 12th December 2008, 04:10 PM
By daveyboy in forum MIS Systems
Last Post: 13th September 2006, 02:04 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)