Transparent Proxy and HTTPS

#1 Gruff

    Hi all,

    I've been searching the forums and have seen various threads relating to this topic but have yet to come across any real solutions.

    We've setup a guest wireless network to allow students to bring in laptops/tablets etc from home and access the Internet. To avoid having to configure any settings on the student devices, we've configured a transparent Squid proxy which passes all HTTP traffic from the guest wireless network through to the school network and out to the Internet. The problems occur when a student tries to access an HTTPS page on the guest wireless network, and they getting a response of unable to establish a secure connection.

    If the proxy details for the Squid server are manually entered, the HTTPS session works and secure connections are allowed, so it's obviously just the transparent aspect that's causing the issue.

    I've read a few articles saying the Squid can be compiled with the --enable-SSL feature to allow transparent HTTPS connections but I'm not really sure what I'm doing regarding this.

    There's also been mention of SmoothWall and Dansguardian, but again, I'm not familar with these and whether they could provide a better solution or not?

    Any help would be greatly appreciated!!

#2 grant_girdwood

    Quote Originally Posted by Gruff (post #1):
    Hi Gruff,

    If you want to transparently capture HTTPS traffic you will need to have an HTTPS decryption tool that can perform a "safe man-in-the-middle attack".

    Your connections are currently breaking because the browsers on the wireless network are unaware that a proxy server exists. Because of this, when your proxy transparently attempts to filter HTTPS traffic, your browsers detect that a man-in-the-middle attack is happening and stop the connection (and rightly so!).

    Web filtering vendors out there provide the ability for full HTTPS decryption in transparent mode; I'm not aware of any free options out there. However, in order for HTTPS decryption to work, clients need to trust a spoof certificate that is generated by the web filter. This is fine for domain machines; however, for BYOD machines this could present an issue. If clients don't install the certificate they will receive errors in their browser when attempting to access HTTPS sites. Clients that trust the spoof will be able to browse as normal.

    Good luck!


#3 twin--turbo

    Look at PAC files to auto-configure the proxy.

    Rob

#4 grant_girdwood

    Quote Originally Posted by twin--turbo (post #3):
    Of course! I forgot about this option; however, it wouldn't then be in transparent mode, but it would provide HTTP/HTTPS filtering. Those who don't want to use PAC files would only have HTTP browsing ability.

#5

    I thought lots of apps on tablets had problems with non-transparent proxies so it was best to use a transparent one?
    Or am I making that up.

#6 Gruff

    Thanks for the replies.

    I've been using DHCP to distribute WPAD settings on the main network for a while now. This works great as we have full control over what OS and browsers people are using. As the new WLAN is designed to facilitate BYOD, the aim was to have a system that could support various OSes and browsers, and have little or no client configuration required.

    What Grant's mentioned regarding HTTPS decryption and a 'safe man-in-the-middle attack' seems to be the only way to achieve this. I've read that the latest builds of the Squid proxy (3.2.x) now have features capable of doing this, but the configuration and compiling of the software seem a lot more involved than just the normal install/setup (especially for a *nix novice like myself).

    The self-certified certificate is then the only issue for clients, I guess. I'll have to look into the system further and see what I can do. I'll post back here if I get any further.

    Meanwhile, if anyone knows of any better solutions, I'd gladly accept advice!
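    What grant_girdwood describes in post #2 (a proxy that re-signs every HTTPS site with its own CA, which clients must be made to trust) and the Squid SslBump route Gruff mentions in post #6 come down to three artefacts: the bump CA, a squid.conf with intercept ports and a bump policy, and the netfilter rules that push guest traffic into the proxy. The script below stages all three; it is an added example, not code from the thread or from the Squid project. It is written for current Squid (peek/splice ACLs need 3.5+, the security_file_certgen helper needs 4+; 3.5 uses cert= and ssl_crtd instead), so it does not match the 3.2 build the posts were about. Interface names, the 192.168.50.0/24 guest range, ports 3128/3129, file paths and the no_bump site list are all assumptions to be replaced.

```shell
#!/bin/sh
# Added example, not from the thread: stage the pieces a transparent Squid
# SslBump deployment needs on a two-NIC proxy box (guest WLAN on one NIC,
# school LAN / Internet on the other). Targets current Squid (peek/splice,
# security_file_certgen); not the 3.2-era build mentioned in the posts.
# Assumed values (change to suit): interface names, guest range, ports,
# paths and the no_bump list.
set -eu

LAN_IF="${LAN_IF:-eth1}"                 # guest WLAN side
WAN_IF="${WAN_IF:-eth0}"                 # school LAN / upstream side
GUEST_NET="${GUEST_NET:-192.168.50.0/24}"
SQUID_SSL_DIR="${SQUID_SSL_DIR:-/etc/squid/ssl_cert}"
CERT_DB="${CERT_DB:-/var/lib/squid/ssl_db}"

# 1. The bump CA. Squid signs a fresh certificate for every site with this
#    key, so whoever holds the key can impersonate any HTTPS site to every
#    client that trusts it: keep it on the proxy only, mode 0600.
make_bump_ca() {
    dir="$1"
    mkdir -p "$dir"
    # `req -x509` marks the cert CA:TRUE by default (v3_ca section in the
    # 1.1.1 config, built-in default in OpenSSL 3); is_ca_cert checks it did.
    openssl req -x509 -new -newkey rsa:2048 -sha256 -nodes -days 1825 \
        -subj "/CN=Guest WLAN Proxy CA" \
        -keyout "$dir/bumpCA.key" -out "$dir/bumpCA.crt" 2>/dev/null
    # Squid reads key+cert from one PEM; clients only ever get the DER cert.
    cat "$dir/bumpCA.key" "$dir/bumpCA.crt" > "$dir/bumpCA.pem"
    chmod 600 "$dir/bumpCA.key" "$dir/bumpCA.pem"
    openssl x509 -in "$dir/bumpCA.crt" -outform DER -out "$dir/bumpCA.der"
}

# A CA cert without CA:TRUE is rejected by clients even after they import
# it, which looks exactly like the original "unable to establish a secure
# connection" problem; check before handing anything out.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# 2. squid.conf: intercept ports plus the bump policy.
write_squid_conf() {
    out="$1" ca_pem="$2" db="$3" net="$4"
    cat > "$out" <<EOF
# intercept ports: traffic arrives here via the iptables REDIRECT rules
http_port  3128 intercept
https_port 3129 intercept ssl-bump \\
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \\
    tls-cert=$ca_pem
# helper that mints per-site certs signed by the bump CA (ssl_crtd on 3.5)
sslcrtd_program /usr/lib/squid/security_file_certgen -s $db -M 4MB

# sites that must not be decrypted (pinning, client certificates, banking);
# constructed list for this example
acl no_bump ssl::server_name .bank.example .pinned.example
acl step1 at_step SslBump1

# peek at the ClientHello so the SNI is known, pass the exceptions through
# untouched (splice), decrypt everything else (bump)
ssl_bump peek   step1
ssl_bump splice no_bump
ssl_bump bump   all

acl guest_lan src $net
http_access allow guest_lan
http_access deny all
EOF
}

# 3. Netfilter: forward guest traffic and divert 80/443 into Squid.
write_redirect_rules() {
    out="$1" lan="$2" wan="$3"
    cat > "$out" <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80  -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i $lan -p tcp --dport 443 -j REDIRECT --to-ports 3129
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

STAGE="${STAGE:-$(mktemp -d)}"
write_squid_conf "$STAGE/squid.conf" "$SQUID_SSL_DIR/bumpCA.pem" "$CERT_DB" "$GUEST_NET"
write_redirect_rules "$STAGE/redirect.sh" "$LAN_IF" "$WAN_IF"
if command -v openssl >/dev/null 2>&1; then
    make_bump_ca "$STAGE/ssl_cert"
    is_ca_cert "$STAGE/ssl_cert/bumpCA.crt"
fi
echo "staged in $STAGE"
echo "next: copy squid.conf and ssl_cert/ into place, then"
echo "  security_file_certgen -c -s $CERT_DB -M 4MB; squid -k parse; sh $STAGE/redirect.sh"
echo "  and install ssl_cert/bumpCA.der as a trusted root on every client"
```

    Only bumpCA.der leaves the proxy: Windows and macOS take it as a trusted root, iOS needs it installed as a profile and then enabled under certificate trust settings, and Android accepts it as a user CA. Even with the CA trusted, apps that pin their server certificate, and Android 7+ apps that ignore user-installed CAs by default, will still fail behind the bump; those hosts belong on the splice list rather than in a support ticket.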

#7 Duke5A

    I'm in a similar boat and didn't want to do a MITM-style setup. Our guest network needs to be filtered and the content proxy is offsite at our ISD (not managed by us). So I set up a transparent Squid installation with a captive portal splash screen. It forces users to click an acceptance link to terms and conditions, and then forwards them to a page with instructions for adding proxy settings for HTTPS to work. If they don't follow the instructions they can still get out with just HTTP, which is sent to the upstream content filter.

#8 shabbaranks

    Hi guys,

    Just out of interest, did you configure Squid to use 1 NIC or 2? I've set it up on a Windows PC and it seems to be running fine. I'm starting to add users through it to see how the performance goes, but I wasn't sure if it's best practice to go with 1 NIC for LAN traffic and the other for WAN or just have 1 doing everything?

    Thanks

#9 Duke5A

    Quote Originally Posted by shabbaranks (post #8):
    It depends on what you're trying to accomplish. If you want a transparent proxy, then yes, two NICs are a requirement. If you're just setting up a proxy for internal student/staff web traffic that will be pushed out through GPO, then one NIC is all you need. Two NICs are really only needed when you're routing traffic between networks.

#10 shabbaranks

    Thanks,

    I'm struggling to find documentation on this. What I'm trying to do is create a cache proxy and, after this is working, possibly start to output reports and graphs based on usage etc. I have installed Squid for Windows but, due to what seems to be a lack of add-ins/documentation, I'm starting to think I should have gone down the Linux route?

#11 browolf

    What are the commercial solutions/methods to create an HTTPS-compliant transparent proxy?
