Transparent Proxy

#1 Michael

Hello all,

Has anyone successfully set up a transparent proxy that will allow http, https and ftp with no configuration required on the client, including that of installing certificates or other?

If yes, what did you use (CentOS, Ubuntu etc.) and did you use Squid or TinyProxy, for example?

And more crucially, can you provide instructions? I'm going round in circles and most of the online wikis are poorly written, don't work, are out of date or simply don't make any sense! Many thanks!

#2 DMcCoy

I doubt it, you can't transparently proxy SSL; the best you can do is allow/deny the connection based on certificate domain info.

Thanks to DMcCoy from: Michael (22nd July 2014)

#3 SchoolsBroadband

Originally Posted by DMcCoy:
> I doubt it, you can't transparently proxy SSL; the best you can do is allow/deny the connection based on certificate domain info.

Correct, otherwise it's not transparent.

You can do man in the middle attacks if you install a certificate on each client though.

We use Lightspeed in transparent mode on our infrastructure and it works a treat.

Dave

Thanks to SchoolsBroadband from: Michael (22nd July 2014)

#4 DMcCoy

Originally Posted by SchoolsBroadband:
> Correct, otherwise it's not transparent.
>
> You can do man in the middle attacks if you install a certificate on each client though.
>
> We use Lightspeed in transparent mode on our infrastructure and it works a treat.
>
> Dave

You can do MITM but I always felt it was a bit on the iffy side; even when I could have done it, I didn't. It always seemed one step too far for me. Perhaps for a primary, and only for students, is the time I might consider it.

Although no good in this instance: no client config.

#5 Michael

Thanks for confirming my suspicions. Wouldn't the alternative be to configure a firewall rule so 443 traffic bypasses the proxy altogether and goes straight to its destination? This would remove the need for both MITM and deploying a cert to all clients. The logic being the traffic is encrypted, so cannot be read anyway.

#6

Can only speak for our setup, but it depends on what you are trying to filter and why.

With Bluecoat Proxy SG in transparent mode, the proxy is unable to see the header or URL request as the traffic is encrypted; however, it can see the IP of the destination. With most common sites (e.g. Facebook) this works OK as Bluecoat has a known IP list of Facebook's servers and blocks without any need for SSL MITM. This works for most porn sites as well.

The problem I have written about before is Google. With the move of Google to nearly SSL for everything, and with multiple services being served from the same IP addresses, it is impossible to classify Google traffic as Search or YouTube or GAFE as it is all coming from the same IP range (at least that is how Bluecoat sees it). As such, the only way we can get Bluecoat to do this is do a MITM for Google domains only; we can then filter traffic based on the URL and also inject the safe search URL appendage. Yes, this does cause SSL errors and we have to push out the Bluecoat SSL cert using GPO as well as get the kids to manually install it on their iPads. Painful, but until Google gives us the option to bypass SSL for all Google sites based on our school public IP, I don't see an alternative.

Wally

#7 SchoolsBroadband

@craigw you are right, Google has thrown up problems now they are all SSL.

This can still be sorted though. Get your DNS servers to force Google to use the nossl option and then, hey presto, if your filtering product can support it you can enforce Google safe search and do all the other lovely filtering you need. We do this by default on our infrastructure and it works very well indeed.

See https://support.google.com/websearch...r/186669?hl=en

You then need to start thinking about blocking DNS access to other services such as OpenDNS to ensure your clever pupils don't get round it that way.

Feel free to contact me folks if you have any specific questions as we've a lot of experience with this.

Thanks

Dave

Thanks to SchoolsBroadband from: Duke5A (5th August 2014)

#8 exa_markd

Yep, Exa also supports the nosslsearch DNS fix as we have a custom DNS service for SurfProtected customers.

Cheers

Mark

#9 tom_newton

This is perfectly possible: you can easily transparently proxy HTTPS, and unless you want MITM, you won't need certs, but all you will get is domain names for blocking. I suspect Squid will do this out of the box, but you would need to be using version 3, and I am not sure how common that is yet as standard on most distros.

It's even possible to use Google's NOSSLsearch selectively without resorting to DNS...

#10

David, the problem is twofold for us. Firstly, this only addresses search; according to Google:
"Utilizing the NoSSLSearch VIP will not affect other Google services outside of Search. Logging into Google Apps and authenticating to different services will continue to work (and will occur over SSL)."

So therefore we cannot filter SSL YouTube traffic unless we do MITM.

Secondly, as Bluecoat uses ISP DNS we are unable at present to add a CNAME into the DNS records, and confirmed with Bluecoat that they have nothing equivalent to a hosts file on the box that we could use instead.
Has anyone done this on their internal Windows 2008R2 AD integrated DNS? See this thread... I am not sure how you can get this to work

http://social.technet.microsoft.com/...um=winserverDS

If someone has this running live I would be keen to see the config for the zone that you are using.
Cheers
Wally

#11 free780

Can your MITM cert be a paid cert so it is already trusted?

#12

The issue with MITM is not whether it is a paid cert or not (I think), rather that as a MITM process your browser says "hang on, this cert is saying it is from Google.com and it is NOT from google.com". Paid or not, your browser will still object until you install the cert, effectively saying: hey, no problems, I still want to proceed and ignore the anomaly.
Wally
