Sunday, May 27, 2012

HTTPS Traffic block in squid 2.6


Here are the steps to configure a transparent proxy in Squid.

Steps for configuring a transparent proxy for the HTTPS protocol (port 443) in Squid 2.6
(steps tested on Squid 2.6 running on RHEL 5.0)

Configuring a transparent proxy on port 80 for the HTTP protocol is simple, but using a transparent proxy with the HTTPS protocol needs some extra configuration.

We need this because if we block a website, say www.facebook.com, users can no longer reach it on port 80 over HTTP, but if the same user opens https://www.facebook.com the site loads anyway and bypasses our filtering: with NAT and IP forwarding enabled, the port-443 traffic is simply forwarded past the proxy.

If, to close this hole, we add a port-443 rule in iptables the same way we did for port 80 (redirecting it to the plain http_port 3128), all HTTPS traffic breaks: the browser starts a TLS handshake, but Squid's http_port answers with a plain-text HTTP error, which the browser tries to read as a TLS record and rejects with

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

Blocking all HTTPS traffic is not an option in an office environment, and a transparent proxy is the requirement, so follow the steps below to make Squid accept the redirected HTTPS connections on a separate TLS-enabled port.

Create two iptables rules (the first may already exist; if so, add only the second):

#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

(Note that eth0 is my NIC facing the local network clients; adjust it to your topology.)
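As an added example (not part of the original post), here is the same redirection as a shell script with two things the two rules above lack: the REDIRECT rules are limited to the client subnet, and INPUT rules stop anyone outside the LAN interface from reaching the 3128/3130 listeners, which Squid otherwise binds on every interface, so the "transparent" ports would also be an open proxy on the WAN side. The interface eth0, the subnet 192.168.0.0/24 and the port numbers are assumptions taken from the post; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): transparent-proxy NAT rules
# for HTTP and HTTPS, scoped to the client subnet, plus INPUT rules so the
# proxy listeners are reachable only from the LAN interface.
# Assumptions: eth0 faces the clients and 192.168.0.0/24 is their subnet.
# IPT selects the iptables binary; IPT=echo prints the rules instead.

# lan_redirect_rules IFACE LAN_CIDR [HTTP_PORT] [HTTPS_PORT]
lan_redirect_rules() {
  iface=$1; lan=$2; http_port=${3:-3128}; https_port=${4:-3130}
  ipt=${IPT:-iptables}

  # Redirect only the clients' web traffic; packets from other interfaces
  # or other source ranges are left alone.
  $ipt -t nat -A PREROUTING -i "$iface" -s "$lan" -p tcp --dport 80  -j REDIRECT --to-port "$http_port"
  $ipt -t nat -A PREROUTING -i "$iface" -s "$lan" -p tcp --dport 443 -j REDIRECT --to-port "$https_port"

  # REDIRECT rewrites the destination port before INPUT is consulted, so the
  # redirected packets arrive with dport 3128/3130.  Accept those only from
  # the LAN interface and drop the same ports from anywhere else, so the
  # proxy never becomes an open proxy on the outside interface.
  # (Inserted at position 1 in this order: ACCEPT ends up above DROP.)
  $ipt -I INPUT 1 -p tcp -m multiport --dports "$http_port,$https_port" -j DROP
  $ipt -I INPUT 1 -i "$iface" -p tcp -m multiport --dports "$http_port,$https_port" -j ACCEPT
}

# Usage (as root):  lan_redirect_rules eth0 192.168.0.0/24
# Dry run:          IPT=echo lan_redirect_rules eth0 192.168.0.0/24
```

The INPUT rules matter because http_port 3128 transparent and https_port 3130 transparent listen on all addresses of the box; without them, a host on the outside interface can use the proxy directly.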

Certificate and key pair generation steps

Install rpm crypto-utils

#rpm -ivh crypto-utils-2.3
#genkey -days 365 squidserver.hostname.com
(Replace the hostname with your proxy's own hostname, e.g. #genkey -days 365 squidserver.corvit.com)
Hit Next.
Select the key size in bits. The default is 1024; choose 2048, because 1024-bit RSA keys are no longer considered strong enough. genkey then gathers random data and generates the key pair.
Generate the certificate. This may take some time.
When the option "Generate CSR" is displayed, select No (a self-signed certificate is enough for this setup).
Give the details of your certificate.
Hit Next.
Do nothing and hit Next.
Do not set a passphrase on the private key: Squid loads the key from disk when it starts and has no way to supply a passphrase, so an encrypted key will keep the service from starting. Protect the unencrypted key with file permissions instead (owned by root or the squid user, mode 0600), because anyone who can read it can impersonate the proxy.

The certificate is now created. The certificate and key are stored in /etc/pki/tls/certs/ and /etc/pki/tls/private/ respectively.

In squid.conf make necessary changes like this

http_port 3128 transparent

https_port 3130 transparent cert=/etc/pki/tls/certs/squidserver.hostname.com.cert key=/etc/pki/tls/private/squidserver.hostname.com.key

Restart the squid service. Squid now answers the redirected port-443 connections with its own certificate (issued to squidserver.hostname.com) no matter which site was requested, so the browser reports that the secure connection failed. In Firefox the message ends with the link "Or you can add an exception"; click it, then click ADD EXCEPTION, GET CERTIFICATE and CONFIRM SECURITY EXCEPTION. Once the exception is accepted, the proxy terminates the TLS session and sees the request in clear text, so the site opens if no rule stops it, or is blocked if a blocking ACL exists for it. Keep in mind that this is a man-in-the-middle of your users' HTTPS traffic: whoever holds the proxy's private key can read everything that passes through it.

The exception is stored per site: a user has to add it only the first time they open a given https website; after that the site opens normally without asking.

A certificate signed by a company like VeriSign or another CA the browser trusts does not remove this warning: the browser also compares the name in the certificate (squidserver.hostname.com) with the name the user typed (www.facebook.com), and a public CA will not issue you a certificate for someone else's domain. The only way to avoid the warning is to run your own CA, install its certificate in every client's trust store, and have the proxy present a certificate for each visited site signed by that CA. Squid 2.6 cannot generate such per-site certificates (later Squid versions, 3.1 onwards, added this as SSL Bump), so with this setup users will have to add an exception once for every new https website.
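The name mismatch, as an added example that is not part of the original post: a shell script that creates the proxy's key and self-signed certificate with plain openssl (an alternative to the genkey walk-through above; the RHEL paths, the 2048-bit key size and the availability of openssl are assumptions) and implements the hostname check a browser applies to a certificate. It shows that a certificate for squidserver.hostname.com never covers www.facebook.com, whichever CA signed it.

```shell
#!/bin/sh
# Added example (not from the original post): proxy key/certificate with
# plain openssl, plus the browser's certificate-name check, to show why the
# warning in the post is a name mismatch and not a trust problem.
# Assumptions: openssl is installed; CERTDIR/KEYDIR default to the RHEL
# paths used in the post.

# gen_selfsigned_cert HOSTNAME [DAYS]
# Unencrypted RSA key (no passphrase, so Squid can load it unattended) and a
# self-signed certificate whose CN is the proxy's own hostname.
gen_selfsigned_cert() {
  host=$1; days=${2:-365}
  certdir=${CERTDIR:-/etc/pki/tls/certs}
  keydir=${KEYDIR:-/etc/pki/tls/private}
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$host" \
    -keyout "$keydir/$host.key" -out "$certdir/$host.cert" || return 1
  # The key is the proxy's ability to read everyone's HTTPS; keep it private.
  chmod 600 "$keydir/$host.key"
}

# cert_cn CERTFILE: print the CN from a certificate's subject
# (handles both "subject= /CN=x" and "subject=CN = x" output styles).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'
}

# cert_name_matches NAME HOST
# Returns 0 when a certificate name (CN or SAN dNSName) covers HOST the way
# browsers check it: case-insensitive exact match, or a single-label wildcard
# in the leftmost position (*.example.com covers a.example.com but neither
# a.b.example.com nor example.com).
cert_name_matches() {
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$pat" = "$host" ] && return 0
  case "$pat" in
    '*.'*)
      suffix=${pat#\*.}        # everything after "*."
      label=${host%%.*}        # leftmost label of the host
      rest=${host#*.}          # host without its leftmost label
      [ -n "$label" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ] && return 0
      ;;
  esac
  return 1
}

# cert_covers_site CERTFILE HOST: does this certificate's CN cover HOST?
cert_covers_site() {
  cert_name_matches "$(cert_cn "$1")" "$2"
}

# What the browsers in the post see: the proxy's certificate is for
# squidserver.hostname.com, but the user asked for www.facebook.com.
#   cert_name_matches squidserver.hostname.com www.facebook.com   -> exit 1
# Signing the same certificate with a public CA changes nothing here.
```

Use gen_selfsigned_cert squidserver.hostname.com as root to produce the same two files the post configures in squid.conf; cert_covers_site /etc/pki/tls/certs/squidserver.hostname.com.cert www.facebook.com then fails for exactly the reason the browser complains.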

3 comments:

Admin said...

Try this acl:

You can block this by setting restrictions.

Ex:
acl localnet src 192.168.0.0/24
acl restrictsites url_regex -i https: gmail
http_access allow localnet !restrictsites
http_access deny all


This does not allow gmail or https connections for local IPs.

Anonymous said...

try this (the best)
http://www.maravento.com/2012/08/aceptar-o-denegar-https.html

