Score:1

Transparently tunnel HTTPS using squid with SNI filtering

My requirements are:

  1. The proxy should be transparent.
  2. I should be able to filter websites by domain name.
  3. I do not want to decrypt traffic. I'm looking for an SNI sniffing based solution -- no installing certificates on clients.

There are plenty of answers floating around but they are either incorrect (claiming you need to decrypt traffic in order to do this) or incomplete.

Score:2

The way to do this is to use the ssl peek feature introduced in Squid 3.5. See here for a detailed explanation. Do note you will need to have compiled with either --with-gnutls or --with-openssl (check squid -v). Some distros leave them out.

In short, the relevant squid configuration looks like this.

acl denylist_ssl ssl::server_name google.com # NOT dstdomain
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice !denylist_ssl # allow everything not in the denylist
ssl_bump terminate all # block everything else
https_port 3129 intercept ssl-bump cert=/etc/squid/dummy.pem

(Aside: I am not sure why we need to only peek at step 1 and not step 2, given that step 2 involves only receiving the server certificate. The docs do not make this clear at all. Using ssl_bump peek all as they recommend makes this stop working entirely.)

And then do the usual redirect port 443 to 3129 dance using iptables (or have squid listen on 443 directly if you prefer).

-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

You can use any certificate for the dummy; we actually never use it (because we're not decrypting traffic).

Something like this works.

openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout dummy.pem -out dummy.pem

Sources:

[1] https://unix.stackexchange.com/questions/613359/setting-up-squid-transparent-proxy-with-ssl-bumping-on-debian-10

[2] https://web.archive.org/web/20210128152111/https://www.cammckenzie.com/blog/index.php/2018/07/19/squid-https-interception-and-filtering-without-client-certificates/

[3] https://wiki.squid-cache.org/Features/SslPeekAndSplice

Ginnungagap: "some distros" is actually closer to "most distros", the Debian-based ones all leave them out and IIRC, RHEL and derivatives do too. That leaves mostly niche distros to provide them, Alpine being maybe the most popular distro to provide it considering its use in containers.

xrisk: @Ginnungagap I'm running CentOS 7.9 and my squid does come with openssl.

Ginnungagap: Ah, so I didn't recall correctly, thanks for the info :)

Rafael: Might be of some help too https://docs.diladele.com/tutorials/transparent_proxy_debian/index.html