Easiest way to allow direct HTTPS connection in Intercept mode?

Posted by Nick Lin on Server Fault
Published on 2011-06-26T21:44:13Z Indexed on 2011/06/27 0:24 UTC

I know the SSL issue has been beaten to death

I'm using DNS redirect to force my clients to use my intercept proxy. As we all know, intercepting HTTPS connection is not possible unless I provide a fake certificate. What I want to achieve here is to allow all HTTPS requests connect directly to the source server, thus bypassing Squid:

  • HTTP connection -> Proxy by Squid
  • HTTPS connection -> Bypass Squid and connect directly

I spent the past few days googling and trying different methods but none worked so far. I read about SSL tunneling using the CONNECT method but couldn't find any more information on it.

I tried a similar method in using RINETD to forward all traffic going through port 443 of my Squid back to the original IP of www.pandora.com. Unfortunately, I did not realize all other HTTPS requests are also forwarded to the IP of www.pandora.com. For example, https://www.gmail.com also takes me to https://www.pandora.com

Since I'm running the Intercept mode, the forwarding needs to be dynamic and match each HTTPS domain name with proper original IP. Can this be done in Squid or iptables?

Lastly, I'm directing traffic to my Squid server using DNS zone redirect. For example, a client requests www.google.com, my DNS server directs that request to my Squid IP, then my transparent Squid will proxy that request. Will this setup affect what I'm trying to achieve? I tried many methods but couldn't get it to work.

Any takes on how to do this?
