Easiest way to allow direct HTTPS connection in Intercept mode?
- by Nick Lin
I know the SSL issue has been beaten to death.
I'm using DNS redirect to force my clients to use my intercept proxy.
As we all know, intercepting HTTPS connections is not possible unless I
provide a fake certificate. What I want to achieve here is to allow
all HTTPS requests to connect directly to the source server, thus
bypassing Squid:
- HTTP connection: proxy by Squid
- HTTPS connection: bypass Squid and connect directly
I spent the past few days googling and trying different methods but
none worked so far. I read about SSL tunneling using the CONNECT
method but couldn't find any more information on it.
I tried a similar method using RINETD to
forward all traffic going through port 443 of my Squid back to the
original IP of www.pandora.com. Unfortunately, I did not realize all
other HTTPS requests are also forwarded to the IP of www.pandora.com.
For example, https://www.gmail.com also takes me to https://www.pandora.com.
Since I'm running the Intercept mode, the forwarding needs to be
dynamic and match each HTTPS domain name with its proper original IP. Can
this be done in Squid or iptables?
Lastly, I'm directing traffic to my Squid server using DNS zone redirect. For example, a client requests www.google.com, my DNS server directs that request to my Squid IP, then my transparent Squid will proxy that request. Will this setup affect what I'm trying to achieve? I tried many methods but couldn't get it to work.
Any takes on how to do this?