Hi,

I've been running Squid successfully on CentOS 7 (and before that on 6 and 5), and it's always been running nicely. I've been using it mostly as a transparent proxy filter in school networks.

So far, I've only been able to filter HTTP.

Do any of you do transparent HTTPS filtering? Any suggestions, advice, caveats, do's and don'ts?

Cheers from the snowy South of France,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Itamar Reis Peixoto
2018-Feb-28 21:32 UTC
[CentOS] Squid and HTTPS interception on CentOS 7 ?
On 2018-02-28 06:23 PM, Nicolas Kovacs wrote:
> Hi,
>
> I've been running Squid successfully on CentOS 7 (and before that on 6
> and 5), and it's always been running nicely. I've been using it mostly
> as a transparent proxy filter in school networks.
>
> So far, I've only been able to filter HTTP.
>
> Do any of you do transparent HTTPS filtering? Any suggestions, advice,
> caveats, do's and don'ts?
>
> Cheers from the snowy South of France,
>
> Niki

I recommend everyone in France spend their money on a school with free internet. Please tell us the name of your schools.

HTTPS exists because we want freedom and privacy on the internet.
Marcelo Ricardo Leitner
2018-Feb-28 21:43 UTC
[CentOS] Squid and HTTPS interception on CentOS 7 ?
On Wed, Feb 28, 2018 at 10:23:31PM +0100, Nicolas Kovacs wrote:
> Hi,
>
> I've been running Squid successfully on CentOS 7 (and before that on 6
> and 5), and it's always been running nicely. I've been using it mostly
> as a transparent proxy filter in school networks.
>
> So far, I've only been able to filter HTTP.
>
> Do any of you do transparent HTTPS filtering? Any suggestions, advice,
> caveats, do's and don'ts?

I did some experiments ~2 weeks ago. It worked, but I still need to work on the certificates. Squid will re-issue certificates for those connections that it intercepts, and if the browser doesn't recognize the CA, it's going to scream out loud. For the test, I imported my test CA in the browser and then it was completely transparent. Not sure if there is a way to avoid this. I hope not, actually.

Marcelo
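The certificate re-issuing Marcelo describes, and why the browser complains, can be reproduced with nothing but openssl. The script below is an added example written for this thread; it is not Squid's code, not Nicolas's or Marcelo's configuration, and it does not run Squid. It does by hand what ssl_bump does for each intercepted site: mint a leaf certificate for the origin hostname, sign it with the proxy's own CA, then validate it against two client trust stores, one containing that CA and one without it. The CA names, the hostname www.example.org and the temporary paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: emulate the certificate re-issuing
# that Squid's ssl_bump does when it intercepts TLS, and show that a client
# only accepts the result when the proxy's CA is in its trust store.
# CA names, hostname and paths below are assumptions for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: "$1" is a file prefix, "$2" its common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Mint a server certificate for host "$1" signed by the bump CA.
# This is the step the proxy performs on the fly for every bumped site;
# the real origin's certificate never reaches the client.
reissue_for() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" \
    > "$WORK/$1.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
    -CA "$WORK/bump.crt" -CAkey "$WORK/bump.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Issuer of the re-issued leaf for host "$1", as a client would see it.
leaf_issuer() {
  openssl x509 -in "$WORK/$1.crt" -noout -issuer
}

# Emulate the client's chain validation: host "$1", trust store file "$2".
# Prints "trusted" or "untrusted"; the latter is the browser warning page.
trust_status() {
  if openssl verify -CAfile "$2" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Demo run on constructed input: the proxy CA, an unrelated CA standing in
# for a client that never imported the proxy CA, and one bumped host.
# To trust the bump CA system-wide on CentOS 7 you would instead copy
# bump.crt to /etc/pki/ca-trust/source/anchors/ and run "update-ca-trust extract".
make_ca bump "Example School Squid CA"
make_ca other "Unrelated CA"
reissue_for www.example.org
echo "issuer:                   $(leaf_issuer www.example.org)"
echo "client trusting bump CA:  $(trust_status www.example.org "$WORK/bump.crt")"
echo "client without bump CA:   $(trust_status www.example.org "$WORK/other.crt")"
```

Running it prints the leaf's issuer (the bump CA), "trusted" for the store that contains the bump CA and "untrusted" for the one that does not. The second line is the warning every client on the network will show until the CA has been distributed to it; on CentOS 7 the system store is updated by placing the CA in /etc/pki/ca-trust/source/anchors/ and running update-ca-trust extract, while Firefox keeps its own NSS store and needs the CA deployed separately.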
On 28/02/2018 at 22:32, Itamar Reis Peixoto wrote:
> I recommend everyone in France to spend their money on a school with
> free internet.

I'm not sure I understand. Our students sure don't pay for accessing the Internet.

> please tell us the name of your school's.

https://www.scholae.fr/

> the https exist's because we want freedom and privacy on internet.

Indeed. Except we have to stick to the law (article 227-24 of the French penal code) and provide filtered internet access so underage kids don't watch porn, build bombs or join the Jihad. Like pretty much every school, public library or administration in Western Europe.

Cheers,

Niki
On 28/02/2018 at 22:43, Marcelo Ricardo Leitner wrote:
> I did some experiments ~2 weeks ago. It worked, but I still need to
> work on the certificates. Squid will re-issue certificates for those
> connections that it intercepts, and if the browser doesn't recognize
> the CA, it's going to scream out loud. For the test, I imported my
> test CA in the browser and then was completely transparent. Not sure
> if there is a way to avoid this. I hope not, actually.

If you have any documentation, I'd be grateful for that.

On a more general note, I'm not a lamer for RTFM. It just seems that there's too much information out there on the subject, and everyone seems to be hacking together his own thing. So I'm looking for something that just works, even if it means I have to do some extensive reading.

Cheers,

Niki
Marcelo Ricardo Leitner
2018-Mar-01 02:14 UTC
[CentOS] Squid and HTTPS interception on CentOS 7 ?
On Wed, Feb 28, 2018 at 06:43:50PM -0300, Marcelo Ricardo Leitner wrote:
> On Wed, Feb 28, 2018 at 10:23:31PM +0100, Nicolas Kovacs wrote:
> > Hi,
> >
> > I've been running Squid successfully on CentOS 7 (and before that on 6
> > and 5), and it's always been running nicely. I've been using it mostly
> > as a transparent proxy filter in school networks.
> >
> > So far, I've only been able to filter HTTP.
> >
> > Do any of you do transparent HTTPS filtering? Any suggestions, advice,
> > caveats, do's and don'ts?
>
> I did some experiments ~2 weeks ago. It worked, but I still need to
> work on the certificates. Squid will re-issue certificates for those
> connections that it intercepts, and if the browser doesn't recognize
> the CA, it's going to scream out loud. For the test, I imported my
> test CA in the browser and then was completely transparent. Not sure
> if there is a way to avoid this. I hope not, actually.

https://smoothnet.org/squid-proxy-with-ssl-bump/ was of good help to me, btw.

Marcelo
On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
> So far, I've only been able to filter HTTP.
>
> Do any of you do transparent HTTPS filtering? Any suggestions,
> advice, caveats, do's and don'ts?

After a week of trial and error, transparent HTTPS filtering works perfectly. I wrote a detailed blog article about it.

https://blog.microlinux.fr/squid-https-centos/

Cheers,

Niki
Nice, thanks for sharing.

You could probably just drop your CA cert in the filesystem and run a couple of commands to get it imported, rather than having to import the CA in the browsers individually. You could probably deliver it via yum/rpm or better yet, ansible or even some shell script.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nicolas Kovacs" <info at microlinux.fr>
> To: "CentOS mailing list" <centos at centos.org>
> Sent: Monday, 5 March, 2018 12:04:59
> Subject: Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>> So far, I've only been able to filter HTTP.
>>
>> Do any of you do transparent HTTPS filtering? Any suggestions,
>> advice, caveats, do's and don'ts?
>
> After a week of trial and error, transparent HTTPS filtering works
> perfectly. I wrote a detailed blog article about it.
>
> https://blog.microlinux.fr/squid-https-centos/
>
> Cheers,
>
> Niki
On 05.03.2018 at 13:04, Nicolas Kovacs <info at microlinux.fr> wrote:
>
> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>> So far, I've only been able to filter HTTP.
>>
>> Do any of you do transparent HTTPS filtering? Any suggestions,
>> advice, caveats, do's and don'ts?
>
> After a week of trial and error, transparent HTTPS filtering works
> perfectly. I wrote a detailed blog article about it.
>
> https://blog.microlinux.fr/squid-https-centos/

I wonder if this works with all HTTPS-enabled sites? Chrome has capabilities hardcoded to check Google certificates. Certificate Transparency, HTTP Public Key Pinning and CAA DNS records also support the end node in identifying a MITM. I hope that such a setup will be impractical in the near future.

About your legal requirements: weighing is what courts do daily. So such requirements are not asking you to destroy the integrity and confidentiality of >95% of users' activity. Blocking routing, DNS, IPs and ports is the way to go.

--
LF
On 2/28/2018 4:23 PM, Nicolas Kovacs wrote:
> Hi,
>
> I've been running Squid successfully on CentOS 7 (and before that on 6
> and 5), and it's always been running nicely. I've been using it mostly
> as a transparent proxy filter in school networks.
>
> So far, I've only been able to filter HTTP.
>
> Do any of you do transparent HTTPS filtering? Any suggestions, advice,
> caveats, do's and don'ts?
>
> Cheers from the snowy South of France,
>
> Niki
>

I made a video on doing this yesterday on Debian. If you skip the part about the Debian install and use the CentOS Squid 3.5 packages from the binary package repo provided by Squid, you should be able to follow the same directions.

https://www.youtube.com/watch?v=Bogdplu_lsE