2

I am trying to create an internet distribution software for an ISP (an internet distributor or a school or other such organizations) like the one here

It will have restrictions and policies for users to limit bandwidth/speed/duration etc according to their internet connection package. Also, the administrator should be able to monitor their speed and block/allow users and renew packages.

The architecture is like:

[architecture diagram not reproduced in this copy]

Non-HTTPS client requests work fine. But HTTPS requests are giving SSL_ERROR, as expected.

I read Squid cannot handle HTTPS connections in transparent proxy mode, but I do not want users to set a proxy in their browser every time.

Is there any other way so that we can count all the traffic, including the encrypted traffic, used by a user and shape the traffic accordingly?

tombull89
haywire

1 Answer

2

This is not a limitation of Squid, it is a limitation of the HTTPS protocol itself. If you try setting up a transparent HTTPS proxy, you invariably would need to break the encryption channel - otherwise the proxy has no way of knowing which web site to load. So you basically choose between

  1. setting an HTTP proxy in browsers (which might be done through autodiscovery, BTW)
  2. breaking HTTPS security by terminating the encryption channel at your Squid proxy - BumpSSLServerFirst has been written with this in mind. For this to work though, your clients would need to trust Squid's CA to sign any certificate - it would have to be installed as a trusted root CA on every client.

As setting up trusted CA certs on all clients seems more labor-intensive than just setting an HTTPS proxy in the browser settings, it would only make sense if you plan on working with the decrypted data in ACLs or for request/response body checking.

the-wabbit
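Option 1 in the answer above, an explicit proxy handed to browsers through autodiscovery, is usually delivered as a Proxy Auto-Configuration (PAC) script. The script below is an added example and is not code from the question or the answer; the proxy address 192.168.1.1:3128, the local subnet 192.168.0.0/16, and the hypothetical exempt intranet host are assumptions. With an explicit proxy the browser opens HTTPS sites through a CONNECT tunnel, so Squid sees the destination host and port and the number of bytes exchanged per authenticated client without decrypting anything. The `isPlainHostName` and `isInNet` helpers are normally supplied by the browser; the guarded stand-ins here only exist so the file also runs under Node for testing, and the `isInNet` stand-in accepts IP literals only (the browser's version also resolves names).

```javascript
// Added example: a PAC script for an ISP/school network where every non-local
// request, HTTP and HTTPS alike, must pass through the Squid proxy.
// Assumed values: proxy 192.168.1.1:3128, local subnet 192.168.0.0/16.

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null.
function ipToInt(s) {
  var parts = String(s).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Stand-ins for the browser's built-in PAC helpers. The typeof guards leave
// the browser's own implementations untouched when this file is served as a
// real PAC; under Node they are undefined and these versions are installed.
if (typeof isPlainHostName === "undefined") {
  // A "plain" hostname has no dots, e.g. "intranet".
  globalThis.isPlainHostName = function (host) {
    return String(host).indexOf(".") === -1;
  };
}
if (typeof isInNet === "undefined") {
  // Simplified: host must be an IPv4 literal; no DNS resolution is attempted.
  globalThis.isInNet = function (host, pattern, mask) {
    var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    if (h === null || p === null || m === null) return false;
    return ((h & m) >>> 0) === ((p & m) >>> 0);
  };
}

// The single entry point a browser calls for every URL it is about to fetch.
function FindProxyForURL(url, host) {
  // Traffic that stays on the local network is not metered: go direct.
  if (isPlainHostName(host) || isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through Squid. There is deliberately no "; DIRECT"
  // fallback: if the proxy is down, browsing fails rather than silently
  // bypassing authentication and byte counting.
  return "PROXY 192.168.1.1:3128";
}
```

Serve the file as `wpad.dat` from a host named `wpad` in the clients' DNS search domain (or point browsers at its URL through DHCP option 252 or group policy) and browsers will pick it up without per-user configuration. The omitted `DIRECT` fallback is the security-relevant choice: a PAC that ends in `; DIRECT` fails open, which is convenient for users but lets all traffic escape the accounting the question asks for whenever the proxy is unreachable.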