transparent web proxy without mitm for https not working

[MrRagga]

Hi,
I just want to get the web proxy running to deny all outgoing traffic except for a few domains.
I enabled SSL inspection and "Log SNI information only", because as far as I understand this is needed to be able to do ACL filtering on DNS names, right?

If I configure the browser on the host (192.168.1.102) to directly use the web proxy  for http/https on port 3128 it does work as expected.

If I try to do it transparent via the Port Forwarding NAT rule, I get a "SSL_ERROR_RX_RECORD_TOO_LONG" which seems like, there is something wrong with the redirect rule:

IF1    TCP    192.168.1.102    *    ! 192.168.1.0/24    443 (HTTPS)    192.168.1.23    3128    redirect traffic to proxy HTTPS

Any help appreciated.

Cheers Jonas

[Amr]

Hello Jonas,
I assume you have the correct firewall rules to allow proxy access, and you didn't change the default proxy ports.
Then you'll need to edit the NAT rule to send HTTPS traffic to port 3129 (Squid HTTPS) instead of 3128 (Squid HTTP).

PS: This might be a bit late, but DNS would have been a better solution if all you wanted was to block access to certain websites without bumping traffic.

[MrRagga]

Hi,
thanks for you answer.
I used the settings in firefox "Also use this proxy for FTP and HTTPS", which points to "192.168.1.23:3128". So no need to point HTTPS to another port? That's why I tried to redirect to 3128 with the transparent settings, too.

It's not too late for a DNS solution. With unbound or dns-crypt?

Cheers Jonas

[MrRagga]

Hi,
DNS blocking does not work. Since I have deny all rules for my host and only allow a few specific ones. But since e.g. Windows Updates uses a lot of possibly changing IP addresses DNS will resolve probably but it will still be blocked on a firewall filtering level.

Cheers Jonas

[Amr]

So no need to point HTTPS to another port? That's why I tried to redirect to 3128 with the transparent settings, too.

No, you still need to redirect HTTPS to 3129 that's probably the issue with your setup (also you'll need to allow port access in the firewall rules), my understanding on why the browser settings would work when you use "Also use this proxy for FTP and HTTPS" is that squid is smart enough to identify the packet type (HTTP/S or FTP) and internally redirects it to the correct port, however, if you override the NAT so that it always redirect HTTPS to squid's HTTP port then even if squid detected the packet type and attempted to redirect it the firewall would override it and redirect it to HTTP and eventually it would be dropped so it doesn't cause a loop.

DNS blocking does not work. Since I have deny all rules for my host and only allow a few specific ones

Yeah if you want to go the "least privilege" way, Then I believe proxy would be better for your case.