Reputation: 83
I am trying to set up my Raspberry Pi as a WiFi access point with a Squid proxy. All the users connected to the AP (wlan0) will get internet from eth0.
When I configured the browser with proxy 192.168.0.1:3128, all HTTP and HTTPS sites were accessible.
Now I have set up Squid in transparent mode. At this time only HTTP sites are accessible. HTTPS sites are not opening.
Error: SSL connection error
Please find the logs and config samples below.
Iptables
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 3128
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
Squid
#Access List
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl home_network src 192.168.0.0/24
acl guest_network src 192.168.1.0/24
acl guest_network src 192.168.169.0/24
#Ports allowed through Squid
acl Safe_ports port 80 #http
acl Safe_ports port 443 #https
acl SSL_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT
#allow/deny
http_access allow localhost
http_access allow home_network
http_access allow guest_network
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
#proxy ports
visible_hostname proxy
#http_port 3128 transparent
http_port 3128 intercept
http_port 8080
#caching directory
cache_dir ufs /cache/squid 2048 16 128
cache_mem 1024 MB
#refresh patterns for caching static files
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 40% 40320
Squid Log
1438333207.745 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
1438333207.749 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
1438333207.753 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
1438333207.789 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
1438333207.803 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
1438333210.190 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
Upvotes: 2
Views: 19744
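The access log above shows the symptom in a recognisable shape: every entry is status NONE/400 with method NONE and the pseudo-URL error:invalid-request, which is what Squid logs when bytes arriving on an http_port cannot be parsed as an HTTP request line (a TLS ClientHello redirected from port 443 looks exactly like that). The following script is an added example, not part of the question or the answers; it scans a native-format Squid access.log for that pattern and reports which clients produce it. The sample log is constructed here from the six lines in the question plus two ordinary HTTP entries, and the field positions assume Squid's default native log format.

```shell
#!/bin/sh
# Added example (not from the question or the answers): flag access.log
# entries that mean "unparseable request on an HTTP port", which is what
# TLS traffic redirected to an http_port in intercept mode produces.
#
# Native log format fields:
#   1 time  2 elapsed  3 client  4 code/status  5 bytes  6 method
#   7 url   8 rfc931   9 peer/host  10 type

# Constructed sample: the six lines from the question plus two constructed
# ordinary HTTP entries so the filter has something to leave alone.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1438333207.745 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
1438333207.749 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
1438333207.753 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
1438333207.789 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
1438333207.803 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
1438333210.190 1 192.168.0.10 NONE/400 4000 NONE error:invalid-request - NONE/- text/html
1438333211.002 120 192.168.0.10 TCP_MISS/200 5130 GET http://example.com/ - HIER_DIRECT/198.51.100.10 text/html
1438333212.500 2 192.168.0.11 TCP_HIT/200 4120 GET http://example.com/logo.png - HIER_NONE/- image/png
EOF

# Print "<client> <count>" for each client whose requests Squid could not
# parse at all: status NONE/400, method NONE, url error:invalid-request.
invalid_request_clients() {
    awk '$4 == "NONE/400" && $6 == "NONE" && $7 == "error:invalid-request" { n[$3]++ }
         END { for (c in n) print c, n[c] }' "$1" | sort
}

# Share of unparseable entries in the whole file. When nearly everything
# hitting the intercept port is unparseable, port 443 is almost certainly
# being redirected to an http_port instead of an https_port.
invalid_request_share() {
    awk '{ total++ }
         $4 == "NONE/400" && $6 == "NONE" && $7 == "error:invalid-request" { bad++ }
         END { if (total) printf "%d/%d\n", bad, total; else print "0/0" }' "$1"
}

invalid_request_clients "$SAMPLE_LOG"
invalid_request_share "$SAMPLE_LOG"
```

Run it against the real file with `invalid_request_clients /var/log/squid/access.log` after sourcing the functions. The pattern is not specific to TLS: any non-HTTP bytes redirected to the port (the question's port-21 rule sends raw FTP there too) log the same way, so treat a high share as "something other than HTTP is being redirected here" and confirm against the NAT rules rather than assuming it is only HTTPS.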
Reputation: 2351
It has been a while, but I just stumbled upon this very problem.
If you keep your setup like that, SSL traffic will be encrypted and caching is not going to happen.
In order to achieve your goal, in addition to what you have done, you need to:
A couple of detailed tutorials were helpful to me in order to achieve it:
Hopefully that will be helpful to others in the future!
Upvotes: 1
Reputation: 447
You are trying to forward CONNECT/HTTPS requests hitting port 443 to an intercepted http_port. If I'm correct, an http_port defined in intercept mode will serve only HTTP traffic, not HTTPS.
In the Squid config, define https_port in intercept/transparent mode and forward your port 443 to that https_port.
This might solve your problem.
You may have to use a certificate for https intercept/transparent mode: create a certificate and tell Squid to bump a dummy domain.
All other traffic on that https port will be served as such, without any bumping.
Upvotes: 4
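The script below is an added example, not code from the question or from either answer. It sketches the layout this answer describes for Squid 3.5: a separate https_port in intercept mode with ssl-bump, a locally generated CA that signs the forged per-host certificates, port 443 redirected to that port instead of the http_port, and an ssl_bump policy that bumps only the names listed in a file and splices (passes through untouched) everything else. Port 3129, the file paths, the ssl_crtd helper location and the CA subject are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the question or the answers): generate the
# squid.conf fragment and NAT rules for intercepting HTTPS on a separate
# https_port with ssl-bump. Values below are assumptions unless noted.

SQUID_HTTP_PORT=3128                      # existing intercept http_port (from the question)
SQUID_HTTPS_PORT=3129                     # assumed: new intercept https_port for port 443
CA_PEM=/etc/squid/ssl_cert/myCA.pem       # assumed: CA key + certificate used for bumping
SSL_DB=/var/lib/squid/ssl_db              # assumed: on-disk cache of generated host certs
CRTD=/usr/lib/squid/ssl_crtd              # assumed: helper path; depends on your build
BUMP_LIST=/etc/squid/bump_domains.txt     # assumed: one server name per line to bump

# Create the bumping CA (run once, as root). The private key in this file is
# a trust anchor for every client on wlan0, so keep it readable by Squid only.
# Clients must import the DER certificate as a trusted root, otherwise their
# browsers will (correctly) reject every bumped connection.
make_bump_ca() {
    mkdir -p "$(dirname "$CA_PEM")"
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -extensions v3_ca -keyout "$CA_PEM" -out "$CA_PEM" \
        -subj "/CN=Pi Squid Bump CA (assumed name)"
    chmod 600 "$CA_PEM"
    openssl x509 -in "$CA_PEM" -outform DER -out "${CA_PEM%.pem}.der"
    # initialise the certificate cache the helper writes to
    "$CRTD" -c -s "$SSL_DB"
}

# squid.conf fragment replacing the "http_port 3128 intercept" only setup.
gen_squid_conf() {
    cat <<EOF
# plain HTTP keeps arriving on the existing intercept port
http_port $SQUID_HTTP_PORT intercept
# TLS from the port-443 redirect lands here; Squid forges certs signed by the CA
https_port $SQUID_HTTPS_PORT intercept ssl-bump cert=$CA_PEM generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program $CRTD -s $SSL_DB -M 4MB
# peek at the ClientHello first so the SNI is known, then bump only listed
# names and splice the rest so certificate-pinning apps keep working
acl step1 at_step SslBump1
acl bump_domains ssl::server_name "$BUMP_LIST"
ssl_bump peek step1
ssl_bump bump bump_domains
ssl_bump splice all
EOF
}

# NAT rules replacing the ones in the question: 443 now goes to the https_port.
gen_nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_HTTP_PORT
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-ports $SQUID_HTTPS_PORT
EOF
}

gen_squid_conf
gen_nat_rules
```

Before relying on this, confirm the installed Squid was built with TLS support (`squid -v` should list `--with-openssl` and `--enable-ssl-crtd`); distribution packages are not always built that way, and without it `https_port ... ssl-bump` is rejected at startup. Even with a correct config, only clients that trust the generated CA will load bumped sites; anything else still shows a certificate error, which is why the policy splices by default and bumps only an explicit list.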