Squid Transparent Proxy Client’s are Unable to Connect HTTPS Sites
When we are using Squid As Transparent Proxy Mode, the most common problem users report that they are unable to connect to https connections such as twitter, gmail etc. These websites by default receiving all connection over https 443 port for security concern.
Let’s Understand How Squid as Transparent Mode Setup Works
In transparent proxy mode we are redirecting entire 80 (http protocol) traffic to 3128 port using iptables rules. But when we open gmail which uses https (443 port), the request will use 443 port. Some of you might be thinking its easy to add an other iptables rule and same way redirect 443 traffic to 3128 port as we did for 80 traffic. NO it won’t work. The reason is https established an encrypted session between browser and remote webserver and for that it uses certificate with public and private key pairs.
Solution For allowing HTTPS Traffic with Squid As Transparent Mode
There are couple of ways to solve this issue.
1- We can create self signed certificate and public/private keys which can be used for internal clients and squid proxy server and then later squid server will route our traffic to internet. But self signed certificate can slow down your connection. To get faster connection it is recommended to sign certificate from CA. Implementation of this method is bit complex and time consuming.
2- Now Let’s come to the second solution which we are going to use in this guide as well. Simply enable ip routing on our Linux box by enabling ipv4 forwarding, which is more faster and easiest way to allow https traffic while we are using squid as transparent mode.
To allow https traffic we need to enable ip forwarding in linux. See below method:
Add following line
net.ipv4.ip_forward = 1
Save & Exit
Apply recent changes
That’s It, Now http/https websites should work smoothly in transparent proxy mode.
If you face any difficulty related to this guide, Tell us in Comments. Thanks
Contact us At firstname.lastname@example.org For Premium Support
I am Hafiz Haider, co-founder of BroExperts.com. A Computer Geek and a certified Linux enthusiast (RHCE, RHCSA), who strongly believes in sharing knowledge.. You can reach me at email@example.com.