[squid-users] HTTPS Requests in a Transparent Proxy without SSL Bump

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Oct 20 18:44:56 UTC 2025


On 20.10.25 10:59, Jonathan Lee wrote:
>There is also a setting called t-proxy. I tried it, and it seems to work well when compared to intercept and transparent. I read about it in pfSense you have to adapt the config to make it work.

Tproxy means transparent/intercept (it's the same)
+ changing the outgoing IP address, as if the connection came from the
client's original IP address.

The rest is still the same.

>> On Oct 20, 2025, at 09:41, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>>
>> On 2025-10-20 05:29, Gonzalo Vázquez Enjamio wrote:
>>
>>> My question is if it would be possible to log HTTPS traffic, in a Squid in transparent mode, without intercepting the traffic?
>>> I know it's possible with a proxy in explicit mode, but in transparent mode?
>>
>> Your earlier question had "without using an SSL Bump" condition. I assume your revised question uses that condition as well.
>>
>> I believe I have answered your earlier question, but since you are asking a similar question again, I assume that my earlier response was problematic. I do not know what that problem was, and you have not told me why that earlier answer was not satisfactory, but perhaps there is a conflict in terminology:
>>
>> * How do you define "transparent mode"?
>>
>> * How do you define "intercepting the traffic"?
>>
>> * Do you want to log individual HTTP(S) transaction details (e.g., request URLs) or just TCP-level connection details (e.g., IP addresses and ports)?

I believe that with a bit of tweaking, even a spliced SSL connection could be logged
as "CONNECT %ssl::>sni",
thus revealing at least the requested server name of the destination server (if available).


>>> On Fri, 17 Oct 2025 at 15:24, Alex Rousskov wrote:
>>>    On 2025-10-17 05:57, Gonzalo Vázquez Enjamio wrote:
>>>     > Is it possible to handle HTTPS requests and log them in a transparent
>>>     > proxy with Squid without using an SSL Bump?
>>>
>>>    If you are asking about intercepted TLS connections (i.e. https_port),
>>>    then all Squid can do with them (without SslBump) is to log TCP-level
>>>    details of each connection. No individual HTTP requests are visible to
>>>    Squid in this setup.
>>>
>>>    If you are asking about plain text HTTP requests for "https://..."
>>>    targets/URLs arriving on an intercepted plain TCP connection (i.e.
>>>    http_port), then Squid should be able to handle (e.g., deny, forward,
>>>    cache, and log) those requests individually.
>>>
>>>    If you do not know which case applies to you, it is most likely the
>>>    first case because plain "GET https://..." requests are rare and are
>>>    usually seen in non-intercepting setups.


-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.
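
Added example, not part of the original message and not the Squid project's own configuration: one way to get the SNI logging suggested above on an intercepting https_port, by peeking at the TLS ClientHello and then splicing, so that no traffic is decrypted. The port number, the file paths and the logformat name `sni_splice` are assumptions, and the `ssl_bump` directives are used only to select peek and splice.

```conf
# Assumed: the firewall redirects client TCP/443 to port 3129 on this host,
# and Squid was built with OpenSSL support.
# The ssl-bump port option needs a certificate even when every connection
# is spliced. The path is a placeholder for a PEM file holding a
# certificate and its key. (Squid 3.5 spells the option cert=.)
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/PLACEHOLDER-ca.pem

# Step 1: read the TLS ClientHello to learn the SNI, without decrypting.
acl step1 at_step SslBump1
ssl_bump peek step1

# After that: relay the TLS bytes untouched. Nothing is bumped, so no
# HTTP request inside the tunnel is visible to Squid.
ssl_bump splice all

# One log line per connection:
#   timestamp, client IP, Squid status/HTTP status, bytes sent to client,
#   method (CONNECT), client SNI, bump mode, server IP.
# %ssl::>sni is logged as "-" when the client sent no SNI.
logformat sni_splice %ts.%03tu %>a %Ss/%03>Hs %<st %rm %ssl::>sni %ssl::bump_mode %<a
access_log daemon:/var/log/squid/sni.log logformat=sni_splice
```

The logged name is whatever the client put in its ClientHello, so it identifies the requested server but says nothing about URLs or response content.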

