[squid-users] HTTPS Requests in a Transparent Proxy without SSL Bump
Alex Rousskov
rousskov at measurement-factory.com
Mon Oct 20 19:23:10 UTC 2025
On 2025-10-20 14:44, Matus UHLAR - fantomas wrote:
> On 20.10.25 10:59, Jonathan Lee wrote:
>> There is also a setting called t-proxy. I tried it and it seems to work
>> well when compared to intercept and transparent. I read about it in
>> pfSense; you have to adapt the config to make it work.
>
> Tproxy means transparent/intercept (it's the same) + changing outgoing
> IP address as if the connection went from clients' original IP address.
>
> The rest is still the same.
>
>>> On Oct 20, 2025, at 09:41, Alex Rousskov
>>> <rousskov at measurement-factory.com> wrote:
>>>
>>> On 2025-10-20 05:29, Gonzalo Vázquez Enjamio wrote:
>>>
>>>> My question is if it would be possible to log HTTPS traffic, in a
>>>> Squid in transparent mode, without intercepting the traffic?
>>>> I know it's possible with a proxy in explicit mode, but in
>>>> transparent mode?
>>>
>>> Your earlier question had "without using an SSL Bump" condition. I
>>> assume your revised question uses that condition as well.
>>>
>>> I believe I have answered your earlier question, but since you are
>>> asking a similar question again, I assume that my earlier response
>>> was problematic. I do not know what that problem was, and you have
>>> not told me why that earlier answer was not satisfactory, but perhaps
>>> there is a conflict in terminology:
>>>
>>> * How do you define "transparent mode"?
>>>
>>> * How do you define "intercepting the traffic"?
>>>
>>> * Do you want to log individual HTTP(S) transaction details (e.g.,
>>> request URLs) or just TCP-level connection details (e.g., IP
>>> addresses and ports)?
>
> I believe that with a bit of tweaking, even a spliced SSL connection
> could be logged as "CONNECT %ssl::>sni"
>
> thus revealing at least the requested server name of the destination
> server (if available)

Yes, in cases where TLS SNI information is not encrypted _and_ Squid is
doing SslBump actions to extract that information.

Gonzalo Vázquez Enjamio's original question excluded SslBump, but we
still do not know exactly what needs to be logged and in what setup. We
can add "client-origin TLS handshake info" to the list of things that
can be logged (in some cases, with some SslBump features enabled).

Alex.

>>>> On Fri, 17 Oct 2025 at 15:24, Alex Rousskov wrote:
>>>> On 2025-10-17 05:57, Gonzalo Vázquez Enjamio wrote:
>>>> > Is it possible to handle HTTPS requests and log them in a transparent
>>>> > proxy with Squid without using an SSL Bump?
>>>>
>>>> If you are asking about intercepted TLS connections (i.e. https_port),
>>>> then all Squid can do with them (without SslBump) is to log TCP-level
>>>> details of each connection. No individual HTTP requests are visible to
>>>> Squid in this setup.
>>>>
>>>> If you are asking about plain text HTTP requests for "https://..."
>>>> targets/URLs arriving on an intercepted plain TCP connection (i.e.
>>>> http_port), then Squid should be able to handle (e.g., deny, forward,
>>>> cache, and log) those requests individually.
>>>>
>>>> If you do not know which case applies to you, it is most likely the
>>>> first case because plain "GET https://..." requests are rare and are
>>>> usually seen in non-intercepting setups.
>
>
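
The peek-then-splice logging discussed in this message, sketched as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; it relies on SslBump's peek step (which the original question excluded), and the port number, file paths and the format name tls_sni are assumptions.

```conf
# Added example, not from the thread. Assumes a Squid 4 or later build with
# OpenSSL support and a firewall rule that already redirects client port 443
# traffic to port 3129. Port, paths and names below are placeholders.

# Intercepted TLS port. ssl-bump has to be enabled on the port for Squid to
# look at the handshake at all, and the port requires a certificate even
# though the rules below never decrypt anything.
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/PLACEHOLDER-ca.pem

# Step 1: peek at the client's TLS ClientHello. This is where the SNI is
# read, if the client sent one in the clear.
acl step1 at_step SslBump1
ssl_bump peek step1

# Every later step: splice, i.e. relay the TLS bytes unmodified and
# undecrypted between client and origin server.
ssl_bump splice all

# One line per connection: timestamp, client and server addresses/ports,
# the SslBump mode applied, and the server name from the ClientHello in
# the "CONNECT %ssl::>sni" form suggested in the thread.
logformat tls_sni %ts.%03tu %>a:%>p -> %<a:%<p %ssl::bump_mode CONNECT %ssl::>sni
access_log daemon:/var/log/squid/tls_sni.log tls_sni

# Without the ssl-bump port option and ssl_bump rules, the same https_port
# only yields the TCP-level fields (%>a, %>p, %<a, %<p); no request URLs
# are visible in either case.
```

The logged name is only what the client put in its ClientHello; when no SNI is sent, the field is logged as `-` and the TCP-level fields are all that remain.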