9

I have a transparent proxy setup in Ubuntu 10.04.4 with firehol and tinyproxy that works fine for http but I can't get it to work for https.

Connecting to tinyproxy directly works fine as the following commands complete ok:

env  http_proxy=localhost:8888 curl  http://www.google.com
env https_proxy=localhost:8888 curl https://www.google.com

HTTP transparent proxying also works fine:

curl  http://www.google.com

but when accessing Google directly using HTTPS, the command just hangs:

curl  https://www.google.com

Here are the complete config files for firehol and tinyproxy. Note that I have no interest in using firehol for anything but transparent proxying.

firehol.conf:

transparent_proxy "80 443" 8888 proxy
interface any world
   client all accept
   server all accept

tinyproxy.conf (all defaults except upstream proxy):

User    nobody
Group   nogroup
Port    8888
Timeout 600
DefaultErrorFile  "/usr/share/tinyproxy/default.html"
StatFile          "/usr/share/tinyproxy/stats.html"
Logfile           "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile           "/var/run/tinyproxy/tinyproxy.pid"
MaxClients     100
MinSpareServers  5
MaxSpareServers 20
StartServers    10
MaxRequestsPerChild 0
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563
upstream corporate.fire.wall:8080
Stefan Farestam

1 Answer

13

As far as I can tell, tinyproxy simply does not support incoming HTTPS connections. It will permit you to access HTTPS sites by using the CONNECT method, but for that to be used, the browser/client must know that it is talking to a proxy server, and use the correct connection methods.

The ConnectPort directive simply defines which ports it is permissible to make connections to.

The only FOSS product that supports transparently proxying HTTPS connections is Squid, and the support for that is relatively recent. It also introduces some pretty major security concerns, since a transparent HTTPS proxy has to perform a man-in-the-middle attack and decrypt the connection so that it knows what to connect to.

Zoredache
  • That makes sense. After investigating, it appears that you are correct and squid is the way to go. There is no backport of 3.1 with ssl/https support available for Ubuntu 10.04 (lucid) so custom compile is required. I'll try this out. Thanks! – Stefan Farestam Nov 10 '12 at 19:42
  • With Squid version 3.5 it is now possible to use "peek and splice" feature to implement HTTPS proxy without doing man-in-the-middle (http://wiki.squid-cache.org/Features/SslPeekAndSplice). – Rafał Krypa Feb 14 '17 at 09:39
  • Transparent HTTPS is indeed not supported by Tinyproxy: https://github.com/tinyproxy/tinyproxy/issues/88 – Jean Monet Nov 03 '21 at 22:34
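An added example (not code from the question, the answer, tinyproxy or Squid) that makes the hang concrete: it constructs the two kinds of first bytes that arrive on port 8888, an explicit CONNECT request from `https_proxy=localhost:8888 curl https://...` and a raw TLS ClientHello from the firehol redirect of a direct `curl https://...`, and shows what a proxy can learn from each without decrypting anything. The `build_client_hello` and `classify` functions and the sample CONNECT line are assumptions of this example; the SNI it reads from the ClientHello is the same information Squid's peek-and-splice uses to pick the upstream.

```python
import struct

# Constructed sample of what tinyproxy sees from an *explicit* proxy client:
# plain-text HTTP that names the destination, so CONNECT can be handled.
CONNECT_REQUEST = b"CONNECT www.google.com:443 HTTP/1.1\r\nHost: www.google.com:443\r\n\r\n"

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal, constructed TLS 1.2 ClientHello carrying an SNI
    extension. This is what the firehol REDIRECT delivers to port 8888 for a
    direct HTTPS request: no HTTP request line at all, just a TLS record."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host             # name_type=host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                          # version, random, no session id
            + b"\x00\x02\xc0\x2f"                                         # one cipher suite
            + b"\x01\x00"                                                 # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify(data: bytes) -> dict:
    """Tell an explicit CONNECT from a redirected ClientHello and extract the
    destination each one names. A proxy that only parses HTTP (tinyproxy)
    sits waiting for a request line on the TLS bytes, which is the hang."""
    if data.startswith(b"CONNECT "):
        target = data.split(b" ", 2)[1].decode()
        host, _, port = target.rpartition(":")
        return {"kind": "connect", "host": host, "port": int(port)}
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return {"kind": "unknown"}
    pos = 43                                              # past record/handshake headers, version, random
    pos += 1 + data[pos]                                  # session id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # cipher suites
    pos += 1 + data[pos]                                  # compression methods
    ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        if ext_type == 0:                                 # server_name: list len, name type, name len, name
            name_len = struct.unpack("!H", data[pos + 7:pos + 9])[0]
            return {"kind": "tls", "sni": data[pos + 9:pos + 9 + name_len].decode()}
        pos += 4 + ext_len
    return {"kind": "tls", "sni": None}                   # no SNI: nothing to splice on without MITM

if __name__ == "__main__":
    print(classify(CONNECT_REQUEST))
    print(classify(build_client_hello("www.google.com")))
```

The second result is all a splicing proxy has to go on: the hostname in the clear, with everything else still encrypted end to end.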