2

I am trying to create internet distribution software for an ISP (an internet distributor, a school or another such organization) like the one here

It will have restrictions and policies for users to limit bandwidth/speed/duration etc. according to their internet connection package. Also, the administrator should be able to monitor their speed, block/allow users and renew packages.

The architecture is like:

[architecture diagram: image not included in the extracted page]

Non-HTTPS client requests work fine, but HTTPS requests give SSL_ERROR, as expected.

I read that Squid cannot handle HTTPS connections in transparent proxy mode, but I do not want users to set a proxy in their browser every time.

Is there any other way to count all the traffic, including the encrypted traffic, used by a user and shape the traffic accordingly?

tombull89
haywire
  • Does it have to be Squid? Why not use something designed for the purpose of allocating pools of traffic, like MikroTik? (I'm not affiliated with them.) Squid can only do web traffic! Useless if users start torrenting or Skyping etc. – Grizly Jun 04 '13 at 06:44
  • @Grizly No. All possible alternatives are welcome, the requirement is to count ALL the traffic. – haywire Jun 05 '13 at 04:02

1 Answer

2

This is not a limitation of Squid, it is a limitation of the HTTPS protocol itself. If you try setting up a transparent HTTPS proxy, you invariably would need to break the encryption channel - otherwise the proxy has no way of knowing which web site to load. So you basically choose between

  1. setting an HTTP proxy in browsers (which might be done through autodiscovery, BTW)
  2. breaking HTTPS security by terminating the encryption channel at your Squid proxy - BumpSSLServerFirst has been written with this in mind. For this to work though, your clients would need to trust Squid's CA to sign any certificate - it would have to be installed as a trusted root CA on every client.

As setting up trusted CA certs on all clients seems more labor-intensive than just setting an HTTPS proxy in the browser settings, it would only make sense if you plan on working with the decrypted data in ACLs or for request/response body checking.

the-wabbit
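The follow-up comments under this answer make the point that the endpoints and sizes of encrypted traffic are visible in the IP packet headers even though the payload is not. The script below is an added example written for this page (it is not from the question, the answer or the Squid project) showing per-client byte accounting from raw IPv4 headers alone, followed by a package quota check. The sample packets, the 10.0.0.0/24 user subnet and the quota values are constructed; a real deployment would feed it frames from a capture or a netfilter queue on the gateway.

```python
import struct
import ipaddress
from collections import defaultdict

LAN = "10.0.0.0/24"  # assumption: the subnet the ISP hands out to its users


def build_ipv4_header(src, dst, total_length, proto=6):
    """Constructed test data: a 20-byte IPv4 header (no options) whose
    total-length field claims `total_length` bytes on the wire. The header
    checksum is left at zero because nothing here validates it."""
    ver_ihl = (4 << 4) | 5  # version 4, header length 5 * 4 = 20 bytes
    return struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, total_length, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def parse_ipv4_header(pkt):
    """Return (src, dst, total_length, proto) from the start of a raw IPv4
    packet, or None if the bytes are not a well-formed IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    total_length = struct.unpack("!H", pkt[2:4])[0]
    if total_length < ihl:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, total_length, pkt[9]


def account(packets, lan=LAN):
    """Sum the on-the-wire bytes of every packet per LAN client, split into
    upload (client is the source) and download (client is the destination).
    Only the IP header is consulted, so TLS, SSH, VoIP and torrent traffic
    are all counted the same way without touching the payload."""
    net = ipaddress.IPv4Network(lan)
    usage = defaultdict(lambda: {"up": 0, "down": 0})
    for pkt in packets:
        hdr = parse_ipv4_header(pkt)
        if hdr is None:  # truncated or non-IPv4 frame: skip, do not crash
            continue
        src, dst, length, _proto = hdr
        if ipaddress.IPv4Address(src) in net:
            usage[src]["up"] += length
        elif ipaddress.IPv4Address(dst) in net:
            usage[dst]["down"] += length
    return dict(usage)


def over_quota(usage, quota_bytes):
    """Clients whose combined up+down volume exceeds their package quota."""
    return sorted(ip for ip, u in usage.items() if u["up"] + u["down"] > quota_bytes)


# Constructed sample traffic (headers only; real captures carry the payload
# after the header, which the accounting never needs to look at).
SAMPLE_PACKETS = [
    build_ipv4_header("10.0.0.5", "198.51.100.20", 60),    # client -> HTTPS server
    build_ipv4_header("198.51.100.20", "10.0.0.5", 1500),  # encrypted reply
    build_ipv4_header("198.51.100.20", "10.0.0.5", 1500),
    build_ipv4_header("10.0.0.7", "203.0.113.10", 120, proto=17),  # UDP, e.g. VoIP
    build_ipv4_header("203.0.113.10", "10.0.0.7", 800, proto=17),
    b"\x45\x00",  # truncated frame, ignored
]

if __name__ == "__main__":
    usage = account(SAMPLE_PACKETS)
    for ip, u in sorted(usage.items()):
        print(f"{ip}: up={u['up']} down={u['down']}")
    print("over 1000-byte quota:", over_quota(usage, 1000))
```

The accounting deliberately ignores the transport payload, which is what lets it treat an HTTPS session and a plain HTTP one identically; what it cannot give you is anything an HTTP-level ACL would use (URL, MIME type, user name), which is the trade-off the answer describes.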
  • Thanks for the reply :) I considered the first option at first, but I still have 3 doubts: 1. Will it work in case of other protocols, like FTP and SSH, also? 2. Is it what most such software does? 3. Is it the only option? I mean, can't I somehow just read the destination IP and size of the traffic in case of encrypted packets without bumping SSL? – haywire Jun 03 '13 at 13:38
  • @haywire 1. no, Squid is an HTTP proxy. 2. I don't know. 3. you obviously could as the necessary data is contained in the IP packet headers, but there would not be any need for Squid in there - again, Squid is "just" an HTTP proxy. – the-wabbit Jun 03 '13 at 13:42
  • Okay. As I want to track everything, do I have any alternative other than Squid which can monitor all the traffic? – haywire Jun 03 '13 at 13:45
  • 1
    You can use something like OpenWrt on a router, which actually can monitor traffic. You can also use something like `tc` to limit traffic, though that is somewhat of a hack. – ithisa Jun 03 '13 at 13:50
  • 1
    @haywire `iptables` and `tc` are your friends for generic IP-level blocking and bandwidth management. The nice part with Squid is that delay pools combined with Squid's ACL concept make for a decent limiting solution - you can limit by users, site groups, keywords, response MIME types and many other factors. Whereas `tc` is rather limited to IP and TCP/UDP headers and even `iptables` with deep packet inspection is pretty clumsy to use. Take a look at [UFWI](http://en.wikipedia.org/wiki/NuFW) or various captive portal implementations for how it might be combined with user auth. – the-wabbit Jun 03 '13 at 18:17
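The last two comments point at `iptables` and `tc` for IP-level blocking and bandwidth management, which is what the question actually needs once Squid is out of the picture for non-HTTP traffic. As an added example (my own, not code from the thread, from Squid or from either tool's documentation), the script below turns a table of users and packages into one HTB class plus a u32 filter per client on the LAN-facing interface, a FORWARD sub-chain whose per-rule byte counters double as per-user usage meters and whose DROP rules implement the administrator's block/allow switch, and a parser for those counters. The interface name, the 100mbit uplink, the chain name ISP_USERS, the users, the packages and the sample counter listing are all constructed assumptions; applying the generated commands requires root on the gateway, so the script defaults to a dry run.

```python
import subprocess
from dataclasses import dataclass

LAN_IF = "eth1"      # assumption: interface facing the users (download direction)
UPLINK = "100mbit"   # assumption: total capacity shared between users
CHAIN = "ISP_USERS"  # assumption: dedicated netfilter chain name


@dataclass(frozen=True)
class Package:
    name: str
    rate: str  # guaranteed rate in tc units, e.g. "2mbit"
    ceil: str  # burst ceiling when the uplink is idle


@dataclass(frozen=True)
class User:
    ip: str
    package: Package
    blocked: bool = False  # e.g. package expired and not renewed


def shaping_commands(users, lan_if=LAN_IF, uplink=UPLINK):
    """HTB tree: root class 1:1 at uplink speed, one child class per user,
    and a u32 filter steering packets destined for the user's IP into it.
    Unclassified traffic falls into the slow default class 1:999."""
    cmds = [
        f"tc qdisc del dev {lan_if} root",  # fails harmlessly on first run
        f"tc qdisc add dev {lan_if} root handle 1: htb default 999",
        f"tc class add dev {lan_if} parent 1: classid 1:1 htb rate {uplink}",
        f"tc class add dev {lan_if} parent 1:1 classid 1:999 htb rate 64kbit ceil 128kbit",
    ]
    for n, user in enumerate(users, start=10):  # class ids 1:10, 1:11, ... (tc reads them as hex)
        p = user.package
        cmds.append(f"tc class add dev {lan_if} parent 1:1 classid 1:{n} htb rate {p.rate} ceil {p.ceil}")
        cmds.append(f"tc filter add dev {lan_if} parent 1: protocol ip prio 1 u32 match ip dst {user.ip}/32 flowid 1:{n}")
    return cmds


def firewall_commands(users, chain=CHAIN):
    """One rule per user and direction in a dedicated FORWARD sub-chain.
    The byte counters on these rules give per-user totals regardless of
    protocol; blocked users get DROP; anything not in the user table is
    dropped, so an unknown client gets no service at all."""
    cmds = [f"iptables -N {chain}", f"iptables -F {chain}", f"iptables -I FORWARD 1 -j {chain}"]
    for user in users:
        target = "DROP" if user.blocked else "ACCEPT"
        cmds.append(f"iptables -A {chain} -s {user.ip} -j {target}")
        cmds.append(f"iptables -A {chain} -d {user.ip} -j {target}")
    cmds.append(f"iptables -A {chain} -j DROP")
    return cmds


def parse_counters(listing, users):
    """Parse `iptables -L <chain> -v -n -x` output into per-user byte totals.
    Columns: pkts bytes target prot opt in out source destination."""
    known = {u.ip for u in users}
    usage = {ip: {"up": 0, "down": 0} for ip in known}
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():
            continue  # "Chain ..." line and the column header line
        nbytes, src, dst = int(f[1]), f[-2], f[-1]
        if src in known:
            usage[src]["up"] += nbytes
        elif dst in known:
            usage[dst]["down"] += nbytes
    return usage


def apply(cmds, dry_run=True):
    """Run the generated commands (needs root); a dry run just returns them."""
    if not dry_run:
        for c in cmds:
            subprocess.run(c.split(), check=False)
    return cmds


# Constructed sample data: two users, one of them blocked, and a counter
# listing in the layout `iptables -L ISP_USERS -v -n -x` prints.
BASIC = Package("basic", "2mbit", "4mbit")
PREMIUM = Package("premium", "10mbit", "20mbit")
USERS = [User("10.0.0.5", PREMIUM), User("10.0.0.7", BASIC, blocked=True)]
SAMPLE_LISTING = """Chain ISP_USERS (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120     18240 ACCEPT     all  --  *      *       10.0.0.5             0.0.0.0/0
    3400   4812000 ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.5
       0         0 DROP       all  --  *      *       10.0.0.7             0.0.0.0/0
"""

if __name__ == "__main__":
    for c in apply(shaping_commands(USERS) + firewall_commands(USERS)):
        print(c)
    print(parse_counters(SAMPLE_LISTING, USERS))
```

Renewing or downgrading a package is a matter of regenerating and re-applying the tc tree, and the counters are reset whenever the chain is flushed, so a real deployment would snapshot them into a database before each re-apply. Shaping on the LAN-facing interface controls what users download; the upload direction would need a matching tree on the WAN-facing interface keyed on `match ip src`.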