I have a transparent proxy setup in Ubuntu 10.04.4 with firehol and tinyproxy that works fine for http but I can't get it to work for https.
Connecting to tinyproxy directly works fine as the following commands complete ok:
env http_proxy=localhost:8888 curl http://www.google.com
env https_proxy=localhost:8888 curl https://www.google.com
HTTP transparent proxying also works fine:
curl http://www.google.com
but when accessing Google directly using HTTPS, the command just hangs:
curl https://www.google.com
Here are the complete config files for firehol and tinyproxy. Note that I have no interest in using firehol for anything but transparent proxying.
firehol.conf:
transparent_proxy "80 443" 8888 proxy
interface any world
client all accept
server all accept
tinyproxy.conf (all defaults except upstream proxy):
User nobody
Group nogroup
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563
upstream corporate.fire.wall:8080
As far as I can tell tinyproxy simply does not support incoming HTTPS connections. It will permit you to access HTTPS sites by using the CONNECT method, but for that to be used, the browser/client must know that it is talking to a proxy server, and use the correct connection methods.
The ConnectPort directives simply define which ports it is permissible to make connections to. The only FOSS product that supports transparently proxying HTTPS connections is Squid, and the support for that is relatively recent. It also introduces some pretty major security concerns, since a transparent HTTPS proxy has to perform a man-in-the-middle attack and decrypt the connection so that it knows what to connect to.
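As an added illustration (not from the question or the answer, and not tinyproxy's own code), this small Python model shows the three cases the answer describes: an explicit CONNECT from a proxy-aware client, transparently redirected port-80 traffic that carries a usable Host header, and transparently redirected port-443 traffic that arrives as a TLS handshake with no HTTP request line for a plain HTTP proxy to parse. The sample byte strings are constructed, and the allowed-port tuple mirrors the question's ConnectPort lines.

```python
import re

# Constructed samples of the first bytes a proxy sees on an accepted connection.
# Proxy-aware client (curl with https_proxy=localhost:8888 set):
EXPLICIT_HTTPS = b"CONNECT www.google.com:443 HTTP/1.1\r\nHost: www.google.com:443\r\n\r\n"
# Transparently redirected port-80 traffic (curl http://www.google.com):
REDIRECTED_HTTP = b"GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl\r\n\r\n"
# Transparently redirected port-443 traffic: a TLS handshake record, not HTTP.
# Record type 0x16 (handshake), version 0x0301, then a truncated ClientHello body.
REDIRECTED_HTTPS = bytes.fromhex("160301002a0100002603") + b"\x03" + b"\x00" * 32

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def handle_connection(data: bytes, connect_ports=(443, 563)) -> str:
    """Model how a plain HTTP proxy such as tinyproxy interprets the first bytes.

    Returns a short description of what the proxy can do. This is a constructed
    model of the behaviour described in the answer, not tinyproxy's code.
    """
    # TLS record header: content type 0x16 (handshake), major version 3.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # No request line and no Host header: the proxy keeps waiting for an
        # HTTP request that never arrives, which is what curl's hang looks like.
        return "tls-handshake: no HTTP request to parse, cannot determine origin"
    m = REQUEST_LINE.match(data)
    if not m:
        return "garbage: not an HTTP request"
    method, target = m.group(1), m.group(2).decode()
    if method == b"CONNECT":
        # Proxy-aware client: the target tells the proxy where to open the tunnel.
        host, _, port = target.rpartition(":")
        if not port.isdigit() or int(port) not in connect_ports:  # ConnectPort list
            return f"connect-refused: port {port} not in ConnectPort list"
        return f"tunnel: relay bytes to {host}:{port} without decrypting"
    # Redirected plain HTTP: the origin is recovered from the Host header.
    host = re.search(rb"\r\nHost: ([^\r\n]+)\r\n", data)
    if not host:
        return "forward-failed: no Host header on redirected request"
    return f"forward: HTTP request to {host.group(1).decode()}"
```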