How It Works

There are two possible ways to deploy Squid proxy and Web Safety ICAP server to filter HTTPS traffic and perform SSL Bump. Each way has its advantages and disadvantages.

Way 2: Non-Explicit (Intercept) Proxying

In this case the browser is not aware that a proxy exists and communicates directly with remote web servers. Special firewall rules on the gateway redirect HTTP and HTTPS traffic to the Squid instance running on the gateway, which allows that traffic to be filtered.

The following describes the advantages and disadvantages of non-explicit proxying.

Advantages
  • Browser does not need to be configured to use the proxy.
Disadvantages
  • Browser must trust the root certificate of the proxy that is used to decrypt and re-encrypt HTTPS / SSL traffic (same as in the explicit proxy scenario).
  • Filtering exceptions need to be managed on the firewall device using rule manipulation commands. It is hard to keep up with the regular changes in the IP addresses that domain names resolve to.
  • Exclusion of applications needs to be done on the firewall level manually.
  • Proxy authentication is not supported.
  • If something goes wrong, traffic flow needs to be analyzed on the firewall, potentially affecting a lot of applications.
  • It is hard to build gateway redundancy.
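
The redirect rules and IP-pinned filtering exceptions described above, sketched as an added example (not configuration taken from this page or from the product). The interface name, the Squid intercept ports, the chain name and the addresses are assumptions; the script only prints the iptables commands and checks pinned exemption addresses against a later DNS answer.

```sh
#!/bin/sh
# Added example. Interface, ports, chain name and addresses are assumptions.
LAN_IF=eth1             # assumed LAN-facing interface of the gateway
HTTP_PORT=3126          # assumed Squid "http_port 3126 intercept"
HTTPS_PORT=3127         # assumed Squid "https_port 3127 intercept ssl-bump ..."
CHAIN=SQUID_INTERCEPT   # hypothetical chain name, rebuilt on every run

# Resolve a domain to its current IPv4 addresses (needs DNS; unused in the sample run).
resolve_ips() { getent ahostsv4 "$1" | awk '{print $1}' | sort -u; }

# Print the iptables commands for interception; arguments are exempt destination IPs.
gen_intercept_rules() {
    echo "iptables -t nat -N $CHAIN 2>/dev/null || iptables -t nat -F $CHAIN"
    for ip in "$@"; do
        # RETURN leaves the chain before REDIRECT, so this destination bypasses Squid.
        echo "iptables -t nat -A $CHAIN -d $ip -j RETURN"
    done
    echo "iptables -t nat -A $CHAIN -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_PORT"
    echo "iptables -t nat -A $CHAIN -p tcp --dport 443 -j REDIRECT --to-ports $HTTPS_PORT"
    jump="PREROUTING -i $LAN_IF -p tcp -m multiport --dports 80,443 -j $CHAIN"
    echo "iptables -t nat -C $jump 2>/dev/null || iptables -t nat -A $jump"
}

# Compare pinned exemption IPs ($1) with freshly resolved ones ($2), both space-separated.
# Prints "stale <ip>" / "missing <ip>" and returns 1 when the rules no longer match DNS.
exempt_drift() {
    drift_rc=0
    for ip in $1; do
        case " $2 " in *" $ip "*) ;; *) echo "stale $ip"; drift_rc=1 ;; esac
    done
    for ip in $2; do
        case " $1 " in *" $ip "*) ;; *) echo "missing $ip"; drift_rc=1 ;; esac
    done
    return $drift_rc
}

# Constructed sample: addresses pinned earlier vs. a later DNS answer (documentation ranges).
gen_intercept_rules 203.0.113.10 203.0.113.11
exempt_drift "203.0.113.10 203.0.113.11" "203.0.113.11 198.51.100.7" || echo "regenerate rules"
```

In use, `exempt_drift` would be fed the output of `resolve_ips` for each exempted domain, and the chain regenerated whenever it reports drift.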

Recommendation

Comparing the advantages and disadvantages of the two styles of deployment, we recommend using the explicit proxy approach.

Our Virtual Appliance contains everything necessary to be used as an explicit proxy out of the box. If you decide to use the intercept deployment, please take a look at the Transparent HTTPS filtering on RedHat / CentOS 7 or Transparent HTTPS Web Filter with Squid, Cisco ASA and ICAP tutorials.