Squid + letsencrypt


  • I've compiled the latest OpenWrt snapshot with Squid SSL
  • I'm running x86 (64-bit)
  • I have a Let's Encrypt SSL certificate
  • /usr/lib/squid/ssl_crtd doesn't exist

All is working fine as far as I can tell; however, I can't set up squid as a transparent HTTPS proxy.
I want to use squid as an HTTPS adblocker. Theoretically, since I have a valid certificate, that should work, right?

An HTTPS adblocker needs to have its own CA, as it is a MITM proxy and needs a valid cert for every HTTPS domain it processes. For example, if you intercept and remove ads from https://youtube.com, you need a valid cert for that domain. But obviously no public CA will give you such a cert.

1 Like

A -> B -> C
If B makes a request to C on behalf of A, by asserting itself as an HTTPS DNS resolver, it should be able to manipulate these requests accordingly, no? Since B is authorised by a CA.

I mean, this is already done by local adblockers like browser extensions, no?
If we know what we want and what we don't want, we can adjust our requests accordingly...

This is bloody confusing :frowning:

The entire purpose of HTTPS is to stop B from eavesdropping on or manipulating traffic, so it needs to be a signed cert that is valid for domain C.
A local adblocker edits the page after the browser has downloaded it. Network security doesn't apply there.

1 Like

You described one scenario. However, transparent HTTPS intercept using squid _is_ possible. But this will need the install of squid's special cert on all clients. Not often possible.
And even this is not 100%, because of HSTS, pinned certs etc.
HTTPS intercept is aiming at a moving target.


So there is no way to control one's own traffic.
Now that's one step forward, twelve back.
Thank you, whoever is responsible for HTTPS and all that jazz.

Can a moderator close this up please? Much appreciated. And thank you all for your input.

That's not "your" traffic, it's the traffic between someone's server and someone's server. And thanks to HTTPS, we can do banking online safely.

Traffic that is between my computer and X's computer is mine, or at least I really do hope so, 'cause otherwise I don't know who's doing what, eh...
Your point is valid, but that's just one thing: “He who sacrifices freedom for security deserves neither.”

The traffic is Google's, as they pushed a lot for HTTPS, to make it much more difficult to get rid of their trackers, ads etc., but still to let "authorized institutions" check the traffic using root certs. Secure banking transactions could be done using other methods.
So I have to strongly agree with your scepticism.