Transparent squid HTTPS + Let's Encrypt?

Has anybody thought about using Let's Encrypt with squid in transparent mode to filter/cache HTTPS content without intervening with the users' devices?

I would really like to see somebody doing it or even a video about it on level1techs since I don't have enough skills to put it together myself.

It would be very useful because it saves bandwidth since almost all sites now use HTTPS.

Uhm - you mean like mitm the connection at the proxy by (ab)using a LE cert?

hmmm sounds like a cool little project. What do you want to achieve with it? Caching https content I assume? I will take a look at it. Never done anything with squid but if you don't try you can't learn.

Uhm - you mean like mitm the connection at the proxy by (ab)using a LE cert?

(ab)using? Why should that be abusing Let's Encrypt? Because it's not a website but a proxy?

How would one get a legit cert for somedomain.com except for owning somedomain.com? - I am asking, that is why the (ab) is in brackets

If you have a valid domain it wouldn't be abusing it. You are right if you register a cert without owning that domain name.

My thought is, when the proxy delivers content, let's say for https://wikipedia.org, it is the origin of the connection and thus also the endpoint for the https stream - and for the browser not to complain it must serve a cert for https://wikipedia.org - I think I am right so far...

The proxy is by design a man in the middle - and serving (valid) certs with LE would be abusing it... as far as I understand the whole process so far - in companies an internal root CA is installed on the workstations so the proxy/firewall/filter can sign every domain they want internally

Why could OP actually not generate his own SSL/TLS cert? Only your computer needs to accept the self made certificate right? So using Let's Encrypt is not necessary.

My thoughts, but

so he wants the MITM proxy without the user "knowing" or modifying the workstations truststore ^^

Forgot about that XD. Maybe you could get a LE cert with an example.com domain? An example.com domain doesn't belong to anybody. It's a reserved domain by IANA. In theory you could get a LE cert without hindering anybody. There is one problem: example.com has a TLS certificate with DigiCert as CA. OP could take the risk and just try it.

I think dozens of people (ab)use it to test configurations or for other purposes.

You can't do it with a certificate, you need a CA because each site you go to is going to generate a fake certificate which is signed by the CA being used by squid. So unless you can get a trusted CA, the only way to do it is to install your CA cert in each of your client machines.

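An added example, not from the thread, that shows the point above with openssl in a throwaway directory: a private inspection CA can mint a certificate for wikipedia.org that a client trusting that CA accepts, while a domain-validated end-entity certificate (the kind Let's Encrypt issues for a name you own, modelled here as a self-signed cert with CA:FALSE) is rejected when used as an issuer. All names, files and profiles here are constructed placeholders.

```bash
#!/bin/sh
# Constructed demo: private CA vs. end-entity cert as issuer for on-the-fly site certs.
set -e
WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"
cat > "$CNF" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_end_entity]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

# Self-signed cert for name $1; $2 picks the extension profile (v3_ca or v3_end_entity).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$CNF" -extensions "$2" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Mint a leaf for host $1 signed by issuer $2, as a bumping proxy does per visited site.
mint_site_cert() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$1" \
    -keyout "$WORK/$1-by-$2.key" -out "$WORK/$1-by-$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1-by-$2.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1-by-$2.crt" 2>/dev/null
}

# Does a client that trusts anchor $2 accept the minted cert for host $1? (exit status)
client_accepts() {
  openssl verify -CAfile "$WORK/$2.crt" -verify_hostname "$1" \
    "$WORK/$1-by-$2.crt" >/dev/null 2>&1
}

make_self_signed inspection-ca v3_ca                # the root you install on every endpoint
make_self_signed proxy.example.com v3_end_entity    # what a public CA issues for one domain
mint_site_cert wikipedia.org inspection-ca          # accepted by clients trusting the CA
mint_site_cert wikipedia.org proxy.example.com      # signed, but rejected: issuer is not a CA
```

Run it and call `client_accepts wikipedia.org inspection-ca` (succeeds) and `client_accepts wikipedia.org proxy.example.com` (fails with an invalid CA error) to see the difference a browser would.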

Thanks for confirming my understanding of the matter

You actually want to use a self signed cert for the device doing https inspection and install it as a trusted root to the endpoints to do this.

No need to go outside your network for the cert.
