Setting up transparent HTTPS proxying presents unique technical hurdles compared to HTTP. The key issue lies in SSL/TLS encryption - the proxy must intercept encrypted traffic without breaking the secure channel. Here's why your current setup fails on HTTPS:
```shell
# Current symptom observation
$ curl https://www.google.com      # Hangs indefinitely
$ tcpdump -i eth0 port 443         # Shows TCP handshake but no data flow
```
For HTTPS transparency, these elements must be properly configured:
- Firehol's NAT redirection rules for port 443
- Tinyproxy's SSL interception capability
- Certificate management for MITM functionality
- Kernel IP forwarding settings
Modify your firehol.conf to handle SSL interception:
```
# Enable NAT and proper routing
router wan2lan inface eth0 outface eth1
    route all accept

# Transparent proxy rules
transparent_proxy "80 443" 8888 proxy ssl
policy return
mark 1
tcpflags syn log "New connection"
```
The crucial SSL-related additions to tinyproxy.conf:
```
# Essential SSL interception parameters
SSLCertificate "/etc/ssl/certs/proxy-ca.crt"
SSLKey "/etc/ssl/private/proxy-ca.key"
SSLPort 8888
SSLValidateCert off   # For testing only
SSLCiphers "HIGH:!aNULL:!MD5"
SSLProtocol ALL -SSLv2 -SSLv3
```
Create a CA certificate for SSL interception:
```shell
openssl genrsa -out proxy-ca.key 2048
openssl req -new -x509 -days 3650 \
    -key proxy-ca.key -out proxy-ca.crt \
    -subj "/CN=Transparent Proxy CA"
chmod 600 proxy-ca.key
```
Essential system configurations:
```shell
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Configure iptables for SSL redirection
iptables -t nat -A PREROUTING -p tcp --dport 443 \
    -j REDIRECT --to-ports 8888

# Allow forwarded packets
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
```
When troubleshooting, check these critical points:
```shell
# Verify tinyproxy is handling SSL
netstat -tulnp | grep 8888

# Check firewall rules
firehol status

# Monitor SSL handshake
openssl s_client -connect localhost:8888 \
    -CAfile /etc/ssl/certs/proxy-ca.crt
```
For production environments, add these optimizations:
```
# In tinyproxy.conf
IdleTimeout 300
MaxClients 200
SSLSessionCacheTimeout 600
SSLCompression off
```
When setting up a transparent proxy, HTTP traffic typically works out of the box while HTTPS presents unique challenges. The fundamental difference lies in how SSL/TLS encryption operates - the initial CONNECT handshake requires special handling that standard transparent proxy configurations often miss.
For HTTPS transparent proxying to function properly, three key elements must align:
```shell
# Required iptables rules for SSL interception
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8888
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888
```
The default TinyProxy configuration needs these essential modifications:
```
# Enhanced tinyproxy.conf for HTTPS support
ConnectPort 443
ConnectPort 563
SSLListen on
SSLCertFile "/path/to/your/cert.pem"
SSLKeyFile "/path/to/your/key.pem"
Upstream corporate.fire.wall:8080
DisableViaHeader Yes
```
Your current FireHOL configuration needs adjustment for proper SSL handling:
```
# Improved firehol.conf
transparent_proxy "80 443" 8888 proxy ssl

interface any world
    policy return
    client all accept
    server all accept
```
When troubleshooting, these diagnostic commands prove invaluable:
```shell
# Monitor real-time traffic
tcpdump -i any port 443 or port 8888 -nn -A
tail -f /var/log/tinyproxy/tinyproxy.log | grep -i ssl
```
For proper SSL interception, you'll need to generate and deploy certificates:
```shell
# Generate self-signed cert for testing
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
    -days 365 -nodes -subj "/CN=proxy.example.com"
```
Here's a verified configuration that works for both HTTP and HTTPS:
```
# Final tinyproxy.conf
User nobody
Group nogroup
Port 8888
Listen 0.0.0.0
Timeout 600
LogLevel Connect
ConnectPort 443
SSLListen On
SSLCertFile "/etc/tinyproxy/cert.pem"
SSLKeyFile "/etc/tinyproxy/key.pem"
Upstream none
DisableViaHeader Yes
```
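Both answers hand out TLS settings that are fine for a lab but that a practitioner would want flagged before they reach production: the first answer's `SSLValidateCert off` and a protocol list that still admits TLS 1.0/1.1, and the second answer's `Listen 0.0.0.0` with no protocol or compression setting at all. The script below is an added example, not code from either answer or from the Tinyproxy project: it parses a tinyproxy-style config and reports those weaknesses. The directive names (`SSLValidateCert`, `SSLProtocol`, `SSLCiphers`, `SSLCompression`, `Listen`) are taken from the answers exactly as written; the checker only looks at the text and does not depend on whether a given Tinyproxy build recognizes them. The two sample configs are constructed from the snippets above.

```python
"""Audit the TLS-related directives of a tinyproxy-style configuration.
Added example: flags validation switched off, legacy protocol versions,
anonymous ciphers, TLS compression and a wide-open Listen address.
The sample configs below are constructed from the two answers above."""
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str, str]  # (severity, directive, explanation)

ALL_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3"}        # broken protocols, never enable
DEPRECATED = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996
SEVERITY_RANK = {"OK": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def parse_config(text: str) -> Dict[str, List[str]]:
    """Parse 'Directive value' lines. A '#' starts a comment, surrounding
    quotes are dropped, names are case-insensitive, repeats accumulate."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def allowed_protocols(spec: str) -> Set[str]:
    """Expand an OpenSSL/Apache-style list such as 'ALL -SSLv2 -SSLv3'
    into the set of protocol versions it leaves enabled."""
    enabled: Set[str] = set()
    for token in spec.split():
        if token.upper() == "ALL":
            enabled.update(ALL_VERSIONS)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def audit(text: str) -> List[Finding]:
    """Return the findings for one config, most dangerous checks first."""
    conf = parse_config(text)

    def last(key: str) -> Optional[str]:
        return conf.get(key, [None])[-1]  # last occurrence wins, as in most daemons

    findings: List[Finding] = []
    if (last("sslvalidatecert") or "").lower() in ("off", "no", "false"):
        findings.append(("HIGH", "SSLValidateCert",
                         "upstream certificate validation is disabled: the proxy accepts any "
                         "origin certificate, so clients behind it cannot detect a forged origin"))
    proto = last("sslprotocol")
    if proto is None:
        findings.append(("LOW", "SSLProtocol",
                         "no protocol restriction configured; pin a TLS 1.2+ floor explicitly"))
    else:
        enabled = allowed_protocols(proto)
        if enabled & LEGACY:
            findings.append(("HIGH", "SSLProtocol",
                             "legacy versions still enabled: " + ", ".join(sorted(enabled & LEGACY))))
        if enabled & DEPRECATED:
            findings.append(("MEDIUM", "SSLProtocol",
                             "deprecated versions still enabled: " + ", ".join(sorted(enabled & DEPRECATED))))
    ciphers = last("sslciphers")
    if ciphers is not None and "!aNULL" not in ciphers:
        findings.append(("MEDIUM", "SSLCiphers",
                         "cipher list does not exclude anonymous (aNULL) suites"))
    if (last("sslcompression") or "on").lower() not in ("off", "no", "false"):
        findings.append(("LOW", "SSLCompression",
                         "TLS compression is not disabled (CRIME-style leakage)"))
    if last("listen") in ("0.0.0.0", "::", "[::]"):
        findings.append(("MEDIUM", "Listen",
                         "proxy is bound on every interface; bind it to the LAN-facing "
                         "address that the REDIRECT rule actually targets"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    return max((f[0] for f in findings), key=SEVERITY_RANK.__getitem__, default="OK")


# Constructed from the SSL snippets in the first answer.
FIRST_ANSWER_CONF = """\
SSLCertificate "/etc/ssl/certs/proxy-ca.crt"
SSLKey "/etc/ssl/private/proxy-ca.key"
SSLPort 8888
SSLValidateCert off # For testing only
SSLCiphers "HIGH:!aNULL:!MD5"
SSLProtocol ALL -SSLv2 -SSLv3
SSLSessionCacheTimeout 600
SSLCompression off
"""

# Constructed from the 'Final tinyproxy.conf' in the second answer.
SECOND_ANSWER_CONF = """\
User nobody
Group nogroup
Port 8888
Listen 0.0.0.0
Timeout 600
LogLevel Connect
ConnectPort 443
SSLListen On
SSLCertFile "/etc/tinyproxy/cert.pem"
SSLKeyFile "/etc/tinyproxy/key.pem"
Upstream none
DisableViaHeader Yes
"""

if __name__ == "__main__":
    for name, conf in (("first answer", FIRST_ANSWER_CONF), ("second answer", SECOND_ANSWER_CONF)):
        print(f"{name}: worst = {worst_severity(audit(conf))}")
        for sev, directive, why in audit(conf):
            print(f"  [{sev}] {directive}: {why}")
```

Run against the first answer's snippet it reports the disabled validation as HIGH and the TLS 1.0/1.1 leftover as MEDIUM; against the second answer's final config it reports the missing protocol and compression settings and the all-interfaces bind. The `last occurrence wins` rule in `audit` mirrors how repeated directives usually behave, so a hardening line appended at the end of a file is honoured.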