[squid-dev] Fwd: RFP: ssl-bump support for upstream proxy in transparent mode

Alexandr sss at sss.chaoslab.ru
Fri Jun 30 17:21:30 UTC 2017



-------- Original message --------
Subject: RFP: ssl-bump support for upstream proxy in transparent mode
Date: 2017-06-25 01:38
From: Alexandr <sss at sss.chaoslab.ru>
To: squid-dev at lists.squid-cache.org


Good day.
I am interested in ssl-bump, or at least splice, in transparent mode for
an upstream proxy.
Use case:
1. Squid is used in transparent mode like this:
iptables:
iptables -t nat -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3129
iptables -t nat -A PREROUTING -i br0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:3130
squid.conf:
cache_peer 192.168.0.1 parent 8118 0 no-digest no-query no-netdb-exchange no-delay name=tor max-conn=8 standby=2 default
cache_peer 192.168.0.1 parent 8128 0 no-digest no-query no-netdb-exchange no-delay name=i2p max-conn=16 standby=4 default

cache_peer_access i2p allow i2p
cache_peer_access i2p deny all
cache_peer_access tor allow tor
cache_peer_access tor allow blocked_russia
cache_peer_access tor deny all

never_direct allow tor
never_direct allow blocked_russia
never_direct allow i2p

always_direct deny tor
always_direct deny blocked_russia
always_direct deny i2p


http_port 192.168.0.1:3129 intercept
https_port 192.168.0.1:3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl/example.com.cert key=/etc/squid/ssl/example.com.private cipher=HIGH:!WEAK:!MEDIUM:!RC4 sslflags=VERIFY_CRL_ALL

// currently configured to splice SSL connections via the tor/i2p and blocked_russia ACLs

2. ssl-bump/splice is required for all connections.
3. Most of the internet is accessible directly, but some parts are accessible only
via the upstream proxy; in transparent mode, SSL/TLS connections via the
upstream proxy currently do not work.

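The routing part of the configuration above (cache_peer, cache_peer_access, never_direct, always_direct) is easy to get subtly wrong, because each list is evaluated first-match and a misordered "deny all" silently changes where a request goes. The following added example (not code from the post or from Squid) models that evaluation in simplified form, so the rules can be checked offline: each line's ACLs are ANDed, the first matching line wins, an unmatched list counts as deny, and when neither always_direct nor never_direct forces a decision, a peer whose cache_peer_access allows the request is preferred over going direct (Squid's prefer_direct default is off). The config text and ACL names are copied from the post; which ACL a given request matches is supplied by the caller.

```python
# Constructed routing-only excerpt of the squid.conf from the post.
SQUID_CONF = """
cache_peer 192.168.0.1 parent 8118 0 no-digest no-query name=tor default
cache_peer 192.168.0.1 parent 8128 0 no-digest no-query name=i2p default
cache_peer_access i2p allow i2p
cache_peer_access i2p deny all
cache_peer_access tor allow tor
cache_peer_access tor allow blocked_russia
cache_peer_access tor deny all
never_direct allow tor
never_direct allow blocked_russia
never_direct allow i2p
always_direct deny tor
always_direct deny blocked_russia
always_direct deny i2p
"""

def parse(conf):
    """Collect peers (in config order) and the four rule lists."""
    peers, peer_access, never, always = [], {}, [], []
    for line in conf.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "cache_peer":
            name = next((w[5:] for w in words if w.startswith("name=")), words[1])
            peers.append(name)
            peer_access.setdefault(name, [])
        elif words[0] == "cache_peer_access":
            peer_access.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "never_direct":
            never.append((words[1], words[2:]))
        elif words[0] == "always_direct":
            always.append((words[1], words[2:]))
    return peers, peer_access, never, always

def first_match(rules, matched):
    """Simplified ACL list: first line whose ACLs all match decides; 'all' always
    matches; no match -> deny (assumption, Squid's real default is more subtle)."""
    for action, acls in rules:
        if all(a == "all" or a in matched for a in acls):
            return action == "allow"
    return False

def route(conf, matched):
    """Return the peer name, 'DIRECT', or None when direct is forbidden but no
    peer accepts the request (a black hole worth catching before deployment)."""
    peers, peer_access, never, always = parse(conf)
    if first_match(always, matched):
        return "DIRECT"
    forced_via_peer = first_match(never, matched)
    for peer in peers:
        if first_match(peer_access[peer], matched):
            return peer
    return None if forced_via_peer else "DIRECT"
```

`matched` is the set of ACL names a request matches, e.g. `{"tor"}`; with the rules as posted, tor and blocked_russia traffic goes to the tor peer, i2p to the i2p peer, and everything else direct.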

