[squid-users] sslbump working with 3.4.9 but not in intercept mode?

Eliezer Croitoru eliezer at ngtech.co.il
Mon Nov 10 10:43:21 UTC 2014



Can you send all ssl_bump related settings?
There are some missing parts in the settings.
If there is a bug/error the full details are needed to analyze the
subject.
I need:
- OS details
- machine details
- network topology
- cache logs
- access logs

Eliezer

On 11/10/2014 11:17 AM, Jason Haar wrote:
> Hi there, I've googled about for this but I think most of the
> squid intercept stuff refers to 3.2 and I think things have changed
> since then?
> 
> I have squid-3.4.9 running with sslbump, and when I configure my
> browser to use it as a proxy, it bumps the certs nicely, signing
> "fake" certs/etc. I then added an iptables run to redirect outbound
> tcp/80 onto port 3129 (see below) and that transparently proxies
> all port 80 - great. I then went through the same exercise with
> sslbump, but when I put in an iptables rule to redirect outbound
> tcp/443 traffic onto 3127, it doesn't bump - it acts like a TCP
> forwarder instead. I get a "CONNECT ip.add.ress:443" log record -
> no sign of the hostname and no bumping.
> 
> http_port 3126 ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
> http_port 3129 transparent
> https_port 3127 transparent ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
> 
> acl SSL_nonHTTPS_sites dstdom_regex "/etc/squid/SSL_nonHTTPS_sites.txt"
> acl SSL_noIntercept_sites dstdom_regex "/etc/squid/SSL_noIntercept_sites.txt"
> ssl_bump none SSL_nonHTTPS_sites
> ssl_bump none SSL_noIntercept_sites
> ssl_bump server-first all
> 
> So these older search-engine pages I came across claimed this
> should work with squid, but either I am missing something, or this
> doesn't work in 3.4.9?
> 
> Thanks

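The reply above asks for "all ssl_bump related settings". The following is an added example, not code from the thread or from the Squid project: a small squid.conf extractor that collects exactly that subset (the `http_port`/`https_port` lines, the `ssl_bump` rules and the `acl` definitions those rules reference), and flags two things worth checking before reading logs: an `ssl_bump` rule that names an acl which is never defined, and listening ports that still use the `transparent` keyword, which Squid 3.1 and later accept as a deprecated synonym of `intercept`. The embedded config is a constructed sample laid out like the one quoted in the question; the extractor reports configuration facts only and does not attempt to diagnose why a connection was tunnelled rather than bumped.

```python
"""Collect the ssl_bump-related directives from a squid.conf and lint them.

Added example (not from the squid-users thread or the Squid project).
"""
import shlex

# Constructed sample config mirroring the layout quoted in the question.
SAMPLE_CONF = """\
# global settings
http_port 3126 ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
http_port 3129 transparent
https_port 3127 transparent ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL

acl SSL_nonHTTPS_sites dstdom_regex "/etc/squid/SSL_nonHTTPS_sites.txt"
acl SSL_noIntercept_sites dstdom_regex "/etc/squid/SSL_noIntercept_sites.txt"
ssl_bump none SSL_nonHTTPS_sites
ssl_bump none SSL_noIntercept_sites
ssl_bump server-first all
acl localnet src 10.0.0.0/8   # unrelated acl, must not appear in the report
"""

PORT_DIRECTIVES = {"http_port", "https_port"}
BUILTIN_ACLS = {"all"}   # 'all' is predefined by Squid and never declared with 'acl'


def parse_conf(text):
    """Return (directive, [args]) tuples, skipping blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = shlex.split(line)   # honours the quoted acl file paths
        entries.append((parts[0], parts[1:]))
    return entries


def ssl_bump_report(text):
    """Gather ports, ssl_bump rules and the acls they reference; flag problems."""
    ports, rules, acl_defs = [], [], {}
    for directive, args in parse_conf(text):
        if directive in PORT_DIRECTIVES:
            ports.append((directive, args))
        elif directive == "ssl_bump":
            rules.append(args)
        elif directive == "acl" and len(args) >= 2:
            acl_defs.setdefault(args[0], []).append(args[1:])

    # args[0] of an ssl_bump rule is the action (none/client-first/server-first);
    # the remaining tokens are acl names, optionally negated with '!'.
    referenced = {name.lstrip("!") for args in rules for name in args[1:]}

    undefined = sorted(referenced - set(acl_defs) - BUILTIN_ACLS)
    # 'transparent' is the pre-3.1 spelling of 'intercept'; still accepted, but deprecated.
    deprecated = [f"{d} {a[0]}" for d, a in ports if "transparent" in a]
    related_acls = {n: acl_defs[n] for n in sorted(referenced & set(acl_defs))}

    return {
        "ports": ports,
        "rules": rules,
        "acls": related_acls,
        "undefined_acls": undefined,
        "deprecated_transparent": deprecated,
    }


if __name__ == "__main__":
    report = ssl_bump_report(SAMPLE_CONF)
    for directive, args in report["ports"]:
        print(directive, " ".join(args))
    for name, defs in report["acls"].items():
        for d in defs:
            print("acl", name, " ".join(d))
    for args in report["rules"]:
        print("ssl_bump", " ".join(args))
    if report["undefined_acls"]:
        print("WARNING: ssl_bump references undefined acl(s):", report["undefined_acls"])
    if report["deprecated_transparent"]:
        print("NOTE: 'transparent' is a deprecated synonym of 'intercept' on:",
              report["deprecated_transparent"])
```

Running the script on a real `squid.conf` means replacing `SAMPLE_CONF` with the file's contents; the printed subset is what a list reader needs to reason about the bump decision, without the rest of the configuration.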

