[squid-users] R: R: R: Problem with Squid 3.4 and transparent SSL proxy

Job Job at colliniconsulting.it
Thu Nov 13 22:16:50 UTC 2014


Hello Amos, thank you!

I solved it with this configuration:

http_port 3128
http_port 192.168.10.254:3129 intercept
https_port 192.168.10.254:3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH options=NO_SSLv2

as you told me to find Peter G.'s thread! Now it works well, I think.

Just a question: can both transparent and explicit proxy coexist with interception and SSL bump?
Or do I have to duplicate the configurations of host and ports in squid.conf?

Thank you again,
Francesco


________________________________________
From: Amos Jeffries [squid3 at treenet.co.nz]
Sent: Thursday, 13 November 2014 5:51
To: Job; squid-users at lists.squid-cache.org
Subject: Re: R: R: [squid-users] Problem with Squid 3.4 and transparent SSL proxy

On 12/11/2014 9:55 p.m., Job wrote:
> Thank you Amos, for everything.
>
> I route with REDIRECT all outgoing connections to port tcp/443 from
> my LAN:
>
> iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
>
> In Squid, I have these configurations:
>
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
>
>  Do you think my iptables rule is wrong?

The iptables looks fine.

Peter G, in a recent thread added the IP address Squid was being
contacted on to the port details. Maybe that will work for you too.

Amos
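
Added example, not part of the thread or of Squid itself: a small Python audit that parses the http_port/https_port lines of a squid.conf and reports intercept listeners that have no bound IP address, which is the difference between the two configurations quoted above. The sample configs are constructed from the thread with the option lists shortened; the function names and finding texts are hypothetical.

```python
import re

# Constructed from the two configurations quoted in the thread (options shortened).
BEFORE = """\
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
"""
AFTER = """\
http_port 3128
http_port 192.168.10.254:3129 intercept
https_port 192.168.10.254:3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
"""

PORT_RE = re.compile(r"^(https?_port)\s+(?:(\[[^\]]+\]|[^\s:]+):)?(\d+)\s*(.*)$")

def parse_ports(conf):
    """Return one dict per http_port/https_port directive in squid.conf text."""
    ports = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = PORT_RE.match(line)
        if not m:
            continue
        directive, addr, port, rest = m.groups()
        tokens = rest.split()
        ports.append({
            "directive": directive,
            "address": addr,                   # None when only a port is given
            "port": int(port),
            "flags": {t for t in tokens if "=" not in t},
            "options": dict(t.split("=", 1) for t in tokens if "=" in t),
        })
    return ports

def audit(conf):
    """List (port, finding) pairs for intercept and ssl-bump listeners."""
    findings = []
    for p in parse_ports(conf):
        intercept = bool(p["flags"] & {"intercept", "tproxy"})
        if intercept and p["address"] is None:
            findings.append((p["port"], "intercept listener has no bound IP address"))
        if "ssl-bump" in p["flags"] and "cert" not in p["options"]:
            findings.append((p["port"], "ssl-bump listener has no cert= option"))
    return findings

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf) or "no findings")
```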

