[squid-users] Peek and splice without replacing the certificates

Marcus Kool marcus.kool at urlfilterdb.com
Mon Dec 14 16:52:10 UTC 2015



On 12/14/2015 06:43 AM, Парфенович Н.А. wrote:
> Hello! Could you show me how to use Squid in transparent mode for tracking HTTPS without replacing the certificates?
> My squid.conf: http://pastebin.ru/AWU8LXvK. If I use this configuration file
> with Squid version 3.5.8 compiled against LibreSSL, everything works
> fine. But if I use version 3.5.9 or above, Squid starts getting "terminated" once
> the number of clients exceeds 20. Moreover, it is interrupted for no apparent reason and with no messages in the logs. I also tested versions >= 4.0, and the effect is the same: Squid is "terminated". How can I overcome the problem? Is my
> configuration correct? Thank you in advance. P.S.: Sorry for my English.

Depending on how you define "tracking" ...

Your squid config has:

acl blocked ssl::server_name  "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all

So it seems that you want to peek and block a few sites based on the SNI and splice all other allowed sites.
When you splice, the TLS/SSL connection is untouched so the original certificates of the webservers are used.
I am not 100% sure, but it seems that to configure sslbump, one must define a fake CA certificate to tell Squid to do sslbumping.
But since you never bump (only terminate or splice) the fake CA certificate is never used.

To debug the sslbump feature you need to set
debug_options ALL,1 33,9 83,9
and carefully look at cache.log to see what is going wrong.

Marcus
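Added example, not part of the thread or of Squid: the peek/terminate/splice rules above decide on the basis of what the proxy can read from the client's TLS ClientHello before any certificate is involved, which is the SNI host_name and nothing else (no URL, no headers). The script below builds a minimal ClientHello, extracts the SNI the way a peeking proxy would, and applies the same rule order as the poster's config: terminate if the name is on the blocklist, otherwise splice. The blocklist contents and the dot-prefix matching rule are assumptions standing in for /etc/squid/blocked_https.txt and squid's own ACL semantics; they are not taken from the poster's file or from Squid's implementation.

```python
import struct

# Constructed blocklist standing in for /etc/squid/blocked_https.txt (assumption, not the poster's file).
BLOCKED = [".example.org", "tracker.example.net"]


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record, optionally carrying an SNI extension.
    Constructed test input: real clients send far more cipher suites and extensions."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_entry = b"\x00" + _u16(len(host)) + host            # name_type 0 = host_name
        sni_body = _u16(len(name_entry)) + name_entry            # ServerNameList
        extensions += _u16(0) + _u16(len(sni_body)) + sni_body   # extension type 0 = server_name
    body = (
        b"\x03\x03"                        # client_version: TLS 1.2
        + b"\x11" * 32                     # random (fixed bytes are fine for a constructed hello)
        + b"\x00"                          # session_id length 0
        + _u16(2) + b"\xc0\x2f"            # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                      # one compression method: null
        + _u16(len(extensions)) + extensions
    )
    handshake = b"\x01" + _u24(len(body)) + body                  # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake     # record: handshake, TLS 1.0 wire version


def _extract_sni(record):
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    if pos >= len(body):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0:
            # ServerNameList: u16 list length, then entries of (u8 name_type, u16 length, name)
            p = 2
            while p + 3 <= len(ext):
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return ext[p:p + name_len].decode("ascii", "replace")
                p += name_len
    return None


def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, None if it carries none,
    and raise ValueError for anything that is not a well-formed ClientHello."""
    try:
        return _extract_sni(record)
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def matches_blocklist(host, blocked=BLOCKED):
    """Simplified matching model (an assumption here, not squid's implementation):
    an entry with a leading dot matches that domain and all its subdomains,
    an entry without one matches exactly."""
    host = host.lower().rstrip(".")
    for entry in blocked:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(record):
    """Same rule order as the posted config: peek (read the SNI), terminate if blocked, else splice."""
    sni = extract_sni(record)
    if sni is not None and matches_blocklist(sni):
        return "terminate"
    return "splice"


if __name__ == "__main__":
    for name in ("www.example.org", "notexample.org", "tracker.example.net", None):
        print(name, "->", decide(build_client_hello(name)))
```

Two things worth noting. The decision is made on an unauthenticated string the client chose to put in its ClientHello, so a client can send a different SNI (or none) than the host it actually wants; in this model a ClientHello without SNI is spliced, and what squid itself matches in that case depends on the other sources its ssl::server_name ACL can use, which is not shown here. And because the spliced connection is never decrypted, the server's own certificate reaches the client unchanged, which is the "without replacing the certificates" property the poster asked about.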

