[squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump

Wed Jun 24 16:00:42 UTC 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Tom,

one simple question.

Soon, all or almost all the Internet go into HTTPS. Why do you then need
caching proxy? The tunnel connection and process ACLs?

My second question to Amos. Amos, what the hell do we under these
conditions caching proxy?

WBR, Yuri

24.06.15 21:41, Tom Mowbray пишет:
> Squid 3.5.5
>
> I seem to have some confusion about how acl lists are processed in
> squid.conf regarding the handling of SSL (HTTPS) traffic, attempting
to use
> ssl_bump directives with transparent proxy.
>
> Based on available documentation, I believe my squid.conf is correct,
> however it never seems to actually behave as expected.
>
> I define the SSL port, as usual:
>
> acl SSL_ports port 443
>
> But here's where my confusion lies... Many state to place the following
> line above the ssl_bump configuration lines:
>
> http_access allow SSL_ports
>
> However when I do this, it appears to simply stop processing any other
> rules and allows ALL https traffic through the proxy (which is
actually how
> I'd expect a standard ACL list to operate, but then how do I actually
> filter the traffic though our content-based ACL lists?).  If I put the
> above line below the ssl_bump configuration options in my squid.conf, then
> it appears to BUMP all, even though I've told the config to SPLICE all
> https traffic, which doesn't work for our deployment.
>
> So, does squid actually continue to process the https traffic using the
> ssl_bump rules if the "http_access allow SSL_ports" line is placed
above it
> in the configuration?
>
> I should note that we've been able to get filtering to work correctly when
> using our configuration in NON-transparent mode, however our goal is get
> this functionality working as a transparent proxy.  We're unable to load
> our self-signed cert onto client machines that will be accessing the
proxy,
> so using the "bump" or man-in-the-middle style https filtering isn't a
> viable option for us.
>
> Any help or advice is appreciated!
>
> Thanks,
>
> Tom
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVitQqAAoJENNXIZxhPexGDaQIAKtb0MvhmOlS6OpGHNCjvWqd
dYXvdm+gMGE2NSl1FPAUa1sz6zj2gyI21p0nWZZu+BPWRa3Puo2XJDFlujtLtbgq
Tsqf7WeKD/dxSJzK1ooIK4OsxSpXpHchHcPnUTZ4qMPDBaAy5JKnqHK4IaX6Py5u
8AByGDCWkacHOZsjgvWpjlqoPK3bGwHsoQTTp6bs87J1JkpWdrw2eKjQCK4OfCA3
hra/kp38UFIMm/Jy8TPIv1jzx8CJsC72ImovovBSuPn7Aq2QXNyO3ZVC/TtBVHVi
x63zzJ1B599ZOZ2QqeL2fAyzeYr7ZL6MT+J6l8Vk0YvUCCO63b1rwX1Jp4qMyog=
=kTMC
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150624/c1c97d47/attachment-0001.html>