[squid-users] squid module to "simulate" CONNECT setup to facilitate intercepted https

Alex Rousskov rousskov at measurement-factory.com
Mon Nov 9 15:03:15 UTC 2015

On 11/08/2015 11:33 PM, Mark Carey wrote:

> What I am interested in is whether there is or ever was a squid module that;
> 1. is suitable for running in intercept mode
> 2. maintains a list of active https connections
> 3. checks the acls to see if access is permitted, to the extent
> permitted by https, so some checks would need to pass through lack of
> sufficient information
> 4. when a new https connection is intercepted (internally fakes the
> setup of a CONNECT tunnel)
> 5. if permitted and a suitable CONNECT tunnel exists shovels bits back
> and forward like a traditional non intercepted proxy
> 6. if not returns icmp host unreachable
> 7. accounts for traffic in the same way as squid would in a configured
> proxy setup
> Has anyone tried this?  Or is the answer download the source and
> patches welcome?

AFAICT, SslBump with "peek at and then splice everything" rules will
give you most if not all of the above:



More information about the squid-users mailing list