[squid-users] SSL bumping without faked server certificates

Stefan Kutzke stefan.kutzke at bettermarks.com
Tue Nov 10 14:05:06 UTC 2015


I needed to set up Squid as a transparent proxy with SSL bumping for only one single https website.
The goal was to bump https connections to this website with its official signed SSL certificate.

As an illustration:

Website/hostname: https://abc.mydomain.com
DNS: abc.mydomain.com A
Official wildcard certificate: CN = *.mydomain.com (server.crt, server.key)

I used Squid 3.4.10 from the CentOS repository and configured iptables DNAT rules for intercepting.

Squid config:
https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>
acl MYSITE dst
ssl_bump server-first MYSITE
ssl_bump none all

Everything worked perfectly. All traffic to https://abc.mydomain.com was bumped for caching purposes,
all traffic to other https websites was simply tunneled. Squid did not need to generate faked server certificates
and clients were left untouched (no proxy settings, no self-signed CA).

Now some parts of the website are delivered by Amazon CloudFront. CloudFront has the SSL certificate installed
(same official signed certificate as mentioned above).

Additional website/hostname: https://xyz.mydomain.com
DNS: xyz.mydomain.com CNAME <distribution>.cloudfront.net
Official wildcard certificate: CN = *.mydomain.com (server.crt, server.key)

I cannot simply extend my ACL with all destination IPs used by CloudFront, because these are shared IPs and
CloudFront needs to know which domain/hostname is asked to provide the correct certificate. Usually a client
uses the SNI extension of TLS to transmit the required domain/hostname.

I have heard of the new "SSL Peek and Splice" feature in Squid 3.5 but can't get it working (Squid 3.5.9).

My assumption is that I have to use in Squid's config:
https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>
acl MYSITE ssl::server_name .mydomain.com
ssl_bump bump MYSITE
ssl_bump splice all

This results in tunneling all https traffic, nothing will be bumped and cached. I'm a little bit confused about the

Under the headline "Processing steps":
Step 2:

  1.  Get TLS clientHello info, including SNI where available.

Under the headline "Actions":
peek/stare Receive client SNI (step1), ...

Is it possible to achieve my goal with Squid in transparent mode?
In other words: Is there a way to bump https connections to destinations with shared IPs?
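As an added example that is not part of the original post: with the rules above, the ssl::server_name ACL is evaluated at step 1, before Squid has read the ClientHello, so it never matches and "splice all" wins. Squid 3.5's documented peek-and-splice ordering defers the decision to step 2 (the at_step ACL and the peek action are from Squid's own ssl_bump documentation; host names and file names are the poster's placeholders):

```conf
# Added example, not the poster's configuration.
https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>

# Step marker ACL: true only while Squid is at SslBump step 1.
acl step1 at_step SslBump1
# SNI-based ACL: only matches once the ClientHello has been peeked.
acl MYSITE ssl::server_name .mydomain.com

# Step 1: read the ClientHello (including SNI) without deciding yet.
ssl_bump peek step1
# Step 2: SNI is now known; bump only our own domain, whose key we hold.
ssl_bump bump MYSITE
# Everything else, including clients that send no SNI, stays a tunnel.
ssl_bump splice all
```

Connections without an SNI (or with a name outside .mydomain.com) fall through to "splice all", so clients never see a certificate other than the one they asked for.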

