[squid-users] sslBump somehow interferes with authentication

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 11 18:44:58 UTC 2015


On 12/11/2015 7:12 a.m., Eugene M. Zheganin wrote:
> 
> As soon as I add sslBump, everything that is bumped starts to be
> blocked by 'http_access deny unauthorized' (everything that's spliced
> works as intended). And I completely cannot understand why. Yes, I can
> remove this line, but this way I'm losing deny_info for specific cases
> when someone fails to authorize, and plus - without sslBump it was
> working, right? Please help me understand this and solve the issue.
> 

Proxy-authentication cannot be performed on MITM'd traffic. That
includes SSL-bump decrypted messages.

However, unlike the other methods, SSL-bump CONNECT wrapper messages in
explicit-proxy traffic can be authenticated and their credentials
inherited by the messages decrypted. Squid should be doing that. But
again it cannot do it for the fake/synthetic ones it generates itself on
intercepted port 443 traffic.

So the question becomes, why are foo and bar ACLs not matching?
http_access rules are applied separately to the CONNECT wrapper message
and to the decrypted non-CONNECT HTTP message(s).

Amos


