[squid-users] Transparent HTTPS Squid proxy with upstream parent
Amos Jeffries
squid3 at treenet.co.nz
Tue Nov 24 05:26:07 UTC 2015
On 24/11/2015 5:49 p.m., Michael Ludvig wrote:
> Hi Amos
>
> On 09/11/15 12:55, Amos Jeffries wrote:
>> On 9/11/2015 11:55 a.m., Michael Ludvig wrote:
>>> [client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS ->
>>> [target]
>>>
>>> Can you provide some config hints for both proxies please? The
>>> SSL-related bits only as that's the unclear part.
>> my_proxy:
>> cache_peer example.com 3129 0 ssl
>>
>> upstream_proxy:
>> https_port 3129 cert=/path/to/cert
>
> This works well when the [client] has $https_proxy set to point to
> [my_proxy] - it then talks SSL to [upstream_proxy] and things work nicely.
>
That is for what you documented:
[client] -> HTTPS -> [my_proxy]
> However with transparent proxy / sslbump on [my_proxy] I keep getting:
>
That is two separate and entirely different traffic types:
A) [client] -> HTTP--(NAT)--> [my_proxy]
B) [client] -> TLS--(NAT)--> [my_proxy]
(A) requires "http_port ... intercept ssl-bump cert=/path/to/cert"
(B) requires "https_port ... intercept ssl-bump cert=/path/to/cert"
above is the minimum configuration. The generate-* etc settings you
mention below are useful as well.
> Failed to establish a secure connection to 10.205.28.183 (=this is
> [upstream_proxy])
> The system returned:
> [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
> Certificate does not match domainname: /C=NZ/O=Example
> CA/CN=parent.example.com
>
> On [my_proxy] I've got:
> https_port 8443 intercept ssl-bump generate-host-certificates=on \
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/intermediate.pem
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
This is bumping with only the client details known. In order to
impersonate the server you also need to fetch the server details (peek
or stare at step2), then bump at step3.
Aymeric also recently found a bug in the SNI details being sent to
peers. The very latest 3.5 snapshot may be needed as well as the step2
config change.
Amos
More information about the squid-users
mailing list