[squid-users] ssl-bump

Alex Samad alex at samad.com.au
Mon Feb 8 23:52:12 UTC 2016


Hi

Starting to look at ssl-bump, found
http://wiki.squid-cache.org/Features/SslPeekAndSplice
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

I gather I need to modify my http_port to look something like

http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB


from http_port 3128

I have generated an int CA of our internal CA. The cert option above
points to a PEM file. Does that have pub and private in there?

I wanted to test this on a specific IP, so using

# pick up from a file
acl NoBump ssl::server_name   /etc/squid/lists/noSSLPeek.lst
acl NoBump src  <testip>

# for testing
acl haveServerName ssl::server_name google.com


# Do no harm:
# Splice indeterminate traffic.
ssl_bump splice NoBump
ssl_bump bump haveServerName
ssl_bump peek all
ssl_bump splice all


The way I read this is: if I come from an address other than the
testip, the connect goes through.
But for the test IP I try and peek, and if not, splice.

Create and initialize SSL certificates cache directory <<< where do I
set this directory in squid config?
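
The post asks whether the PEM file given to cert= holds both the certificate and the private key; Squid's http_port documentation states that when key= is not given, the cert= file is assumed to be a combined certificate and key file. The following is an added example, not part of the original post: a shell check that reports what a PEM file contains and whether the key matches the certificate. The helper name check_bump_pem is hypothetical, and the check assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: check_bump_pem is a hypothetical helper, not part of Squid.
# Prints one of: unreadable | no-pem | cert-only | key-only | mismatch | combined
check_bump_pem() {
    pem=$1
    [ -r "$pem" ] || { echo unreadable; return 1; }

    has_cert=no
    has_key=no
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" && has_cert=yes
    # Covers PKCS#8 and the traditional RSA/EC headers, encrypted or not.
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" && has_key=yes

    case "$has_cert/$has_key" in
        no/no)  echo no-pem;    return 1 ;;
        yes/no) echo cert-only; return 1 ;;
        no/yes) echo key-only;  return 1 ;;
    esac

    # Both blocks exist: compare the public key in the first certificate
    # with the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -pubout -passin pass: 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo combined
        return 0
    fi
    echo mismatch   # also reported for a passphrase-protected key
    return 1
}
```

A result of cert-only means the private key lives in a separate file, which http_port would need to be given through its key= option.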

