[squid-users] ssl-bump

Alex Samad alex at samad.com.au
Tue Feb 9 00:09:09 UTC 2016


got the ACL backwards

# ssl-bump
# pick up from a file
#acl NoBump ssl::server_name   /etc/squid/lists/noSSLPeek.lst

# Alex test machine
acl testIP src  10.172.208.105

# for testing
acl haveServerName ssl::server_name .google.com


# Do no harm:
# Splice indeterminate traffic.
# Negation is written as a prefix with no space: !testIP
ssl_bump splice !testIP
# The NoBump acl is commented out above; Squid refuses to start when an
# ssl_bump rule names an undefined ACL, so this rule stays commented until
# the acl line (and its list file) exists.
#ssl_bump splice NoBump
ssl_bump bump haveServerName
ssl_bump peek all
ssl_bump splice all

On 9 February 2016 at 10:52, Alex Samad <alex at samad.com.au> wrote:
> Hi
>
> Starting to look at ssl-bump found
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> I gather I need to modify my http_port to look something like
>
> http_port 3128 ssl-bump \
>   cert=/etc/squid/ssl_cert/myCA.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
>
> from http_port 3128
>
> I have generated an int CA from our internal CA; the cert option above
> points to a pem file. Does that have pub and private in there?
>
> I wanted to test this on a specific IP, so I am using
>
> # pick up from a file
> acl NoBump ssl::server_name   /etc/squid/lists/noSSLPeek.lst
> acl NoBump src  <testip>
>
> # for testing
> acl haveServerName ssl::server_name google.com
>
>
> # Do no harm:
> # Splice indeterminate traffic.
> ssl_bump splice NoBump
> ssl_bump bump haveServerName
> ssl_bump peek all
> ssl_bump splice all
>
>
> The way I read this is: if I come from an address other than the
> test IP, the connect goes through.
> But for the test IP I try and peek, and if not, splice.
>
> Create and initialize SSL certificates cache directory <<< where do I
> set this directory in the squid config?
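An added illustration of the rule evaluation this thread is about, not code from the original post or from Squid itself: a small Python model of how Squid walks the acl and ssl_bump lines, showing side by side the one-name-two-types clash of the first attempt, the backwards first rule, the exact versus dotted server name, and the bare "!" token. The IP addresses, host names and the .bank.example entry are constructed samples; the model evaluates the rule list once against whatever server name is known and does not replay Squid's multi-step peek process.

```python
# Added model of Squid's ssl_bump evaluation (not Squid code).  Rules are
# scanned top to bottom; the first rule whose whole ACL list matches wins,
# "!" negates one ACL and "all" always matches.  ssl::server_name values use
# dstdomain-style matching: ".google.com" covers google.com and every
# subdomain, "google.com" only that exact name.  All addresses and names
# below are constructed samples.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Conn:
    src: str                           # client address
    server_name: Optional[str] = None  # CONNECT host or TLS SNI, if known


def parse_config(text):
    """Return ({acl name: (type, values)}, [(action, [terms])]) or raise
    ValueError for the mistakes Squid itself rejects at startup."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        if directive == "acl":
            name, acl_type, *values = args
            if name in acls and acls[name][0] != acl_type:
                raise ValueError(f"ACL '{name}' already exists with a different type")
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif directive == "ssl_bump":
            action, *terms = args
            rules.append((action, terms))
    # Every ACL named in a rule must exist.  "!" is a prefix of the name, so
    # a bare "!" token (as in "splice ! testIP") names the empty ACL.
    for _, terms in rules:
        for term in terms:
            name = term[1:] if term.startswith("!") else term
            if name != "all" and name not in acls:
                raise ValueError(f"ACL name '{name}' not defined")
    return acls, rules


def config_error(text):
    """Parse error message, or None when the config is accepted."""
    try:
        parse_config(text)
    except ValueError as e:
        return str(e)
    return None


def acl_matches(acl_type, values, conn):
    if acl_type == "src":
        ip = ipaddress.ip_address(conn.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "ssl::server_name":
        if conn.server_name is None:
            return False
        name = conn.server_name.lower().rstrip(".")
        for v in values:
            v = v.lower()
            if v.startswith("."):
                if name == v[1:] or name.endswith(v):
                    return True
            elif name == v:
                return True
        return False
    raise ValueError(f"ACL type '{acl_type}' not modelled")


def decide(acls, rules, conn):
    """First ssl_bump rule whose ACL list fully matches wins.  None means no
    rule matched; both configs here end in 'splice all', so that never happens."""
    for action, terms in rules:
        for term in terms:
            negated = term.startswith("!")
            name = term[1:] if negated else term
            hit = True if name == "all" else acl_matches(*acls[name], conn)
            if hit == negated:
                break
        else:
            return action
    return None


# First attempt from the quoted message: one ACL name given two types.
MIXED = """
acl NoBump ssl::server_name .bank.example
acl NoBump src 10.172.208.105
ssl_bump splice NoBump
"""

# Same logic with the type clash removed: the test machine is the one host
# that is never bumped, and "google.com" misses www.google.com.
BACKWARDS = """
acl testIP src 10.172.208.105
acl haveServerName ssl::server_name google.com
ssl_bump splice testIP
ssl_bump bump haveServerName
ssl_bump peek all
ssl_bump splice all
"""

# Corrected rules from the top of the page, negation written as !testIP.
CORRECTED = """
acl testIP src 10.172.208.105
acl haveServerName ssl::server_name .google.com
ssl_bump splice !testIP
ssl_bump bump haveServerName
ssl_bump peek all
ssl_bump splice all
"""

if __name__ == "__main__":
    print("MIXED:", config_error(MIXED))
    for label, cfg in (("BACKWARDS", BACKWARDS), ("CORRECTED", CORRECTED)):
        acls, rules = parse_config(cfg)
        for conn in (Conn("10.172.208.105", "www.google.com"),
                     Conn("10.172.208.9", "www.google.com"),
                     Conn("10.172.208.9", "google.com")):
            print(label, conn.src, conn.server_name, "->", decide(acls, rules, conn))
```

Running it shows the corrected list bumping only the test machine's .google.com connections and splicing everyone else up front, while the backwards list splices the test machine and bumps every other client that hits exactly "google.com". It is a model for reasoning about rule order; the authoritative check is still `squid -k parse` against the real squid.conf.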
