[squid-users] ssl-bump

ksv rgh ksvrgh at gmail.com
Tue Feb 9 10:17:20 UTC 2016


@Alex, could you please share the config options that you set while
building Squid for ssl-bumping? I have been having a really tough time
getting it right. Also, which OS are you running it on?

My use case is to enable ssl-bump and cache HTTPS content
(documents, videos etc. that are downloaded from an SSL-enabled site).

On 9 February 2016 at 06:54, Alex Samad <alex at samad.com.au> wrote:

> Hi
>
> Got this working. Wondering what the benefits are; wandering around
> Google, YouTube, Facebook, not seeing much cache.   At least I can pass
> downloads through ClamAV...
>
> Are other people seeing caching of these sites?
>
>
> On 9 February 2016 at 11:09, Alex Samad <alex at samad.com.au> wrote:
> > got the ACL backwards
> >
> > # ssl-bump
> > # pick up from a file
> > #acl NoBump ssl::server_name   /etc/squid/lists/noSSLPeek.lst
> >
> > # Alex test machine
> > acl testIP src  10.172.208.105
> >
> > # for testing
> > acl haveServerName ssl::server_name .google.com
> >
> >
> > # Do no harm:
> > # Splice indeterminate traffic.
> > ssl_bump splice ! testIP
> > ssl_bump splice NoBump
> > ssl_bump bump haveServerName
> > ssl_bump peek all
> > ssl_bump splice all
> >
> > On 9 February 2016 at 10:52, Alex Samad <alex at samad.com.au> wrote:
> >> Hi
> >>
> >> Starting to look at ssl-bump found
> >> http://wiki.squid-cache.org/Features/SslPeekAndSplice
> >> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> >>
> >> I gather I need to modify my http_port to look something like
> >>
> >> http_port 3128 ssl-bump \
> >>   cert=/etc/squid/ssl_cert/myCA.pem \
> >>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> >>
> >>
> >> from http_port 3128
> >>
> >> I have generated an intermediate CA from our internal CA; the cert option above
> >> points to a pem file. Does that have the public and private key in there?
> >>
> >> I wanted to test this on a specific IP, so I am using
> >>
> >> # pick up from a file
> >> acl NoBump ssl::server_name   /etc/squid/lists/noSSLPeek.lst
> >> acl NoBump src  <testip>
> >>
> >> # for testing
> >> acl haveServerName ssl::server_name google.com
> >>
> >>
> >> # Do no harm:
> >> # Splice indeterminate traffic.
> >> ssl_bump splice NoBump
> >> ssl_bump bump haveServerName
> >> ssl_bump peek all
> >> ssl_bump splice all
> >>
> >>
> >> The way I read this is: if I come from an address other than the
> >> test IP, the CONNECT goes through.
> >> But for the test IP I try to peek, and if not, splice.
> >>
> >> "Create and initialize SSL certificates cache directory" <<< where do I
> >> set this directory in the squid config?
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
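The setup the thread is circling (a bumping CA in one PEM, the ssl-bump port, the
certificate cache directory and the peek/splice/bump rule order) as one worked
script. This is an added example, not config or code from the thread, from Alex,
or from the Squid project. Assumptions are marked in the comments: the helper
path /usr/lib64/squid/ssl_crtd (the Squid 3.5 name; Squid 4 calls it
security_file_certgen), the squid:squid service user, the cache directory
/var/lib/ssl_db, and the test client 10.172.208.105 taken from the quoted config.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): build a private CA
# for bumping, verify the PEM that squid's cert= option expects, write a minimal
# ssl-bump config and initialise the certificate cache directory.
# Assumed paths: /usr/lib64/squid/ssl_crtd, /var/lib/ssl_db, service user squid.

# Generate a self-signed CA (assumption: openssl installed). The resulting
# myCA.pem holds the certificate followed by the private key, which is the
# combined form squid accepts when only cert= (and no key=) is given.
make_bump_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$dir/myCA.key" -out "$dir/myCA.crt" \
        -subj "/CN=Example Squid Bump CA" >/dev/null 2>&1
    cat "$dir/myCA.crt" "$dir/myCA.key" > "$dir/myCA.pem"
    # The key signs certificates every client trusts: keep it unreadable.
    chmod 600 "$dir/myCA.pem" "$dir/myCA.key"
}

# Return 0 only if the PEM carries both a certificate and a private key block.
pem_has_cert_and_key() {
    if grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"; then
        return 0
    fi
    return 1
}

# Write the ssl-bump config. $1 output file, $2 CA PEM, $3 certificate cache
# directory, $4 the single client IP that may be bumped.
write_squid_conf() {
    out=$1; ca=$2; ssldb=$3; testip=$4
    cat > "$out" <<EOF
# Explicit proxy port with dynamic certificate generation
http_port 3128 ssl-bump \\
  cert=$ca \\
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# On-disk cache of generated certificates: the directory created with
# "ssl_crtd -c -s ..." is handed to squid here (helper path is an assumption)
sslcrtd_program /usr/lib64/squid/ssl_crtd -s $ssldb -M 4MB
sslcrtd_children 5

acl step1 at_step SslBump1
acl testIP src $testip
acl NoBump ssl::server_name "/etc/squid/lists/noSSLPeek.lst"
acl haveServerName ssl::server_name .google.com

# Step 1 (CONNECT): tunnel everyone except the test client untouched
ssl_bump splice !testIP
# Peek at the ClientHello only, so ssl::server_name is the real SNI and a
# bump decision is still allowed afterwards
ssl_bump peek step1
# Step 2 (after ClientHello): never bump listed names, bump the test domain,
# splice everything else (do no harm)
ssl_bump splice NoBump
ssl_bump bump haveServerName
ssl_bump splice all
EOF
}

# Create and initialise the certificate cache (the "ssl_crtd -c" step); run it
# before starting squid and make it writable by the service user (assumption).
init_cert_cache() {
    helper=${SSL_CRTD:-/usr/lib64/squid/ssl_crtd}
    "$helper" -c -s "$1" -M 4MB
    chown -R squid:squid "$1"
}

# Full setup only when invoked as: sh ssl-bump-setup.sh setup
if [ "${1:-}" = setup ]; then
    make_bump_ca /etc/squid/ssl_cert
    pem_has_cert_and_key /etc/squid/ssl_cert/myCA.pem || exit 1
    write_squid_conf /etc/squid/ssl-bump.conf /etc/squid/ssl_cert/myCA.pem \
        /var/lib/ssl_db 10.172.208.105
    init_cert_cache /var/lib/ssl_db
fi
```

The rule order peeks at step 1 only: a peek at step 2 (the server hello) leaves
squid unable to bump afterwards, so the bump/splice choice is made once the SNI
is known. Bumped responses go through the normal HTTP cache, so origins that
send Cache-Control: private or no-store still yield no hits.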