[squid-users] ssl-bump and accel

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 6 00:14:58 UTC 2016


On 6/01/2016 8:30 a.m., Nir Krakowski wrote:
> how can you combine accel proxy with ssl-bump ?
> 

To use accel mode the proxy needs to be an origin for the domain and
thus have access to the server's TLS private keys. If you have those keys
just use a normal https_port (note the 's') to receive the traffic - no
bumping (TLS MITM) required.


> the problem: intercept mode looks at IP addresses
> 
> requested solution: we need to look at the SNI info..

You don't seem to understand intercept mode. It is TCP level MITM.
All the proxy receives from TCP is IP address and port details. So those
are considered *first*.

Only if those details are acceptable (in the form of "CONNECT raw-IP
HTTP/1.1") does Squid go on to do the additional complexity of MITM at
the TLS level.

Amos
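The two modes Amos contrasts, written out as an added squid.conf fragment (this is not from the thread and not Squid project documentation; the hostname www.example.com, the 10.0.0.5 backend, the 192.168.0.0/16 client range, port 3130 and all file paths are placeholders). The first part is the accel answer: Squid holds the site's own certificate and key, terminates TLS on an https_port, and forwards to the origin with no ssl-bump involved. The second part is an intercept port for comparison: the only thing Squid learns from the redirected TCP connection is the destination IP and port, which http_access evaluates as a fake "CONNECT raw-IP" before any ssl_bump rule runs, and the SNI-based ssl::server_name ACL can only match after a peek at step 1.

```squid
# Added example, not from the mailing-list thread. Paths, names and
# addresses below are assumptions chosen for illustration.

# ---------------------------------------------------------------
# 1. Reverse proxy (accel) for a domain whose TLS key we legitimately hold.
#    Squid terminates TLS with the site's real certificate, so clients see
#    the genuine origin identity and no bumping/MITM happens on this port.
# ---------------------------------------------------------------
https_port 443 accel defaultsite=www.example.com vhost \
    cert=/etc/squid/certs/www.example.com.crt \
    key=/etc/squid/certs/www.example.com.key

# Backend origin server; Squid re-encrypts the hop to it.
cache_peer 10.0.0.5 parent 443 0 no-query originserver ssl name=origin_www

acl site_www dstdomain www.example.com
cache_peer_access origin_www allow site_www
cache_peer_access origin_www deny all

# ---------------------------------------------------------------
# 2. Interception port, for contrast with the accel port above.
#    The kernel redirect hands Squid a TCP connection and nothing else, so
#    the request first exists only as "CONNECT <dst-IP>:443". cert= here is
#    the local CA the ssl-bump machinery requires, not the site's key.
# ---------------------------------------------------------------
https_port 3130 intercept ssl-bump cert=/etc/squid/certs/bump-ca.pem

# ---------------------------------------------------------------
# http_access runs on the fake CONNECT (IP and port only) BEFORE any
# TLS-level decision is possible. Anything denied here never reaches
# ssl_bump.
# ---------------------------------------------------------------
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
http_access deny CONNECT !SSL_ports
http_access allow site_www
http_access allow localnet
http_access deny all

# ---------------------------------------------------------------
# Only now, on the surviving connections, can the SNI be inspected:
# peek at step 1 reads the ClientHello, after which ssl::server_name
# has a value to match against. Unknown names are closed, not bumped.
# ---------------------------------------------------------------
acl step1 at_step SslBump1
acl allowed_sni ssl::server_name .example.com
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate all
```

Read top to bottom, the ordering is the point of the reply: dst IP/port ACLs decide first, the SNI ACL can only ever refine what they already let through, and none of that machinery is needed on the accel port because the proxy is the origin there.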


