[squid-users] ssl-bump and accel

Nir Krakowski nir.kra at gmail.com
Fri Jan 8 18:48:00 UTC 2016


This is what needs to be done to get it to work in squid >3.5 in function
ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const
Dns::LookupDetails &dns):

modify:
    }
    debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");

to:
    }
    if (!Config.onoff.hostStrictVerify) {
        // Relaxed mode: if the Host: header resolved to at least one address,
        // redirect the connection to the first resolved address (keeping the
        // original destination port) and mark the request as host-verified.
        if ((ia != NULL) && (ia->count > 0)) {
            unsigned short _port = clientConn->local.port();
            clientConn->local = ia->in_addrs[0];
            clientConn->local.port(_port);
            http->request->flags.hostVerified = true;
            http->doCallouts();
            return;
        }
    }
    debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");

On Wed, Jan 6, 2016 at 2:14 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 6/01/2016 8:30 a.m., Nir Krakowski wrote:
> > how can you combine accel proxy with ssl-bump ?
> >
>
> To use accel mode the proxy needs to be an origin for the domain and
> thus have access to the server's TLS private keys. If you have those keys
> just use a normal https_port (note the 's') to receive the traffic - no
> bumping (TLS MITM) required.
>
>
> > the problem: intercept mode looks at IP addresses
> >
> > requested solution: we need to look at the SNI info..
>
> You don't seem to understand intercept mode. It is TCP level MITM.
> All the proxy receives from TCP is IP address and port details. So those
> are considered *first*.
>
> Only if those details are acceptable (in the form of "CONNECT raw-IP
> HTTP/1.1") does Squid go on to do the additional complexity of MITM at
> the TLS level.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
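The decision the patched hostHeaderIpVerify() makes can be illustrated outside Squid. The Python below is an added example written for this thread, not Squid's code: it models the intercept-mode check that the original TCP destination IP must agree with what the client-supplied Host: header resolves to, and contrasts the strict behaviour (host_verify_strict) with the relaxed behaviour the patch above introduces, where a resolvable Host: header alone decides the forwarding address. The DNS table, hostnames and addresses are constructed for the example.

```python
"""Host-header IP verification for an intercepting proxy (added example,
not Squid source). Intercept mode only learns the original destination
IP:port from the TCP layer; the Host: header is chosen by the client, so it
is checked against that destination before it is trusted."""
from dataclasses import dataclass


@dataclass
class InterceptedRequest:
    dest_ip: str       # original destination from TCP (clientConn->local)
    dest_port: int
    host_header: str   # Host: header as sent by the client


# Constructed stand-in for the ipcache lookup (ia->in_addrs in Squid).
FAKE_DNS = {
    "www.example.com": ["203.0.113.10", "203.0.113.11"],
    "other.example.net": ["198.51.100.5"],
}


def resolve(host: str) -> list:
    """Return the addresses the Host: header resolves to (empty if none)."""
    return FAKE_DNS.get(host.split(":")[0].lower(), [])


def verify_host_header(req: InterceptedRequest, strict: bool = True):
    """Return (allowed, forward_ip).

    strict=True  : host_verify_strict behaviour. Forward only to the
                   intercepted destination, and only when the Host: header
                   resolves to that same address.
    strict=False : the relaxed behaviour of the patch in this thread. If the
                   Host: header resolves at all, forward to its first address
                   even when that is not where the client's TCP connection
                   was actually going.
    """
    addrs = resolve(req.host_header)
    if req.dest_ip in addrs:
        return True, req.dest_ip        # Host: agrees with the TCP destination
    if not strict and addrs:
        return True, addrs[0]           # patch: destination taken from Host:
    return False, None                  # "FAIL: validate IP ... possible from Host:"


if __name__ == "__main__":
    ok = InterceptedRequest("203.0.113.10", 443, "www.example.com")
    mismatch = InterceptedRequest("203.0.113.10", 443, "other.example.net")
    print("strict, matching Host:", verify_host_header(ok))
    print("strict, mismatching Host:", verify_host_header(mismatch))
    print("relaxed, mismatching Host:", verify_host_header(mismatch, strict=False))
```

The last case is the one to weigh before applying the patch: a connection that was intercepted on its way to 203.0.113.10 but carries Host: other.example.net is forwarded to 198.51.100.5 in relaxed mode, so the client-controlled header, not the intercepted destination, selects where the proxy connects. That is the open-forwarding risk host_verify_strict exists to prevent, and why the relaxed path should only be enabled for origins the proxy is actually meant to serve.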