[squid-users] SSL Bump Issue

Amos Jeffries squid3 at treenet.co.nz
Fri Mar 4 04:39:51 UTC 2016


On 4/03/2016 11:57 a.m., Ali Jawad wrote:
> Hi
> I am using Squid
> 
> [root at kgoDcyTx9 squid]# /squid/sbin/squid  -v
> 
> Squid Cache: Version 3.4.9


When using SSL-Bump functionality first port of call is to ensure you
are using the latest release.

Today that is 3.5.15 (though I recommend the snapshot tarball instead of
the main one). Or 4.0.7 beta.


> 
> Config Options
> 
> 
> https_port 3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/squid/etc/squid/ssl_cert/myca.pem
> key=/squid/etc/squid/ssl_cert/myca.pem
> 
> 
<snip outdated settings>

> 
> Iptables Rule
> 
> iptables -t nat -A PREROUTING -p tcp  --dport 443 --destination
> 162.220.xx.xx -j REDIRECT --to-ports 3129
> 

So what happens to the Squid traffic going to port 443 ?

> 
> The problem :
> 
> There are no certificate errors in the cache log and access log appears to
> log the requested URL, the problem is that Squid shows the error below,
> from the looks of it Squid is trying to send the request to itself on its
> own IP, my assumption is that Squid is not able to detect the proper
> destination during bump "through a config fault of my own" or a missing

The machine NAT system tells Squid what the destination is supposed to be.

> step. Please advise:
> 
> The following error was encountered while trying to retrieve the URL:
> ://162.220.xx.xx:443
> <https://ipv6_1.lagg0.c052.lhr004.ix.nflxvideo.net/://162.220.244.7:443>
> 
> *Connection to 162.220.244.7 failed.*
> 

Is "162.220.244.7" your Squid IP?


Amos
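Amos's two questions (what happens to Squid's own port-443 traffic, and whether 162.220.244.7 is the proxy's address) come down to what the NAT table hands back as the "original destination" of an intercepted connection. The following toy model is an added illustration and not code from the thread or from the Squid project: it simulates just the PREROUTING REDIRECT quoted above, an OUTPUT-chain exemption for the proxy's own connections, and the original-destination lookup Squid performs for an intercepted socket. Addresses, the uid and the `Rule`/`Packet` types are placeholders invented for the example.

```python
"""Toy model of the netfilter NAT steps behind intercept-mode ssl-bump.

Added illustration only, not code from the squid-users thread.  It models
the PREROUTING REDIRECT quoted in the thread, an OUTPUT exemption for the
proxy's own connections, and the "original destination" lookup Squid does
for an intercepted connection.  All addresses are documentation ranges.
"""
from dataclasses import dataclass
from typing import List, Optional

PROXY_IP = "192.0.2.7"     # placeholder for the Squid host's own address
PROXY_PORT = 3129          # https_port 3129 intercept ssl-bump
SQUID_UID = 23             # placeholder uid the squid workers run as


@dataclass
class Rule:
    chain: str                        # "PREROUTING" (arriving) or "OUTPUT" (local)
    dport: int                        # -p tcp --dport
    dst: Optional[str] = None         # --destination match; None means any
    exempt_uid: Optional[int] = None  # -m owner --uid-owner <uid> -j RETURN first


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    local_uid: Optional[int] = None   # set only for locally generated packets


def apply_nat(pkt: Packet, rules: List[Rule]):
    """Walk the nat table; return (original_dst, redirected).

    original_dst is what Squid's NAT lookup recovers for a redirected
    connection: conntrack records the pre-REDIRECT destination.
    """
    chain = "OUTPUT" if pkt.local_uid is not None else "PREROUTING"
    for rule in rules:
        if rule.chain != chain or rule.dport != pkt.dport:
            continue
        if rule.dst is not None and rule.dst != pkt.dst:
            continue
        if rule.exempt_uid is not None and pkt.local_uid == rule.exempt_uid:
            return pkt.dst, False     # RETURN hit before the REDIRECT
        return pkt.dst, True          # REDIRECT --to-ports PROXY_PORT
    return pkt.dst, False


def squid_upstream_for(pkt: Packet, rules: List[Rule]) -> Optional[str]:
    """Address Squid will connect to after intercepting pkt, or None if the
    packet never reaches the intercept port."""
    original_dst, redirected = apply_nat(pkt, rules)
    return original_dst if redirected else None


def loops_back(pkt: Packet, rules: List[Rule]) -> bool:
    """True when the proxy's own outbound connection is redirected to itself."""
    _, redirected = apply_nat(pkt, rules)
    return redirected and pkt.local_uid == SQUID_UID


# Rule set A: shape of the rule quoted in the thread, matching only packets
# addressed to the proxy host itself.
RULES_AS_POSTED = [Rule("PREROUTING", 443, dst=PROXY_IP)]

# Rule set B: gateway-style interception of any destination, with the
# proxy's own connections exempted so they cannot be redirected back.
RULES_GATEWAY = [
    Rule("PREROUTING", 443),
    Rule("OUTPUT", 443, exempt_uid=SQUID_UID),
]

# Rule set C: OUTPUT redirect with no owner exemption (the loop case).
RULES_NO_EXEMPTION = [Rule("PREROUTING", 443), Rule("OUTPUT", 443)]


if __name__ == "__main__":
    client_to_proxy = Packet("198.51.100.5", PROXY_IP, 443)
    client_to_site = Packet("198.51.100.5", "203.0.113.10", 443)
    squid_outbound = Packet(PROXY_IP, "203.0.113.10", 443, local_uid=SQUID_UID)

    # Client aimed straight at the proxy IP: the recovered "original"
    # destination is the proxy itself, so Squid tries to connect to itself.
    print(squid_upstream_for(client_to_proxy, RULES_AS_POSTED))
    # Client aimed at a real site is not matched by the dst-restricted rule.
    print(squid_upstream_for(client_to_site, RULES_AS_POSTED))
    # Gateway rule set recovers the real server and spares Squid's own traffic.
    print(squid_upstream_for(client_to_site, RULES_GATEWAY))
    print(squid_upstream_for(squid_outbound, RULES_GATEWAY))
    print(loops_back(squid_outbound, RULES_NO_EXEMPTION))
```

Run it as a script to see the four cases; the first case reproduces the symptom in the thread (a connection attempt to the proxy's own address) whenever the intercepted packet was addressed to the proxy host rather than passing through it, and the last case shows why an OUTPUT redirect needs an owner-based exemption for the proxy process.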


