[squid-users] Fwd: Modifying squid

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 22 11:14:56 UTC 2016


On 22/03/2016 10:07 p.m., Ģirts Dālbergs wrote:
> Good day to You on the other side!
> Not sure where to ask this, so I'm just going to do it here. If this is
> the wrong place, please redirect me to the appropriate one.
> I'm a squid user and an administrator in a company and I've been
> requested to produce an HTTPS traffic inspection tool. I've decided to
> use your software, but I would need to be able to act more freely with
> the traffic at its unencrypted state. More specifically I would like to
> pass the traffic through Suricata software first. I understand that
> there is an "outline" option to Suricata that I even would know how to
> configure to work, but I need it to be inline with squid to be able to
> drop traffic if needed. Suricata only works with unencrypted traffic and
> even if I feed it the encryption key, so I need to be able to run squid
> -> decrypt the traffic and apply some rules -> pass it to suricata for
> serious inspection -> pass it back to squid (if not dropped) -> encrypt
> it as normal and forward it. I've been turning the internet upside down
> for an open source solution for this issue, that provides whitelisting,
> automatic certificate generation and ability to work with an IPS inline.
> None do so, but squid is the best option since it does everything asked
> besides the IPS. So I would like to know if you could give me some
> answers to questions:
> Are you planning to develop such an option in the future?

No. Because the below. And because Squid is tightly focussed on the
proxying task which is plenty complex enough already.

> Is there a way to do this now?

ICAP and eCAP interfaces are provided by Squid-3 and later for all
adaptation needs that go beyond simple HTTP header adjustment.

If that Suricata software supports ICAP(S) it can be plugged straight
into a Squid already to receive the SSL-Bump decoded traffic.

Otherwise you might need to write up a translator. In that case eCAP is
probably the simplest way to go. You just need to check which eCAP
library version(s) the Squid to be used supports/requires.

Amos
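As an added illustration (not part of the thread, and not a configuration Amos or the Squid project supplied), this squid.conf fragment shows the shape of what Amos describes: SSL-Bump decrypting selected traffic, a splice rule acting as the whitelist, and an ICAP service in front of the inspection engine receiving the decoded requests and responses. Port numbers, certificate paths, the certificate-generator path and the ICAP URIs are placeholders.

```conf
# Added example squid.conf fragment (not from the thread). Hostnames, ports,
# certificate paths, helper paths and ICAP URIs below are placeholders.

# HTTPS interception needs a CA certificate the clients trust; ssl-bump on the
# listening port enables decryption, with per-host certificates generated on
# demand by the certificate helper (path depends on the Squid build).
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Whitelist: peek at the TLS ClientHello first, then splice (pass through
# without decrypting) the listed server names and bump everything else.
acl step1 at_step SslBump1
acl nobump ssl::server_name .bank.example
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all

# Hand the decrypted traffic to an ICAP server placed in front of the IPS.
# reqmod_precache sees client requests before the cache lookup,
# respmod_precache sees server responses before they are cached.
# bypass=off makes Squid fail closed: if the ICAP service is unreachable the
# transaction gets an error page instead of silently skipping inspection.
icap_enable on
icap_service ips_req  reqmod_precache  icap://127.0.0.1:1344/request  bypass=off
icap_service ips_resp respmod_precache icap://127.0.0.1:1344/response bypass=off
adaptation_access ips_req allow all
adaptation_access ips_resp allow all
```

The ICAP server itself (the "translator" Amos mentions) is what has to speak to the IPS; Squid only delivers the decoded messages to it and forwards whatever the service returns, so a verdict to drop is expressed by the service replying with a replacement response rather than the original.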


