[squid-users] Trusted CA Certificate with ssl_bump

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 16 12:27:36 UTC 2016

On 16/11/2016 9:11 p.m., Patrick Chemla wrote:
> Hi,
> I have same problem, and I need to use trusted CA certificates, so what
> is the solution?

Not to do illegal bad things that violate your contract with the CA.

Any CA which lets you intercept traffic by generating sub-certificates
with their root *will* be blacklisted and effectively "thrown off the
Internet". It has happened already for several CAs who thought that was
an idle threat.

> I have a squid 3.5.20 used for multiple domains, multiple backends,
> using both HTTP and HTTPS.

As Alex said, what you describe here sounds a lot more like
reverse-proxy than interception.

Sergey who started this thread was intercepting HTTPS traffic sent by
clients to an explicit proxy. All answers so far have been about that
topic, which is probably *not* what you are facing.

The configurations and limitations are very different. So first thing to
do is be clear about what actually you are trying to do.

> So questions:
> 1/ Should I set up the squid certificate with ONLY self-signed, or there
> is a way to use Trusted certificates? So if only self-signed, the user
> will be always forced to accept the self-signed certificate on first
> time? not really good for commercial sites.

Are you the owner of the website(s) or an authorized CDN/Hosting
provider for them ?

> 2/ Should the backend cache_peer set as ssl on port 443, or could it be
> simple http 80 (backends are internal VMs onto the same server, no
> external network between squid and backends)?

That depends on your answer to the above.

> 3/ Will the acls rules work OK to affect each request to the right
> backend according to domain, even in HTTPS?

Yes. But the detail may not be what you expect. It depends on the above.

> 4/ Do you know some clear and easy howto, examples, for such settings,
> from where I could get how to do?

<http://wiki.squid-cache.org/ConfigExamples/> contains all of the
configurations you might need. But which one(s) are correct for you
depends on what you are actually needing to do.

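For the reverse-proxy (accelerator) case that the questions above describe, here is a minimal squid.conf of the shape that fits Squid 3.5, added as an example for this page and not taken from the thread or from the Squid wiki. The domains, backend addresses, peer names and file paths are assumptions; a CA-issued certificate is legitimate here only because the proxy operator owns (or is authorized to serve) the domains on it. ssl_bump does not appear at all: in this mode Squid terminates TLS as the origin's own front end rather than minting certificates for other people's sites.

```conf
# --- Assumed: squid 3.5.x acting as a reverse proxy for two sites we own.
# Domains, IPs, names and paths below are illustrative assumptions.

# Publicly trusted certificate for the sites we are authorized to serve.
# The cert= file holds the server certificate followed by its intermediate chain.
https_port 443 accel vhost defaultsite=www.example.com \
    cert=/etc/squid/certs/example.com.fullchain.pem \
    key=/etc/squid/certs/example.com.key
http_port 80 accel vhost defaultsite=www.example.com

# Backends are internal VMs on the same host (assumed addresses).
# Backend A is reached over plain HTTP on an internal-only interface.
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=backend_a
# Backend B is reached over TLS; its certificate is verified against an
# internal CA rather than disabling verification.
cache_peer 10.0.0.12 parent 443 0 no-query originserver ssl \
    sslcafile=/etc/squid/certs/internal-ca.pem name=backend_b

# Route by the Host name the client asked for, which Squid knows for
# HTTPS too because it terminated the TLS session itself.
acl site_a dstdomain www.example.com example.com
acl site_b dstdomain www.example.net example.net

cache_peer_access backend_a allow site_a
cache_peer_access backend_a deny all
cache_peer_access backend_b allow site_b
cache_peer_access backend_b deny all

# Only serve the domains we front for; everything else is refused, so the
# accelerator cannot be abused as an open forward proxy.
http_access allow site_a
http_access allow site_b
http_access deny all

# Never fetch from arbitrary origins directly; always go through a peer.
never_direct allow all
```

Check the file with `squid -k parse -f /etc/squid/squid.conf` before reloading; a request for a Host not listed in the `dstdomain` ACLs should be denied rather than proxied onward. If the requirement were instead to inspect HTTPS sent by clients to an explicit proxy (Sergey's case), the configuration would need `ssl-bump` on the listening port plus a locally generated CA installed on every client, and no public CA would issue that certificate.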
