[squid-users] FW: FW: squid proxy 3.5 redhat 7.3

Madonna, A. (spir-it) A.Madonna at rechtspraak.nl
Tue Jun 6 14:22:27 UTC 2017


Hello,


Know issue 2012 squid proxy 3.2

http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss1.1
•SSL-Bump not re-wrapping decrypted traffic in CONNECT for peers.

+ 5 years ago this already  was a known issue. Apparently even after + 5 years there is still proper solution. Can we expect anything regarding this in the near future?

This person already describes the issue in his blog and  offers a solution although its not perfect. 

https://www.mydlp.com/using-parent-proxy-ssl-bump-enabled-squid-3-2/


also it is still not clear to me if the traffic is encrypted again after leaving the squid proxy when doing ssl bump when using a parent proxy. 
Ssl_bump according to your wiki states that it decrypts and encrypts. However is it true if you are using a parent proxy (cache_peer) that the decrypted traffic does not get re-encrypted anymore, but is send clear text through the cache_peer ? 


-----Oorspronkelijk bericht-----
Van: Alex Rousskov [mailto:rousskov at measurement-factory.com] 
Verzonden: vrijdag 2 juni 2017 17:59
Aan: Madonna, A. (spir-it) <A.Madonna at rechtspraak.nl>; squid-users at lists.squid-cache.org
Onderwerp: Re: [squid-users] FW: squid proxy 3.5 redhat 7.3

On 06/02/2017 01:37 AM, Madonna, A. (spir-it) wrote:

> Clients -> squid proxy -> internet.
> This works with the config as previously mentioned.

OK.


> Clients -> squid proxy (with cache_peer) -> Parent Proxy (not Squid) 
> -> internet Does not work.

Even for regular HTTP traffic and non-bumped HTTPS traffic? If that traffic does not work, then you have misconfigured something or the Parent Proxy is badly broken. There is nothing special in the above setup as far as regular traffic is concerned.


> However I've also setup the following:
> 
> Cleints -> Squid Proxy (with cache_peer) -> Parent Proxy (Squid Proxy) 
> -> internet
> 
> This seems at least to work for http traffic, however, I don't see any HTTPS traffic coming into the Parent Proxy (Squid).

Squid does not know who made the parent proxy. The fact that one (presumably production-quality) proxy "does not work" and another "seems to work" implies that something is seriously misconfigured in one or both cases.


> Now this morning I will do some more tcpdumping to see where that traffic is going, but maybe you can already shed some light on this?

I cannot shed more light on problems described only as "does not work"
and "no traffic".

Alex.


> -----Oorspronkelijk bericht-----
> Van: Alex Rousskov [mailto:rousskov at measurement-factory.com]
> Verzonden: donderdag 1 juni 2017 18:49
> Aan: Madonna, A. (spir-it) <A.Madonna at rechtspraak.nl>; 
> squid-users at lists.squid-cache.org
> Onderwerp: Re: [squid-users] squid proxy 3.5 redhat 7.3
> 
> On 06/01/2017 10:09 AM, Madonna, A. (spir-it) wrote:
>> can we use ssl_bump to intercept https traffic with a parent proxy (cache_peer).
> 
> IIRC, you may be able to use limited SslBump features, but not the full SslBump functionality: Peeking or staring at the origin server through a cache_peer is not supported (yet).
> 
> 
>> ssl_bump peek step1
>> cache_peer ... parent 8080 0 no-query no-netdb-exchange no-digest
> 
> Bugs notwithstanding, the above combination should work because peeking at step1 does not require communication with a cache_peer and splicing at step2 should follow the regular (non-SslBump) tunneling path for CONNECTs, where modern Squids do support cache peers.
> 
> 
> I recommend that you make everything work without a cache_peer and then add a cache_peer.
> 
> Alex.
> 
> 
> ________________________________
> 
> Informatie van de Raad voor de rechtspraak, de rechtbanken, de gerechtshoven en de bijzondere colleges vindt u op www.rechtspraak.nl.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 



More information about the squid-users mailing list