[squid-users] SSL Bump for regex URL comparison

Amos Jeffries squid3 at treenet.co.nz
Thu Nov 16 08:15:02 UTC 2017


On 16/11/17 02:32, Joe Foster wrote:
> Good afternoon,
> 
> I have a small router onto which I have installed Squid.
> 
> I am trying to filter HTTPS urls for bad words on a blocked list.
> 
> It will require the client on the safe side of the router to install the
> certificate, this isn't an issue as it's an open process and not an
> illegal MITM attack.
> 
> Below is my squid.conf
> 
> As you will see I have been playing around with where to put the code
> and what code to put in.
> 
> I only have a small amount of flash drive so I have put the auto-gen
> cert directory in /tmp/. I am aware this is volatile memory but until I
> have a better solution I will be doing this.

Since /tmp is subject to random deletion of content you will need to 
make sure you always shut down Squid and re-run the ssl_crtd (etc.) 
create command to re-generate the cert DB structures whenever the device 
erases its /tmp content. Otherwise your proxy will crash and/or client 
connections will start being terminated with strange looking errors.


IMO you would probably be better off setting the cert DB to a very small 
size suitable for your limited space - or disabling it entirely [more on 
that below].

> 
> I have put a firewall rule in to forward 443 to 3128.
> 
> https://wiki.squid-cache.org/Features/SslBump
> https://wiki.squid-cache.org/SquidFaq/SquidAcl
> 
> I also don't want to cache due to flash drive issues. Is this possible?
> 

From the documentation of the SSL-Bump settings:
  <http://www.squid-cache.org/Doc/config/http_port/>
"
   dynamic_cert_mem_cache_size=SIZE
     Approximate total RAM size spent on cached generated
     certificates. If set to zero, caching is disabled. The
     default value is 4MB.
"

> It's the same cert in /root/ and /certs/ before anyone points it out.
> 
> Nothing has been appearing in the log files either but this is no
> surprise.
> 
> Been up till 1am last few nights on this so your assistance is very
> appreciated.

That sounds like you are having a problem. But I don't see any mention 
of what that is exactly.

Amos
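As an added example (not code from the thread or from the Squid project), a startup wrapper that applies the advice above: before launching Squid it checks whether the ssl_crtd certificate DB in /tmp still has its structure and re-creates it if the device wiped /tmp. The DB path, the DB size, the ssl_crtd binary location and the proxy user are assumptions.

```shell
#!/bin/sh
# Startup wrapper for a Squid SSL-Bump proxy whose generated-certificate DB
# lives in volatile storage (/tmp). If the structure is gone, rebuild it
# with "ssl_crtd -c" before Squid starts, so the helper does not crash and
# clients do not see odd TLS errors. All paths/sizes below are assumptions.

SSL_DB="${SSL_DB:-/tmp/ssl_db}"
SSL_DB_SIZE="${SSL_DB_SIZE:-1MB}"               # small, to suit limited space
SSL_CRTD="${SSL_CRTD:-/usr/lib/squid/ssl_crtd}" # assumed helper location
SQUID_USER="${SQUID_USER:-proxy}"               # assumed effective user

# Returns 0 when the ssl_crtd DB structure is present in directory $1.
cert_db_ready() {
    [ -d "$1/certs" ] && [ -f "$1/index.txt" ] && [ -f "$1/size" ]
}

# (Re)creates the DB in $1 only when it is missing; returns 0 on success.
ensure_cert_db() {
    if cert_db_ready "$1"; then
        return 0
    fi
    # /tmp was erased (reboot or cleanup): start from a clean directory.
    rm -rf "$1"
    "$SSL_CRTD" -c -s "$1" -M "$SSL_DB_SIZE" >/dev/null 2>&1 &&
        cert_db_ready "$1"
}

# Only start the proxy when explicitly asked (keeps the file sourceable).
if [ "${SQUID_START:-0}" = "1" ]; then
    ensure_cert_db "$SSL_DB" || { echo "cert DB init failed" >&2; exit 1; }
    chown -R "$SQUID_USER:$SQUID_USER" "$SSL_DB"
    # If caching generated certs in RAM is unwanted as well, add
    # dynamic_cert_mem_cache_size=0 to the http_port line in squid.conf.
    exec squid -N
fi
```

Run it as `SQUID_START=1 ./squid-start.sh` from the device's init script so the check happens on every boot.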
