[squid-users] [Fwd: Re: SSL Bump for regex URL comparison]
Amos Jeffries
squid3 at treenet.co.nz
Fri Nov 17 17:01:18 UTC 2017
On 18/11/17 01:45, Joe Foster wrote:
> Good morning,
>
> I have tried the attached but I still receive the same result.
>
> I have attached a screen shot to show what happens, it's like there is no
> connection.
>
There isn't ...
> I have tried it with and without listing 3128 as a safe ssl port. I
> imagine it's not needed as it's generated from Squid.
>
> HTTPS isn't connecting, HTTP is though that's no surprise, I'm only
> diverting port 443 to port 3128.
Your port 3128 is configured to only accept plaintext HTTP traffic. It
cannot handle the TLS on port 443 traffic.
FWIW the "ssl-bump" option does not make an http_port capable of
receiving TLS. It just makes Squid attempt to decrypt the data tunneled
inside plain-text CONNECT requests (if any), in accordance with the
ssl_bump rules' actions.
>
> There are no logs being generated so I can't find out more.
>
Most currently distributed Squid versions do not log connections that
fail with no HTTP activity happening on them. Except when debugging the
underlying TCP I/O activity.
> I can't for the life of me see what I'm doing wrong.
>
> Your advice is greatly received.
>
> Thank you
>
> Joe
>
>
> I have the below rule added to my firewall for the redirect:
> connection config redirect
> option proto 'tcp'
> option src 'lan'
> option src_ip '!192.168.1.101'
> option src_dport '443'
> option dest 'lan'
> option dest_ip '192.168.1.101'
> option dest_port '3128'
> option target 'DNAT'
>
NAT can only happen on the Squid machine itself. You must *route* the
packets without any type of DNAT prior to their arrival at the Squid device.
Amos
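For readers of the archive, an added example (not from this thread, not Amos's text and not Squid project documentation) of what the two points above translate to in configuration: a separate https_port in intercept mode that can actually terminate TLS, and the redirect done on the Squid host itself so Squid can recover the original destination from the local NAT table. The port number 3129, the CA certificate path, the certificate-helper path and the Squid 4.x directive names are assumptions; the LAN addressing is taken from the message above.

```conf
# /etc/squid/squid.conf fragment (added example; Squid 4.x directive names assumed)

# Plain HTTP interception stays on 3128. "ssl-bump" here only matters for
# CONNECT requests; this port cannot accept a TLS handshake.
http_port 3128 intercept

# Diverted port-443 traffic needs a port that speaks TLS itself.
# Hypothetical CA cert path: the CA that clients must trust for bumping.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem

# Helper that mints per-site certificates (path assumed for Squid 4.x).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Look at the ClientHello first so SNI is available, then bump.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# NAT must be local to this host (192.168.1.101). The upstream router only
# *routes* port-443 packets here, e.g. via a policy route, with no DNAT.
# On the Squid host itself (not in squid.conf, shown here for completeness):
#   iptables -t nat -A PREROUTING -s 192.168.1.0/24 ! -s 192.168.1.101 \
#       -p tcp --dport 443 -j REDIRECT --to-ports 3129
#   iptables -t nat -A PREROUTING -s 192.168.1.0/24 ! -s 192.168.1.101 \
#       -p tcp --dport 80  -j REDIRECT --to-ports 3128
# Excluding 192.168.1.101 as a source prevents Squid's own outbound
# connections from being looped back into the proxy.
```

With the DNAT done on the router instead, packets arrive at Squid already rewritten to 192.168.1.101:3128, so the intercept lookup has no original destination to find and the TCP connection is simply closed, which matches the "no connection, no log" symptom described in the thread.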