[squid-users] SSL-BUMP blackhole instance configuration

Eliezer Croitoru eliezer at ngtech.co.il
Tue Sep 26 21:35:55 UTC 2017


Hey All,

I have been working on a couple of tools which use my drbl-peer library:
- external acl helper
- dns blacklist server
- and a couple of others...

I took a dns proxy server named grimd and upgraded it since the developer
didn't respond fast enough.
This dns proxy has a nice feature that allows it to "blackhole" A and AAAA
queries for blacklisted domains.
I can define the IPv4 and IPv6 host which will be the "blackhole" and it's
all playing well with plain HTTP(port 80).
But with HTTPS I want to be able to intercept all traffic and pass it into
the http cache-peer.
I am not sure what would be the best way to do it with squid but I was
thinking about something like:
- peek client SNI
- bump client first(compared to server first)

And I can use the same Root CA key+certificate that exists on the main squid
on interception instance.
I am not sure what version of Squid-Cache to use for this test (3.5.27 or
4.0.21).
The main thing I am not sure about such a setup is that the target ip:443
would be the "blackhole" squid instance itself and not the original server
ip address.
Would it matter at all if the destination ip is the Squid instance on port
443?
(I will try to use iptables nat REDIRECT from port 443 to 23129 which would
be an intercept port)

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
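One concrete form of the setup sketched above (peek at the client SNI, bump, forward everything to the HTTP cache_peer, REDIRECT 443 to the intercept port), as an added example that is not part of the original post and not part of Squid or drbl-peer. The peer address 192.0.2.10:3128, the CA file paths, the local network range, the certificate DB path and the Squid 3.5 helper path /usr/lib/squid/ssl_crtd are all assumptions (Squid 4 ships the same helper as security_file_certgen); the intercept port 23129 is the one named in the post.

```shell
#!/bin/sh
# Added example: minimal squid.conf + NAT rules for an SSL-Bump "blackhole"
# intercept instance. Not from the original post. All paths/addresses below
# are hypothetical; override them through the environment.

PEER_HOST=${PEER_HOST:-192.0.2.10}                 # assumed HTTP cache_peer
PEER_PORT=${PEER_PORT:-3128}
INTERCEPT_PORT=${INTERCEPT_PORT:-23129}            # port from the post
CA_CERT=${CA_CERT:-/etc/squid/ssl/bump-ca.pem}     # same Root CA as main squid
CA_KEY=${CA_KEY:-/etc/squid/ssl/bump-ca.key}
SSL_DB=${SSL_DB:-/var/lib/squid/ssl_db}
CRTD=${CRTD:-/usr/lib/squid/ssl_crtd}              # Squid 3.5 name; 4.x: security_file_certgen
LOCALNET=${LOCALNET:-192.168.0.0/16}               # assumed client range

# Print the squid.conf for the blackhole instance to stdout.
blackhole_squid_conf() {
    cat <<EOF
# Management/plain port only on loopback; clients never talk to it directly.
http_port 127.0.0.1:3130

# Transparent HTTPS intercept port; REDIRECT from 443 lands here.
https_port $INTERCEPT_PORT intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=$CA_CERT key=$CA_KEY

sslcrtd_program $CRTD -s $SSL_DB -M 4MB
sslcrtd_children 5

# Step 1: only look at the ClientHello (SNI); step 2: bump the client using a
# certificate minted from that SNI, without contacting the origin first.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Every bumped request goes to the HTTP cache_peer; never go direct, so the
# "blackholed" origin IP (this very host) is never dialled on port 443.
cache_peer $PEER_HOST parent $PEER_PORT 0 no-query default
never_direct allow all

acl localnet src $LOCALNET
http_access allow localnet
http_access deny all
EOF
}

# NAT rule from the post: client traffic to 443 is sent to the intercept port.
# PREROUTING only affects forwarded/incoming packets, so the proxy's own
# outbound connection to the cache_peer is not looped back into itself.
blackhole_nat_rules() {
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports "$INTERCEPT_PORT"
}

# One-time creation of the dynamic certificate database (run as root).
blackhole_init_ssl_db() {
    [ -d "$SSL_DB" ] || "$CRTD" -c -s "$SSL_DB"
}

# Usage: sh blackhole.sh install   (writes the config and applies the NAT rule)
if [ "${1:-}" = "install" ]; then
    blackhole_squid_conf > /etc/squid/squid-blackhole.conf
    blackhole_init_ssl_db
    blackhole_nat_rules
fi
```

Two points to check when trying this: with `intercept`, Squid recovers the original destination from the NAT table and compares it with what the SNI name resolves to on the proxy itself, so the proxy must resolve the blacklisted names to the same blackhole address the clients get from the DNS blackhole, otherwise the request is treated as a forged destination. And because of `never_direct allow all`, the fact that the original destination is the Squid host's own port 443 only matters for that check; the actual upstream connection always goes to the cache_peer.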