[squid-users] SSL intercept in explicit mode
MK2018
mohammed.khallaf at gmail.com
Fri Apr 13 22:05:57 UTC 2018
Aaron Turner wrote
> Thanks Yuri. That helps. As for the "sslproxy_flags
> DONT_VERIFY_PEER", yes I understand the risks. In my specific case,
> where my "users" are actually a bunch of automated web clients doing
> some web crawling it's the right thing to do.
> --
> Aaron Turner
I tried using bump all myself with actual human beings (200+) using browsers
ranging from Mozilla Firefox, Seamonkey, Chrome, to Safari and Opera.
I don't know why I had to face it, but with bump all I got many errors with
many websites. It only worked with me like this:
http_port 3128 ssl-bump cert=/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=999MB
sslcrtd_children 100
ssl_bump none BadSSL
ssl_bump server-first all
As you can see, I'm using the server-first word in place of the bump word. This is the
only way I got it to work with natural human browsing. I also could not use
intercept mode, because every major browser considers it a crime to let it
go! They would just spit all sorts of errors in the user's face and have you
clean the spitting up :D :D
Of course, BadSSL above is the ACL for all sites using the new fiasco of
hardcoded certificates (certificate pinning); otherwise they don't pass at
all!
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
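As an added example (not code from this post or the thread), here is the same policy written with the peek/splice actions that Squid 3.5 and later provide in place of the legacy server-first action, with pinned sites tunnelled untouched via a splice rule. The certificate path, helper path, cache size and the domain list file are assumptions for illustration.

```squid
# Added example, not from the original post: Squid 3.5+/4.x ssl_bump rules
# using peek/splice instead of the deprecated server-first action.
# All paths and the NoBump domain list file are assumptions.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

# Certificate generator helper (name/path differ between Squid 3.5 and 4.x; assumed here)
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 32 startup=5 idle=1

# Step 1 of the TLS handshake: look at the ClientHello to learn the server name (SNI)
acl step1 at_step SslBump1
ssl_bump peek step1

# Sites that pin their certificates must not be bumped at all:
# splice them so the client sees the origin's real certificate.
# One domain per line in the assumed file, e.g. ".example-pinned.test"
acl NoBump ssl::server_name "/etc/squid/nobump_domains.txt"
ssl_bump splice NoBump

# Everything else: terminate TLS at the proxy and re-encrypt to the origin
ssl_bump bump all
```

Because the splice decision is made after peeking at the SNI, pinned domains are matched by name before any forged certificate is generated, which is what the BadSSL ACL above is doing with the older none action.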