[squid-users] SSL intercept in explicit mode

MK2018 mohammed.khallaf at gmail.com
Sat Apr 14 08:51:51 UTC 2018


Amos Jeffries wrote
> FYI this is "server-first all". peek and splice before "bump all" is
> similar but also different in ways that allow it to handle more problems
> in better ways.

I never really got to understand how to implement peek and splice verbs. I
was glad I could get away with server-first!

Any chance someone, or yourself, would rewrite a more detailed example of
how to use them?


Amos Jeffries wrote
> You do need the browser to trust your CA certificate. This is an
> absolute requirement of using SSL-Bump features. Always has been.

To my surprise back then, it was already trusted, but still the browser had
the ability to detect interception and warn the user about "something bad that
is going on"!

That is why I resorted to browser-aware, user-aware, and consented explicit
bumping. Others might envy me because in my network I managed to convince
management to apply a firewall rule to drop all traffic that does not come
from the squid box :) :) which makes my setup unbreakable (and unaffordable to
fail).




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
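
The following squid.conf fragment is an added example, not part of the original message or the Squid project's documentation. It shows the "peek, then bump all" rule order mentioned in the quoted reply next to the legacy `server-first all` line, for an explicit proxy port. The file path, ACL names and the spliced domain are placeholders.

```conf
# Constructed example for Squid 3.5 or later; adjust paths and names to your setup.

# Explicit (forward) proxy port with SSL-Bump enabled.
# proxyCA.pem (placeholder path) holds the CA certificate and key; this is
# the CA that client browsers must trust.
http_port 3128 ssl-bump cert=/etc/squid/ssl/proxyCA.pem generate-host-certificates=on
# Certificate-generator helper settings are left at their defaults here.

# Legacy form discussed in the thread, kept for comparison:
# ssl_bump server-first all

# SslBump1 is the first decision point, right after the CONNECT request
# has been received and before any TLS bytes have been inspected.
acl step1 at_step SslBump1

# Destinations to tunnel without decryption, matched on the TLS server
# name (placeholder domain).
acl no_bump_sites ssl::server_name .bank.example

# ssl_bump rules are checked top to bottom at every step; the first
# matching rule decides the action for that step.

# Step 1: peek, so Squid goes on to read the TLS Client Hello (including
# SNI) before committing to either bump or splice.
ssl_bump peek step1

# Step 2: "step1" no longer matches. Tunnel the listed destinations
# untouched; the client sees the origin server's own certificate.
ssl_bump splice no_bump_sites

# Step 2: decrypt everything else with a certificate generated by Squid
# and signed by the CA configured on http_port.
ssl_bump bump all
```

After editing, `squid -k parse` checks the configuration for syntax errors before a reload.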

