[squid-users] HTTPS proxy setup questions

Alex Rousskov rousskov at measurement-factory.com
Wed Dec 12 22:49:09 UTC 2018

On 12/12/18 12:58 PM, subhish.pillai wrote:

> 1. What is the difference between SSL bumping and SSL interception? 

These concepts describe activities at different layers:

* SSL bumping is, in Squid context, inspection of SSL traffic that often
also involves impersonating the origin server and decrypting encrypted
HTTP traffic (i.e. a MitM attack on the client-server HTTPS communication).

* SSL interception is, in this context, directing (TCP/IP traffic that
presumably carries) SSL traffic off its "natural" TCP/IP path so that it
gets to Squid. Interception itself works at protocol layers below SSL
and HTTP. What happens when the SSL traffic gets to Squid is outside
"SSL interception" scope.

Usually, folks intercept SSL traffic to bump it, but YMMV. It is
possible, for example, to simply log TCP-level information about the
intercepted traffic without any MitM attacks on SSL.

> 2. What is the difference between "http_port 3128 intercept" and "http_port
> 3128 transparent"? Do I need to setup the http_port as either of these?

The difference is in whether Squid impersonates the IP client, but you
need neither because your "clients are explicitly configured to connect
through the proxy server". You do not need to divert traffic from its
natural TCP/IP path to proxy it because that natural TCP/IP path already
goes through your proxy.

> 3. Do I need to create self-signed certs on the proxy server and distribute
> it to the client and application server?

* Yes if you want to inspect encrypted HTTP traffic of your client
application (i.e. get to the HTTP stuff inside the SSL layer).

* Yes if you want the client to be able to read Squid-generated error pages.

* No otherwise. In this case, Squid will be just a blind TCP tunnel.

What do you want to use Squid for? The answer to that question has a
significant effect on your Squid configuration.

> # And finally deny all other access to this proxy
> http_access allow all

FWIW, your rule does not match the comment and creates an open proxy.
Both are bad.
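As an added illustration (not part of the reply above, and not taken from the Squid project's own sample config), the following squid.conf fragment puts the three answers together for an explicitly configured proxy: no intercept/transparent flag on the port, the open-proxy rule from the quoted config replaced by a real final deny, and a bumping setup that depends on the self-signed CA the reply mentions, with the blind-tunnel alternative shown as comments. The client range 10.0.0.0/8, the certificate paths and the helper binary location are assumptions for this example and must be adjusted for a real deployment.

```conf
# squid.conf for an explicitly configured (forward) proxy on port 3128.
# Added example; the 10.0.0.0/8 client range, certificate paths and
# helper location below are assumptions, not values from the thread.

# --- Access control ---------------------------------------------------
acl localnet src 10.0.0.0/8            # assumed client network
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
# The rule from the quoted config, kept only as a comment: a final
# "allow all" lets anyone who can reach port 3128 relay through the proxy.
#http_access allow all
# And finally deny all other access to this proxy
http_access deny all

# --- Listening port ---------------------------------------------------
# No "intercept" or "transparent" here: clients are configured to use the
# proxy, so their traffic already arrives on this port without diversion.
# "ssl-bump" enables impersonation of the origin for CONNECT tunnels; the
# cert/key is the self-signed CA that every client must trust (paths
# assumed). Squid 3.5 spells these options cert= and key= instead.
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key

# Helper that mints per-site certificates signed by the CA above.
# Binary path and cache directory vary by distribution (assumed here).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# --- Decrypt or tunnel? -----------------------------------------------
acl step1 at_step SslBump1
# Peek at the TLS ClientHello first (so the SNI is available for ACLs),
# then impersonate the origin and decrypt: "SSL bumping" as described above.
ssl_bump peek step1
ssl_bump bump all
# Blind-tunnel alternative (no CA to distribute, no decryption, and no
# Squid error pages readable inside HTTPS): replace the two ssl_bump
# lines with
#ssl_bump splice all
# or simply drop "ssl-bump" and the related options from http_port.
```

With the bumping lines active, HTTPS clients that do not trust /etc/squid/bump.crt will see certificate errors on every site, which is the quickest way to confirm that the CA has not been distributed; with "ssl_bump splice all" the proxy never sees inside the tunnel and can only log the CONNECT request itself.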
