[squid-users] squid-users Digest, Vol 52, Issue 13
Alex Rousskov
rousskov at measurement-factory.com
Tue Dec 18 16:01:58 UTC 2018
On 12/18/18 8:40 AM, Mike Quentel wrote:
> ssl_bump peek step1 all
> ssl_bump peek step2 tls_servers
> ssl_bump splice step3 tls_servers
> ssl_bump stare step2
> ssl_bump bump step3
> ssl_bump terminate step2 all
Just FYI: The above should be equivalent to the following simpler, less
misleading, and a bit faster configuration:
ssl_bump peek step1
ssl_bump peek tls_servers
ssl_bump stare all
ssl_bump splice all
ssl_bump bump all
> attempting to access https://www.google.com will still download
> the page (200).
You have told Squid to allow that (and nearly every other) access:
> http_access allow SSL_ports
What you probably want is something like this:
http_access deny CONNECT !SSL_ports
http_access allow url_domains
http_access allow tls_servers
http_access deny all
but if you add http_port (or do not want to trust Squid with enforcing
connection pinning), then you will be better off with the default rules
that also prohibit access to !Safe_ports.
HTH,
Alex.
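As an added illustration, not part of Alex's reply or of Squid's own code, the following Python models Squid's http_access first-match evaluation and checks the CONNECT to www.google.com:443 against the single quoted rule and against the proposed rule set. The contents of the tls_servers and url_domains ACLs are assumptions, since the thread does not show how they are defined.

```python
from dataclasses import dataclass

@dataclass
class Request:
    method: str   # "CONNECT" for a TLS tunnel request, "GET" for plain HTTP
    host: str     # destination host
    port: int     # destination port

# Constructed ACL table (assumption): tls_servers/url_domains are modelled as dstdomain lists.
ACLS = {
    "SSL_ports":   ("port", {443}),
    "CONNECT":     ("method", {"CONNECT"}),
    "tls_servers": ("dstdomain", {".example.net"}),
    "url_domains": ("dstdomain", {".example.org"}),
    "all":         ("all", None),
}

def acl_matches(name, req):
    """Evaluate one ACL reference, honouring a leading '!' negation."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "port":
        hit = req.port in values
    elif kind == "method":
        hit = req.method in values
    elif kind == "dstdomain":
        # A leading dot matches the domain itself and every subdomain.
        hit = any(req.host == v.lstrip(".") or req.host.endswith(v) for v in values)
    else:
        hit = True
    return hit != negate

def http_access(rules, req):
    """First line whose ACLs all match decides; no match gives the opposite of the last line's action."""
    last_action = "deny"
    for line in rules:
        action, *acl_names = line.split()
        last_action = action
        if all(acl_matches(n, req) for n in acl_names):
            return action
    return "deny" if last_action == "allow" else "allow"

# The single rule quoted from the original post versus the proposed replacement.
QUOTED = ["allow SSL_ports"]
PROPOSED = ["deny CONNECT !SSL_ports", "allow url_domains",
            "allow tls_servers", "deny all"]

if __name__ == "__main__":
    google = Request("CONNECT", "www.google.com", 443)
    print(http_access(QUOTED, google), http_access(PROPOSED, google))
```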