[squid-users] squid-users Digest, Vol 52, Issue 13

Alex Rousskov rousskov at measurement-factory.com
Tue Dec 18 16:01:58 UTC 2018

On 12/18/18 8:40 AM, Mike Quentel wrote:

> ssl_bump peek step1 all
> ssl_bump peek step2 tls_servers
> ssl_bump splice step3 tls_servers
> ssl_bump stare step2
> ssl_bump bump step3
> ssl_bump terminate step2 all

Just FYI: The above should be equivalent to the following simpler, less
misleading, and a bit faster configuration:

  ssl_bump peek step1

  ssl_bump peek tls_servers
  ssl_bump stare all

  ssl_bump splice all
  ssl_bump bump all

> attempting to access https://www.google.com will still download
> the page (200).

You have told Squid to allow that (and nearly every other) access:

> http_access allow SSL_ports

What you probably want is something like this:

  http_access deny CONNECT !SSL_ports
  http_access allow url_domains
  http_access allow tls_servers
  http_access deny all

but if you add http_port (or do not want to trust Squid with enforcing
connection pinning), then you will be better off with the default rules
that also prohibit access to !Safe_ports.



More information about the squid-users mailing list