[squid-users] ssl-bump does not redirect to block page

Alex Rousskov rousskov at measurement-factory.com
Tue Feb 12 15:04:08 UTC 2019


On 2/12/19 7:21 AM, leomessi983 at yahoo.com wrote:

> Do i have to use CA and Certificate configuration if i want to block
> only HTTPS requests with splice action?!

IIRC, you currently need a CA certificate if you want to use SslBump,
regardless of the SslBump actions in use. In some ways, this is a
limitation of the current SslBump implementation rather than a natural
requirement, but the CA certificate is needed when Squid reports an
error to the client because Squid has to bump the client connection to
report errors.

If you do not care what happens when handling errors, then you probably
do not need to configure dynamic certificate generation. I have not
tested that, but I assume that, when reporting errors in that case,
Squid will silently revert to using the old code that generates
self-signed certificates (and the client will not trust them).


Please note that it is not clear what you mean by "to block with splice
action" -- splice does not block anything. If you are blocking requests
using http_access rules, then Squid is probably using an (implicit) bump
action to report blocking to the client, as discussed above. Blocking is
an example of errors that may happen even when you do not explicitly
bump any requests.

Alex.


> https_port 3130 tproxy ssl-bump \
>   cert=/etc/squid/ssl_cert/myCA.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>   sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
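As an added example that is not part of this thread (neither Alex's reply nor the poster's configuration), the squid.conf fragment below puts the poster's https_port line together with explicit ssl_bump rules so that HTTPS is spliced for everything except a deny list. It shows the two ways of blocking that the reply contrasts: `ssl_bump terminate` closes the connection without ever bumping (no generated certificate reaches the client), while `http_access deny` makes Squid bump the connection to deliver the error page, which is why the CA certificate is still required. The blocked domain list, the localnet range, the child count and all file paths are assumptions for illustration.

```conf
# Added example, not from the mailing-list thread. All paths, ACL names,
# networks and domains are assumptions.

# CA used for bumping. Needed for SslBump even if every rule ends in
# splice, because Squid bumps the client connection to serve an error
# page (for example an http_access denial).
https_port 3130 tproxy ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Step ACL for the SslBump state machine.
acl step1 at_step SslBump1

# Assumed deny list. ssl::server_name matches the SNI (or the server
# certificate name) that Squid learns while peeking.
acl blocked_tls ssl::server_name .example.com .example.net

# Assumed client network.
acl localnet src 192.168.0.0/16

# Peek at the ClientHello first so that server_name is populated before
# the remaining ssl_bump rules are evaluated.
ssl_bump peek step1

# Option A: terminate blocked connections. The client sees a closed
# connection instead of an error page, so no generated certificate is
# presented and the CA does not have to be trusted by the client.
ssl_bump terminate blocked_tls

# Everything else passes through untouched.
ssl_bump splice all

# Option B, roughly what the original poster had: deny in http_access.
# Squid then has to bump the connection to send the error page, so the
# client gets a certificate signed by myCA.pem and will warn unless it
# trusts that CA. Uncomment to use instead of option A.
# http_access deny blocked_tls
http_access allow localnet
http_access deny all
```

Before starting Squid with this, initialise the certificate database once as the user Squid runs as (`security_file_certgen -c -s /var/lib/ssl_db -M 4MB`) and run `squid -k parse` to confirm the directives are accepted by the installed version. To see which path a blocked site takes, connect with `openssl s_client` through the proxy: with terminate the handshake is cut off, with http_access deny the presented certificate is one issued by myCA.pem.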


