[squid-users] Cannot configure squid 4.6 to splice without bumping

Alex Rousskov rousskov at measurement-factory.com
Tue Nov 5 14:02:07 UTC 2019


On 11/5/19 1:26 AM, John Lowry wrote:

> I've tried many, many different settings and I always get traffic
> bumped. Here is an example:

> http_port 3128 intercept
> 
> https_port 3129 intercept tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem

The above configuration does not enable SslBump features.


> ssl_bump peek step1
> ssl_bump peek step2
> ssl_bump splice step2

These rules are poorly written (the last one will never match), but they
are unused because the port directives do not enable SslBump.

If an SSL connection is bumped (or even peeked at!) with the above
configuration, then there is a Squid bug somewhere. However, I do not
think your TLS connections are actually bumped. Please see below.


> I've tried setting debug_options to 9 but cannot see anything useful in
> the logs to indicate why it is not splicing. I always just see the full
> set of request headers in the logs for HTTPS connections, indicating
> that the connection is bumped. 

I suspect your Squid is acting as an intercepting HTTPS proxy: It
terminates all intercepted SSL connections as if they were directed at
the Squid instance itself. The end result will look similar to bumping
from "I can see the headers" point of view.

You may be able to tell the difference by looking at certificate
details: With an HTTPS proxy, all connections will have the same leaf
myCA.pem certificate as opposed to a mimicked origin server certificate
signed by myCA.pem. There may be other, more obvious signs like the
details of the "Accepting..." lines that Squid reports at startup.


> One thing I did notice is that the ssl logformat options do not work. I
> get errors like this on restart:

> FATAL: Can't parse configuration token: '%ssl::>sni'

Was your Squid built with OpenSSL support? The details are
version-specific, but you can find them (and the configuration result)
using the following commands:

  ./configure --help | fgrep -5i ssl
  squid -v

Alex.
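As an added example (not part of the original message and not taken from the Squid project's documentation), here is the quoted port/rule fragment beside a corrected squid.conf fragment that actually enables SslBump and splices every intercepted TLS connection after peeking at the ClientHello. The paths and port numbers are the ones from the question; the at_step ACL definition, the generate-host-certificates/dynamic_cert_mem_cache_size options, the sslcrtd_program path and the logformat line are assumptions about the rest of the configuration.

```conf
# --- As posted: SslBump is NOT enabled (no ssl-bump option on the port) ---
# http_port 3128 intercept
# https_port 3129 intercept tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem
#
# ssl_bump peek step1
# ssl_bump peek step2
# ssl_bump splice step2    <- never reached: first match wins, and "peek step2"
#                             above it matches the same step
#
# Without ssl-bump on the port, Squid terminates every intercepted TLS
# connection as if it were addressed to Squid itself and presents myCA.pem
# as the leaf certificate, so request headers show up in the logs even
# though nothing is being bumped.

# --- Corrected: enable SslBump on the port, peek at step 1, then splice ---
http_port 3128 intercept

https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Certificate generator for Squid's own error pages (and for anything that
# would be bumped). The helper path is an assumption; it is distribution-specific.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# SslBump steps are matched through at_step ACLs; the ACL must be declared.
acl step1 at_step SslBump1

# Step 1: peek at the ClientHello (learns the SNI without altering the TLS
# handshake). Everything after that is spliced: no bumping, no mimicked
# certificates, the client sees the origin server's own certificate chain.
ssl_bump peek step1
ssl_bump splice all

# Optional: log the peeked SNI and the bump mode. The %ssl::* logformat codes
# exist only in a Squid built with OpenSSL (squid -v must list --with-openssl
# in its configure options); otherwise squid -k parse fails on '%ssl::>sni'.
# logformat sslsplice %ts.%03tu %>a %ssl::>sni %ssl::bump_mode %Ss/%03>Hs
# access_log /var/log/squid/ssl.log sslsplice
```

Validate the file with `squid -k parse` before restarting. To confirm that connections are spliced rather than terminated at the proxy, run `openssl s_client -connect example.com:443 -servername example.com` from an intercepted client: with the corrected configuration the certificate chain printed is the origin server's, whereas with the originally posted port line the leaf certificate is myCA.pem itself.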

