[squid-users] Header Detection Post SSL Bump in Squid 4.10
Amos Jeffries
squid3 at treenet.co.nz
Thu Apr 16 06:02:34 UTC 2020
On 16/04/20 5:15 pm, shubham jain wrote:
> Hi,
>
> *Context*:
> I want to use Squid as a forward proxy, where I want to
> 1) send all the Image requests directly, presumably using request header
> 'accept'
> 2) send all other requests through a cache peer Proxy service
>
> The req_header directive is working fine for HTTP Requests, but not for
> HTTPS.
>
> I've done the setup for SSL Bump in here and that's giving decrypted
> HTTPS requests in the access.log as well.
>
> *Issue:*
> The req_header directive is not working on the decrypted HTTPS requests.
>
> *Squid.conf*
>
> # SSL Bump Port
> http_port 127.0.0.1:3128 <http://127.0.0.1:3128> ssl-bump
> cert=/usr/local/etc/cert/example.com.cert
> key=/usr/local/etc/cert/example.com.private
> generate-host-certificates=on version=1 options=SINGLE_DH_USE
>
> # SSL Bump Config
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> acl imageIsBlocked req_header accept -i image
>
> ssl_bump terminate imageIsBlocked #terminate is just for testing, to
> be replaced by splice
> ssl_bump bump all
Do the CONNECT tunnels Accept headers contain "image" ?
ssl_bump decides what to do during the TLS handshake process. For your
setup that is only the CONNECT requests.
Once decrypted HTTPS is just HTTP with https:// URLs schemes. It is
controlled by http_access and does not pass through ssl_bump rules again.
Amos
More information about the squid-users
mailing list