[squid-users] ssl proxy and decrypted forwarding

Sam Castellano scastellano at quadrantsec.com
Fri Apr 17 16:00:11 UTC 2020

Thank you for the swift response, Alex. My main goal is to be able to use Suricata or Snort to analyze the decrypted HTTPS traffic/payload. Suricata/Snort is looking at the interface and naturally will only see the HTTPS messages encrypted, as the Squid server receives the messages encrypted and sends them out encrypted. So I am actually trying to send the proxied HTTPS messages decrypted. I hope that makes sense... Sorry if I misunderstood your explanation; all the help is greatly appreciated, so thank you!

Best regards- 

Sam Castellano 

----- Original Message -----
From: "Alex Rousskov" <rousskov at measurement-factory.com>
To: "Sam Castellano" <scastellano at quadrantsec.com>, "squid-users" <squid-users at lists.squid-cache.org>
Sent: Friday, April 17, 2020 11:49:13 AM
Subject: Re: [squid-users] ssl proxy and decrypted forwarding

On 4/17/20 11:22 AM, Sam Castellano wrote:

> My question relates to ssl bumping and potentially Icap/Ecap
> functionality. I currently have ssl bump/ interception working and
> communicating with a local ICAP server. I'm trying to understand the
> process of how the decrypted data gets sent to the ICAP server for
> analysis in things such as clamav etc. My goal is to have the decrypted
> traffic analyzed by Suricata preferably on a separate box if possible.  

I do not know what particular information you are looking for, but ICAP
mechanics are documented in RFC 3507 while eCAP mechanics are documented
at www.e-cap.org.

If you are worried about exposing proxied HTTP[S] messages in transit to
your ICAP service, then consider using a "Secure ICAP" service (for a
starting point, look for those two words in squid.conf.documented).

N.B. Neither ICAP nor eCAP know about SslBump. In an SslBump context,
they just get CONNECT requests and the HTTP messages decrypted by Squid.
The same is true for the majority of Squid features -- while inside
Squid, decrypted HTTP traffic is usually handled similarly to plain HTTP
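As an added illustration of the two points above (not part of the thread and not taken from Squid's own documentation), the squid.conf fragment below bumps TLS and hands the resulting plain HTTP to an ICAP service, first over plain ICAP and then over "Secure ICAP" (the icaps:// scheme); the hostnames, ports and file paths are assumptions.

```conf
# SslBump: Squid terminates the client's TLS and re-encrypts toward the origin.
# After the bump, the messages inside the tunnel are ordinary HTTP to the rest of Squid.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# ICAP: the service receives the CONNECT request and then each decrypted request/response.
icap_enable on

# Weak: plain ICAP carries the decrypted HTTP (headers and bodies) to the ICAP host in cleartext.
# icap_service scan_req  reqmod_precache  icap://icap.example.internal:1344/request
# icap_service scan_resp respmod_precache icap://icap.example.internal:1344/response

# Corrected: Secure ICAP wraps the same exchange in TLS; 11344 is the assumed icaps port,
# and tls-cafile pins the CA that issued the ICAP server's certificate.
icap_service scan_req  reqmod_precache  icaps://icap.example.internal:11344/request  tls-cafile=/etc/squid/icap-ca.pem
icap_service scan_resp respmod_precache icaps://icap.example.internal:11344/response tls-cafile=/etc/squid/icap-ca.pem

adaptation_access scan_req allow all
adaptation_access scan_resp allow all
```

The ICAP service is the point where the decrypted HTTP leaves Squid, so whatever inspects it (an antivirus scanner or an IDS) sees plain HTTP there rather than on the proxy's network interface, where the traffic is TLS on both sides.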
