[squid-users] Using a Baltimore root certificate in transparent ssl proxying

Lei Wen leiwen14 at gmail.com
Mon Apr 27 21:44:41 UTC 2020


Hi,



We were able to set up Squid in a host-to-container infrastructure. That
is to say, Squid is installed on the host, proxying traffic from the
container on the same host, as a transparent proxy including SSL traffic.

Another feature we enabled is request_header_access and
request_header_replace, to spoof and modify the token in HTTP headers sent
to the target dstdomain.



The issue we are having right now is that the certificate installed on the
container is a self-signed cert; we were trying to migrate this cert to a
real trusted CA cert, or a Baltimore root cert.

The issue seems to be in the subject name of the cert. In the self-signed
cert, I simply leave everything blank. In the Baltimore root cert (squid.key
and squid.crt in the squid.conf example below, requested through a Microsoft
internal service, and it is Baltimore root), even if I have the dstdomain in
squid.conf as the subject name (abc.microsoft.com in the squid.conf example
below), I am still getting a “server certificate verification failed” error
in curl. Is there anything I am missing, or is it simply not supported? In my
understanding, it should be no different from the self-signed case, where
squid itself is the root CA signer?



P.S. I do notice that it is illegal for a trusted CA to issue an official
cert to squid, because squid itself is a man-in-the-middle, so can Squid
only accept a self-signed cert with squid as the root CA? I tried to search
the email archive but had no luck.



I have the following squid.conf:

# Requests to this destination get their Authorization header rewritten
acl abc dstdomain .abc.microsoft.com

# Drop the client's Authorization header for "abc" ...
request_header_access Authorization deny abc
# ... and substitute a fixed one (Basic credentials must be base64-encoded)
request_header_replace Authorization Basic whateverYourTokeisButForBasicItHasToBeBase64Encoded
request_header_access All allow all

# Intercepted HTTPS listener; cert=/key= is the signer that Squid uses to
# mint the per-host certificates (generate-host-certificates=on)
https_port 3129 cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl SSL_port port 443
http_access allow SSL_port

acl allowed_https_sites ssl::server_name "/etc/squid3/ssl_sites.txt"

# ssl_bump rules are evaluated first-match: "server-first all" matches every
# connection, so the peek/splice rules below are never reached
# (server-first is also a deprecated action, superseded by peek/stare/bump)
ssl_bump server-first all

always_direct allow all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites

Thanks,

Lei
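Editor's note, with an added example that is not part of the post above and not Squid's own code. Before blaming the subject name, it is worth checking what kind of certificate squid.crt actually is. With generate-host-certificates=on, the cert/key given to https_port is used as the *issuer* of every per-host certificate Squid mints, so it has to be a CA certificate (basicConstraints CA:TRUE, keyUsage keyCertSign). A server certificate for abc.microsoft.com, the only thing a public CA such as Baltimore will issue, is CA:FALSE, and any certificate signed with it fails client verification no matter what its subject says. The script below reproduces the minting step with openssl alone, once with a proper signing CA and once with a server-style certificate, and verifies each result the way curl would. It assumes OpenSSL 1.1.1 or later on PATH; the names squid-bump-ca, ca, leaf and host-by-* and all paths are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or of Squid itself.
# Reproduces, with openssl alone, what Squid's generate-host-certificates=on
# does: mint a per-host certificate signed by the cert/key given to
# https_port, then verify it the way a client (curl) would.
# Assumes OpenSSL >= 1.1.1 on PATH; all names and paths are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the example does not depend on a system openssl.cnf
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
EOF

# gen_csr CN OUTBASE: fresh RSA key plus CSR with the given CN
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# self_sign OUTBASE EXTFILE: self-signed certificate from OUTBASE.csr/.key
self_sign() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -sha256 \
        -extfile "$2" -out "$1.crt" 2>/dev/null
}

# mint_host_cert SIGNERBASE HOST OUTBASE: the per-host step Squid performs,
# with the https_port cert/key (SIGNERBASE.crt/.key) as the issuer
mint_host_cert() {
    gen_csr "$2" "$3"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" > "$3.ext"
    openssl x509 -req -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$3.ext" -out "$3.crt" 2>/dev/null
}

# is_ca CERT: true if the certificate asserts basicConstraints CA:TRUE,
# the minimum for it to be usable as the signer in https_port cert=/key=
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# verify_chain TRUSTED_CERT HOST_CERT HOSTNAME: the client-side decision;
# curl --cacert TRUSTED_CERT reaches the same verdict on HOST_CERT
verify_chain() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# 1) A proper bump CA: self-signed, CA:TRUE, keyCertSign
gen_csr squid-bump-ca "$WORK/ca"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
self_sign "$WORK/ca" "$WORK/ca.ext"

# 2) A server certificate whose subject is the destination domain, shaped the
#    way a public CA issues one (CA:FALSE, serverAuth only). Self-signed here
#    only to stand in for a real one; the extensions are what matter.
gen_csr abc.microsoft.com "$WORK/leaf"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:abc.microsoft.com\n' > "$WORK/leaf.ext"
self_sign "$WORK/leaf" "$WORK/leaf.ext"

# 3) Mint a host certificate with each as issuer and verify as the client would
mint_host_cert "$WORK/ca"   abc.microsoft.com "$WORK/host-by-ca"
mint_host_cert "$WORK/leaf" abc.microsoft.com "$WORK/host-by-leaf"

for signer in ca leaf; do
    if is_ca "$WORK/$signer.crt"; then kind=CA; else kind="not a CA"; fi
    if verify_chain "$WORK/$signer.crt" "$WORK/host-by-$signer.crt" abc.microsoft.com; then
        echo "signer=$signer ($kind): host cert verifies"
    else
        echo "signer=$signer ($kind): server certificate verification failed"
    fi
done
```

The same is_ca check applied to the real file (openssl x509 -in /etc/squid3/squid.crt -noout -text) tells you immediately whether the Baltimore-issued cert can act as a signer at all. Because no public CA will issue a subordinate CA certificate to a proxy, the practical setup is the one the Squid SslBump wiki describes: generate your own CA (openssl req -x509 with the v3_ca extensions, which is what yields CA:TRUE), give it to https_port, and install that CA, not a per-site certificate, in the container's trust store or pass it to curl with --cacert. Its subject name is irrelevant to verification; the minted per-host certificates carry the destination name.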