[squid-users] Bump and Splice

AndyBinder at gmx.de AndyBinder at gmx.de
Mon Feb 17 14:56:11 UTC 2020


On Monday, 17 February 2020, 10:37:20 CET, Amos Jeffries wrote:
> On 17/02/20 10:23 pm, AndyBinder wrote:
> > Hi, I have a question regarding the ssl-bump feature of squid.
> > I have set up multiple ports for transparent mode on loopback interface
> > and
> > one explicit on my real local interface. On the loopback interface the
> > parameters ssl-bump and intercept are set. On the explicit interface the
> > ssl-bump parameter is set. The ssl-bump is properly configured in acl.
> > The problem is that I can only configure bump and splice for both
> > (explicit and transparent).
> > I would like to achieve different bumping behavior on the ports. For
> > example
> > bump on regular interface and splice all on loopback (transparent proxy).
> > The bumping behavior is configured globally and I don't see a possibility
> > to separate it per port.
> >
> > Maybe somebody has a hint for me?
>
> The myportname ACL type should work in ssl_bump directive. It matches
> against the name= parameter of port directives.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Thank you very much for your answer! But I think I am doing something wrong..
In brackets (marked with -->) are the changes I have made.

Sample snippet from my squid.conf (lines rejoined where the mail client wrapped them):

    http_port 127.0.0.1:3128 name=transparent intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
    https_port 127.0.0.1:3129 name=transparent intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

    http_port 192.168.1.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

    sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 4MB
    sslcrtd_children 5

    tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

    acl bump_step1 at_step SslBump1
    acl bump_step2 at_step SslBump2
    acl bump_step3 at_step SslBump3
    acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
--> (acl bump_nobumpport myportname transparent)

    ssl_bump peek bump_step1 all
    ssl_bump peek bump_step2 bump_nobumpsites
--> (ssl_bump peek bump_step2 bump_nobumpport)
    ssl_bump splice bump_step3 bump_nobumpsites
--> (ssl_bump splice bump_step3 bump_nobumpport)
    ssl_bump stare bump_step2
    ssl_bump bump bump_step3

    sslproxy_cert_error deny all
...
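As an added illustration (not part of the thread and not Squid's own code), the following Python script models how Squid walks the posted ssl_bump rules step by step: at each SslBump step the first ssl_bump line whose ACLs all match decides the action, peek and stare carry on to the next step, and splice or bump ends the decision. The model's assumptions are marked in the code: the nobumpsites list is a constructed stand-in for the poster's file, the explicit port is given the made-up name "explicit" because the posted http_port line has no name=, and "splice" is assumed as the no-match default. Running it shows that, under those assumptions, connections arriving on the port named "transparent" are peeked and then spliced, while connections on the explicit port are stared at and bumped unless the server name is on the no-bump list.

```python
"""Model of Squid's per-step ssl_bump evaluation for the configuration in
this thread.  Added example, not Squid source: first matching ssl_bump line
wins at each step; peek/stare continue, splice/bump/terminate end it.
The site list, port names and connections below are constructed samples."""

from dataclasses import dataclass

# Constructed stand-in for /usr/local/etc/squid/nobumpsites.acl
NOBUMPSITES = {"bank.example", "mail.example"}

# ACL table modelled on the thread's squid.conf, including the "-->" lines.
ACLS = {
    "bump_step1": ("at_step", "SslBump1"),
    "bump_step2": ("at_step", "SslBump2"),
    "bump_step3": ("at_step", "SslBump3"),
    "bump_nobumpsites": ("ssl::server_name", NOBUMPSITES),
    "bump_nobumpport": ("myportname", {"transparent"}),
}

# ssl_bump lines in configured order: (action, [acl names])
SSL_BUMP = [
    ("peek",   ["bump_step1", "all"]),
    ("peek",   ["bump_step2", "bump_nobumpsites"]),
    ("peek",   ["bump_step2", "bump_nobumpport"]),
    ("splice", ["bump_step3", "bump_nobumpsites"]),
    ("splice", ["bump_step3", "bump_nobumpport"]),
    ("stare",  ["bump_step2"]),
    ("bump",   ["bump_step3"]),
]

TERMINAL = {"splice", "bump", "terminate"}
STEPS = ["SslBump1", "SslBump2", "SslBump3"]


@dataclass
class Conn:
    portname: str     # value the myportname ACL compares against
    server_name: str  # whatever server name Squid knows at the step (CONNECT host / SNI)


def acl_matches(name, conn, step):
    """Evaluate one ACL reference from an ssl_bump line against a connection."""
    if name == "all":
        return True
    kind, value = ACLS[name]
    if kind == "at_step":
        return step == value
    if kind == "myportname":
        return conn.portname in value
    if kind == "ssl::server_name":
        return conn.server_name in value
    raise ValueError(f"unknown ACL type {kind}")


def action_at_step(conn, step, default="splice"):
    """First ssl_bump line whose ACLs all match, in configured order.
    `default` is this model's assumption for the no-match case."""
    for action, acls in SSL_BUMP:
        if all(acl_matches(a, conn, step) for a in acls):
            return action
    return default


def evaluate(conn):
    """Return the (step, action) trace up to and including the terminal action."""
    trace = []
    for step in STEPS:
        action = action_at_step(conn, step)
        trace.append((step, action))
        if action in TERMINAL:
            break
    return trace


if __name__ == "__main__":
    # "explicit" is an assumed label; the posted 192.168.1.1:3128 port has no name=.
    for c in (Conn("transparent", "www.example"),
              Conn("explicit", "www.example"),
              Conn("explicit", "bank.example")):
        print(c, "->", evaluate(c))
```

The trace makes the ordering visible: because the step-2 and step-3 rules for bump_nobumpport sit before the generic "stare bump_step2" and "bump bump_step3" lines, the transparent port never reaches the bump rule. Reordering those lines would silently change the outcome, which is the main thing to check when adding per-port exceptions of this kind.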