[squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

Amos Jeffries squid3 at treenet.co.nz
Tue May 19 11:15:41 UTC 2020


On 18/05/20 10:15 am, David Touzeau wrote:
> 
> Hi we want to use squid as * * * Secure Proxy * * * using https_port
> We have tested major browsers and it seems working good.
> 
> To make it work, we need to deploy the proxy certificate on all browsers
> to make the secure connection running.
> 
> In this case, squid forwards requests without decrypting them, because
> ssl-bump is not added.
> 
> But Adding the ssl-bump in https_port is not permitted :
> 
> "ssl-bump on https_port requires tproxy/intercept which is missing"
> 
> Why is bumping not allowed?
> 

Because origin server and explicit proxy traffic are mutually exclusive
syntax at the HTTP level, and use different types of SSL certificate at
the TLS level.

A "Secure proxy" receives explicit-proxy HTTP traffic over TLS. That
traffic gets decrypted normally on receipt by the https_port, using a
proxy server certificate.

SSL-Bump auto-generates a server certificate to decrypt with, and
expects origin form HTTP syntax once decrypted.


HTTPS traffic as we know it (CONNECT tunnels to port 443) might still be
sent to a secure proxy. In which case there are two layers of encryption
nested inside each other. Decrypting the interior layer of that is not yet
supported by Squid.


Amos
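As an added illustration of the distinction Amos draws (this is not configuration from the original thread or from the Squid project; the port numbers, certificate paths and ACL names are assumptions), the squid.conf fragment below puts the three port shapes side by side: the accepted "secure proxy" https_port that terminates TLS with a proxy server certificate, the https_port ssl-bump combination that Squid rejects at startup with the quoted message, and the two forms in which bumping is accepted (an intercepted https_port and an explicit http_port that bumps CONNECT tunnels). Directive and option names are those documented for Squid 4.

```conf
# Assumed example squid.conf fragment (not from the original post).
# Paths, ports and ACL names are placeholders; adjust to the local install.

# --- 1. Secure proxy (explicit proxy traffic over TLS) --------------------
# Browsers open a TLS session to the proxy itself, then send proxy-form
# HTTP (absolute URIs, CONNECT) inside it. The port needs a normal server
# certificate for the proxy hostname, which every client must trust.
# No ssl-bump here: what Squid decrypts is the client<->proxy layer only.
https_port 3129 tls-cert=/etc/squid/proxy-cert.pem tls-key=/etc/squid/proxy-key.pem

# --- 2. Rejected combination --------------------------------------------
# Squid refuses to start with:
#   "ssl-bump on https_port requires tproxy/intercept which is missing"
# because ssl-bump expects an auto-generated origin certificate and
# origin-form HTTP, which cannot coexist with proxy-form traffic on the
# same TLS session. Left commented out on purpose.
#https_port 3129 ssl-bump tls-cert=/etc/squid/bump-ca.pem tls-key=/etc/squid/bump-ca-key.pem

# --- 3a. Accepted: bump intercepted (transparent) HTTPS -------------------
# Traffic arrives from a NAT/TPROXY redirect, so Squid impersonates the
# origin: it mints a per-site certificate signed by bump-ca.pem and then
# sees origin-form HTTP once the TLS layer is removed.
https_port 3130 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/bump-ca.pem tls-key=/etc/squid/bump-ca-key.pem

# --- 3b. Accepted: bump CONNECT tunnels on a plain explicit port ----------
# The client speaks plaintext proxy-form HTTP to Squid, sends CONNECT, and
# Squid bumps the TLS session that follows inside the tunnel. This is the
# single-layer case; the nested case (CONNECT inside an https_port session)
# is the one Amos notes is not yet supported.
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/bump-ca.pem tls-key=/etc/squid/bump-ca-key.pem

# Helper that generates the per-site certificates for 3a and 3b.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Bump policy: peek at the ClientHello first, then bump everything that
# matches. Tighten "all" to an ACL of hosts you actually intend to inspect.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

Two practical checks follow from this layout: `squid -k parse` (or just starting Squid) with stanza 2 uncommented reproduces the fatal message, confirming the restriction is enforced at configuration time rather than per request; and `openssl s_client -connect proxy:3129` against stanza 1 should present the proxy's own certificate, not a generated origin certificate, which is the observable difference between a secure proxy port and a bumping port.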

