[squid-users] Squid 4.4 https_port and ssl-bump : Fatal bungled line

Ronan Lucio ronanlucio at gmail.com
Wed May 27 00:08:00 UTC 2020


Hi Ben,

I got it working just using https_port (without ssl-bump).

I think it's a good way to secure squid authentication.
You can also use some tool (like certbot) to generate and
automatically renew certificates, so you can work with a short
expiration period.

Hope that helps,
Ronan

On Tue, May 26, 2020 at 12:10 AM ben benml <ben.maling42 at gmail.com> wrote:
>
> Hello,
>
> Thank you for your prompt and precise answer.
>
> Well, I'll permit myself another question, sorry. If you have an opinion about securing the authentication without https_port:
> With a FreeIPA central users directory, what could be the best way to secure/protect the authentication process, the login/password?
> Or more generally, what could be the best options to secure the login/password with only the http_port? So no directly encrypted traffic.
>
> I was assuming an https connection could secure the authentication process... but if ssl-bump is really wanted, then I need other options to secure the login/password.
>
> Do you see my point / what I'm trying to talk about?
>
> Thank you in advance.
>
> Regards,
>
>
> On Mon, May 25, 2020 at 12:26, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>
>> On 25/05/20 9:59 pm, ben benml wrote:
>> > Hello,
>> >
>> > I'm contacting you for some help.
>> > I need to deploy a secure proxy based on Squid.
>> >
>> > I am trying to use https_port combined with sslbump. I get an error message
>> > about a bungled line.
>> >
>> > The reasons I want to do this:
>> > - secure connection between the client browser and the proxy server, so
>> > using https_port to do it. Encrypted traffic in TLS between the client
>> > and the server.
>>
>> Fine. Simply using https_port does that.
>>
>> > - secure login connection. So I need to use https_port to do this.
>>
>> Fine. Simply using https_port does that.
>>
>> > - Do ssl inspection of the traffic going through the proxy
>>
>> Squid does not yet support SSL-Bump decrypt of traffic already being
>> decrypted for the secure proxy.
>>
>>
>> Please see
>> <http://lists.squid-cache.org/pipermail/squid-users/2020-May/022120.html> if
>> you want details.
>>
>> Amos
>
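
The setup discussed in this thread, as an added squid.conf sketch that is not taken from any poster's configuration: a forward proxy that accepts TLS from the client on https_port (no ssl-bump), so that Basic credentials checked against a FreeIPA LDAP directory never cross the network in cleartext. Host names, ports, certificate paths, the helper path and the base DN are all assumptions to be replaced with local values.

```conf
# --- Weak variant, shown for contrast (leave disabled) ----------------------
# With only a plain http_port, the Proxy-Authorization header carrying the
# Basic login/password travels unencrypted between browser and proxy.
# http_port 3128

# --- TLS between client and proxy -------------------------------------------
# The client opens a TLS session to Squid itself, so proxy authentication is
# protected in transit. No ssl-bump option on this line: as stated in the
# thread, Squid cannot SSL-Bump traffic that arrived through the secure
# proxy port.
# Assumed paths: point these at the certificate chain and private key that
# your issuing tool (for example certbot) maintains for proxy.example.com.
https_port 3129 \
    tls-cert=/etc/squid/certs/proxy.example.com.fullchain.pem \
    tls-key=/etc/squid/certs/proxy.example.com.key.pem

# --- Authentication against the directory -----------------------------------
# Assumed helper location (differs between distributions) and assumed
# FreeIPA base DN. -H with an ldaps:// URI keeps the proxy-to-directory leg
# encrypted as well, so the password is protected on both hops.
auth_param basic program /usr/lib/squid/basic_ldap_auth \
    -H ldaps://ipa.example.com \
    -b "cn=users,cn=accounts,dc=example,dc=com" \
    -f "uid=%s"
auth_param basic realm Authenticated proxy
auth_param basic credentialsttl 1 hour

# --- Access policy ----------------------------------------------------------
# Only authenticated users may use the proxy; everything else is refused.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Clients have to be told that the proxy speaks TLS, typically through a PAC file that returns `HTTPS proxy.example.com:3129`. After a certificate renewal, `squid -k reconfigure` makes Squid load the new files.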

