[squid-users] Trying to set up SSL cache - solved!

Matus UHLAR - fantomas uhlar at fantomas.sk
Thu Feb 24 09:40:24 UTC 2022


On 23.02.22 21:09, Dave Blanchard wrote:
>OK--I solved the problem by removing the "ssl_bump bump all" line. Works fine now.
>
>Damn, this proxy is a TOTAL PAIN IN THE ASS!!  to configure.

Configuring a proxy is very easy; bumping SSL is not.

Since SSL is designed to encrypt traffic between the ends - client (browser) and 
server - you need to effectively do a man-in-the-middle attack on the proxied 
connection.

You need to create a certificate authority, install it in your browser (OS), 
insert your certificate on squid and hope that your browser won't reject 
your authority because of DANE DNS records telling the browser that the remote 
server's certificate should only be signed by their certificate 
authority, not by yours.

Especially when the browser uses DNS-over-HTTP to avoid your DNS server that is 
able to provide incorrect data to it.

> It seems like 90% of the tutorials out there are junk, largely because 
> things keep changing from version to version, obsoleting them.

Unfortunately, this is exactly what happens.

>  That having been said, 
> it does have a lot of features and when it's eventually configured right 
> it does work, so there's that.  It's a lot like CUPS, in that way, or 
> sendmail.
>
>Please add more concrete examples to the Wiki reference pages! Thank you.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I intend to live forever - so far so good.
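
The CA steps described in the reply above, as an added example that is not part of the original message or of Squid's own documentation: a throwaway CA signs a certificate for a hostname the way a bumping proxy would, and `openssl verify` accepts it only once that CA is supplied as a trust anchor. The hostname, CA name and function names are assumptions made for this demo.

```shell
#!/bin/sh
# Constructed demo: a certificate minted by a proxy CA is trusted only by
# clients whose trust store contains that CA. All names are made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Proxy CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {    # the authority the proxy signs with (self-signed, CA:TRUE)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

mint_leaf() {  # what a bumping proxy does per site: sign a certificate for $1
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 7 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

client_without_ca() {  # default trust store only, which lacks the new CA
  openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
}

client_with_ca() {     # proxy CA installed as a trust anchor
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_ca && mint_leaf www.example.test || { echo "openssl failed" >&2; exit 1; }
client_without_ca && echo "no CA installed: accepted" || echo "no CA installed: rejected"
client_with_ca    && echo "CA installed:    accepted" || echo "CA installed:    rejected"
```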