<div dir="ltr">@Alex, could you please share the config options that you set while building squid for ssl-bumping? I have been having a really tough time getting it right. Also, which OS are you running it on?<div><br></div><div>My use case is to enable ssl-bump and cache https content (documents, videos, etc. that are downloaded from an SSL-enabled site).</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 9 February 2016 at 06:54, Alex Samad <span dir="ltr"><<a href="mailto:alex@samad.com.au" target="_blank">alex@samad.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi<br>
<br>
Got this working. wondering what the benefits are, wandering around<br>
Google, YouTube, Facebook not seeing much cache. At least I can pass<br>
downloads through clamav...<br>
<br>
Are other people seeing caching of these sites ??<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On 9 February 2016 at 11:09, Alex Samad <<a href="mailto:alex@samad.com.au">alex@samad.com.au</a>> wrote:<br>
> got the ACL backwards<br>
><br>
> # ssl-bump<br>
> # pick up from a file<br>
> #acl NoBump ssl::server_name /etc/squid/lists/noSSLPeek.lst<br>
><br>
> # Alex test machine<br>
> acl testIP src 10.172.208.105<br>
><br>
> # for testing<br>
> acl haveServerName ssl::server_name .<a href="http://google.com" rel="noreferrer" target="_blank">google.com</a><br>
><br>
><br>
> # Do no harm:<br>
> # Splice indeterminate traffic.<br>
> ssl_bump splice !testIP<br>
> ssl_bump splice NoBump<br>
> ssl_bump bump haveServerName<br>
> ssl_bump peek all<br>
> ssl_bump splice all<br>
><br>
> On 9 February 2016 at 10:52, Alex Samad <<a href="mailto:alex@samad.com.au">alex@samad.com.au</a>> wrote:<br>
>> Hi<br>
>><br>
>> Starting to look at ssl-bump found<br>
>> <a href="http://wiki.squid-cache.org/Features/SslPeekAndSplice" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/Features/SslPeekAndSplice</a><br>
>> <a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit</a><br>
>><br>
>> I gather I need to modify my http_port to look something like<br>
>><br>
>> http_port 3128 ssl-bump \<br>
>> cert=/etc/squid/ssl_cert/myCA.pem \<br>
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>
>><br>
>><br>
>> from http_port 3128<br>
>><br>
>> I have generated a int CA of our internal CA, the cert option above<br>
>> points to a pem file. does that have pub and private in there ?<br>
>><br>
>> I wanted to test this on a specific IP so using<br>
>><br>
>> # pick up from a file<br>
>> acl NoBump ssl::server_name "/etc/squid/lists/noSSLPeek.lst"<br>
>> acl NoBump src <testip><br>
>><br>
>> # for testing<br>
>> acl haveServerName ssl::server_name <a href="http://google.com" rel="noreferrer" target="_blank">google.com</a><br>
>><br>
>><br>
>> # Do no harm:<br>
>> # Splice indeterminate traffic.<br>
>> ssl_bump splice NoBump<br>
>> ssl_bump bump haveServerName<br>
>> ssl_bump peek all<br>
>> ssl_bump splice all<br>
>><br>
>><br>
>> The way I read this is if I come from an address other than the<br>
>> testip. the connect goes through.<br>
>> But for the test ip I try and peek and if not splice .<br>
>><br>
>> Create and initialize SSL certificates cache directory <<< where do I<br>
>> set this directory in squid config ?<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div></div></blockquote></div><br></div>
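<div>The pieces discussed in this thread, put together as an added example that is not part of any poster's message or of the Squid project's own documentation. It assumes Squid 3.5 directive names (the helper is called ssl_crtd there; later releases renamed it), and the helper path and the /var/lib/ssl_db directory are assumptions to adjust for the local build.</div>

```squidconf
# Added example. Helper path and cache directory are assumptions.

# With cert= and no key=, Squid reads the private key from the same
# PEM file, so myCA.pem must contain both the CA certificate and its
# private key. Keep the file readable only by the Squid user.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# The generated-certificate cache directory is the -s argument of the
# certificate helper. Initialise it once before starting Squid:
#   /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Test machine from the thread.
acl testIP src 10.172.208.105

# The double quotes make Squid load server names from the file,
# one per line; without them the path is taken as a literal name.
acl NoBump ssl::server_name "/etc/squid/lists/noSSLPeek.lst"

# Leading dot matches the domain and its subdomains.
acl haveServerName ssl::server_name .google.com

acl step1 at_step SslBump1

# Rules are evaluated top to bottom at each step; first match wins.
# 1. Every client except the test machine is tunnelled untouched.
ssl_bump splice !testIP
# 2. At step 1 read the TLS client hello so the SNI is known.
ssl_bump peek step1
# 3. Names on the exclusion list are never decrypted.
ssl_bump splice NoBump
# 4. Only the names under test are decrypted.
ssl_bump bump haveServerName
# 5. Anything else is tunnelled.
ssl_bump splice all
```

<div>Running <code>squid -k parse</code> after editing reports undefined ACL names and syntax errors before the proxy is restarted.</div>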