<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Thanks Alex, that was very helpful.</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Based on your explanation, I just want to use squid as a blind TCP tunnel carrying the HTTPS connection from client to app server. </div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">In that case, I don't need to use ssl_bump feature and the ssl_crtd program for certificate management, is that correct?</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Would this config file work to setup the TCP tunnel --</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default"><font face="tahoma, sans-serif">acl localnet src <a href="http://10.0.0.0/8">10.0.0.0/8</a> # RFC1918 possible internal network</font><br></div><div class="gmail_default"><font face="tahoma, sans-serif">acl SSL_ports port 443</font></div><div class="gmail_default">acl Safe_ports port 80 # http<br></div><div class="gmail_default">acl Safe_ports port 21 # ftp</div><div class="gmail_default">acl Safe_ports port 443 # https</div><div class="gmail_default">acl Safe_ports port 70 # gopher</div><div class="gmail_default">acl Safe_ports port 210 # wais</div><div class="gmail_default">acl Safe_ports port 1025-65535 # unregistered ports</div><div class="gmail_default">acl Safe_ports port 280 # http-mgmt</div><div class="gmail_default">acl Safe_ports port 488 # gss-http</div><div class="gmail_default">acl Safe_ports port 591 # filemaker</div><div class="gmail_default">acl Safe_ports port 777 # multiling http</div><div class="gmail_default"><font face="tahoma, sans-serif">acl CONNECT method CONNECT<br></font></div><div class="gmail_default"><font face="tahoma, sans-serif"># Deny requests to certain unsafe ports<br></font></div><div class="gmail_default"><font face="tahoma, sans-serif">http_access deny !Safe_ports<br></font></div><div class="gmail_default"><font face="tahoma, sans-serif"># Deny CONNECT to other than secure SSL ports<br></font></div><div class="gmail_default"><font face="tahoma, sans-serif">http_access deny CONNECT !SSL_ports<br></font></div><div class="gmail_default"><font face="tahoma, sans-serif"><div class="gmail_default"># Only allow cachemgr access from localhost</div><div class="gmail_default">http_access allow localhost manager</div><div class="gmail_default">http_access deny manager</div><div class="gmail_default"><div class="gmail_default"><div class="gmail_default">http_access allow localnet</div><div class="gmail_default">http_access allow localhost</div></div><div class="gmail_default"># And finally deny all other access to this proxy</div><div class="gmail_default">http_access deny all</div><div><br></div><div><div># Squid normally listens to port 3128</div><div>http_port 3128</div></div></div></font></div><div class="gmail_default"><font face="tahoma, sans-serif"><br></font></div><div class="gmail_default"><font face="tahoma, sans-serif">dns_v4_first on<br></font></div><div class="gmail_default"><font face="tahoma, sans-serif"><br></font></div><div class="gmail_default"><font face="tahoma, sans-serif"><div class="gmail_default">## Allow server side certificate errors such as untrusted certificates, otherwise the connection is closed for such errors</div><div class="gmail_default">sslproxy_cert_error allow all</div><div class="gmail_default"><br></div><div class="gmail_default">## Accept certificates that fail verification (should only be needed if using 'sslproxy_cert_error allow all')</div><div class="gmail_default">sslproxy_flags DONT_VERIFY_PEER</div></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Dec 12, 2018 at 3:49 PM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 12/12/18 12:58 PM, subhish.pillai wrote:<br>
<br>
<br>
> 1. What is the difference between SSL bumping and SSL interception? <br>
<br>
These concepts describe activities at different layers:<br>
<br>
* SSL bumping is, in Squid context, inspection of SSL traffic that often<br>
also involves impersonating the origin server and decrypting encrypted<br>
HTTP traffic (i.e. a MitM attack on the client-server HTTPS communication).<br>
<br>
* SSL interception is, in this context, directing (TCP/IP traffic that<br>
presumably carries) SSL traffic off its "natural" TCP/IP path so that it<br>
gets to Squid. Interception itself works at protocol layers below SSL<br>
and HTTP. What happens when the SSL traffic gets to Squid is outside<br>
"SSL interception" scope.<br>
<br>
Usually, folks intercept SSL traffic to bump it, but YMMV. It is<br>
possible, for example, to simply log TCP-level information about the<br>
intercepted traffic without any MitM attacks on SSL.<br>
<br>
<br>
> 2. What is the difference between "http_port 3128 intercept" and "http_port<br>
> 3128 transparent"? Do i need to setup the http_port as either of these?<br>
<br>
The difference is in whether Squid impersonates the IP client, but you<br>
need neither because your "clients are explicitly configured to connect<br>
through the proxy server". You do not need to divert traffic from its<br>
natural TCP/IP path to proxy it because that natural TCP/IP path already<br>
goes through your proxy.<br>
<br>
<br>
> 3. Do I need to create self-signed certs on the proxy server and distribute<br>
> it to the client and application server?<br>
<br>
* Yes if you want to inspect encrypted HTTP traffic of your client<br>
application (i.e. get to the HTTP stuff inside the SSL layer).<br>
<br>
* Yes if you want client to be able to read Squid-generated error pages.<br>
<br>
* No otherwise. In this case, Squid will be just a blind TCP tunnel.<br>
<br>
<br>
What do you want to use Squid for? The answer to that question has a<br>
significant effect on your Squid configuration.<br>
<br>
<br>
> # And finally deny all other access to this proxy<br>
> http_access allow all<br>
<br>
FWIW, your rule does not match the comment and creates an open proxy.<br>
Both are bad.<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><p style="font-size:12.8px;margin:0in 0in 0.0001pt;background-image:initial;background-position:initial;background-repeat:initial"><b><span style="font-size:10pt;font-family:Arial,sans-serif">Subhish Pillai</span></b><span style="font-size:9.5pt;font-family:Arial,sans-serif"></span></p><p style="font-size:12.8px;margin:0in 0in 0.0001pt;background-image:initial;background-position:initial;background-repeat:initial"><font color="#444444"><span style="font-size:8pt;font-family:Arial,sans-serif">R&D Software Quality Engineer</span><span style="font-family:Arial,sans-serif;font-size:9.5pt"></span></font></p><p style="font-size:12.8px;margin:0in 0in 0.0001pt;background-image:initial;background-position:initial;background-repeat:initial"><font color="#444444"><span style="font-size:8pt;font-family:Arial,sans-serif">Broadcom | Brocade Storage Networking</span><span style="font-size:9.5pt;font-family:Arial,sans-serif"></span></font></p><p style="margin:0in 0in 0.0001pt;background-image:initial;background-position:initial;background-repeat:initial"><span style="font-size:8pt;color:rgb(68,68,68);font-family:Arial,sans-serif">T (720) 462-2900</span><br></p><p style="font-size:12.8px;margin:0in 0in 0.0001pt;background-image:initial;background-position:initial;background-repeat:initial"><img src="https://broadcom.okta.com/bc/image/fileStoreRecord?id=fs09tph49bX08lpVi0x7" width="200" height="33"></p></div></div></div></div></div></div></div></div>