[squid-users] sslbump working with 3.4.9 but not in intercept mode?
Jason Haar
Jason_Haar at trimble.com
Mon Nov 10 09:17:17 UTC 2014
Hi there, I've googled about for this but I think most of the squid
intercept stuff refers to 3.2 and I think things have changed since then?
I have squid-3.4.9 running with sslbump, and when I configure my browser
to use it as a proxy, it bumps the certs nicely, signing "fake"
certs/etc. I then added an iptables rule to redirect outbound tcp/80 onto
port 3129 (see below) and that transparently proxies all port 80 -
great. I then went through the same exercise with sslbump, but when I
put in an iptables rule to redirect outbound tcp/443 traffic onto 3127,
it doesn't bump - it acts like a TCP forwarder instead. I get a "CONNECT
ip.add.ress:443" log record - no sign of the hostname and no bumping.
# Explicit (browser-configured) proxy port, bumping with the local CA
http_port 3126 ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL

# Intercepted plain HTTP: iptables redirects outbound tcp/80 here
http_port 3129 transparent

# Intercepted HTTPS: iptables redirects outbound tcp/443 here
https_port 3127 transparent ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL

# Exclusion lists (one regex per line in each file)
acl SSL_nonHTTPS_sites dstdom_regex "/etc/squid/SSL_nonHTTPS_sites.txt"
acl SSL_noIntercept_sites dstdom_regex "/etc/squid/SSL_noIntercept_sites.txt"

# Do not bump the excluded sites; bump everything else server-first
ssl_bump none SSL_nonHTTPS_sites
ssl_bump none SSL_noIntercept_sites
ssl_bump server-first all
So these older search-engine pages I came across claimed this should
work with squid, but either I am missing something, or this doesn't work
in 3.4.9?
Thanks
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
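The symptom in the post (a "CONNECT ip:443" record and nothing else) can be checked directly from access.log: a session that squid actually bumped is followed by request lines with https:// URLs, while a session it merely tunnelled leaves only the CONNECT line. The script below is an added worked check, not code from the post or from the Squid project. It assumes squid's default "squid" logformat (timestamp, elapsed, client, action/status, bytes, method, URL, user, hierarchy/peer, mime type) and correlates CONNECT lines with decrypted requests through the peer address in the hierarchy field. The sample log lines are constructed for the example.

```python
import re

# Default squid "squid" logformat, one request per line:
#   ts.ms elapsed client action/status bytes method url user hierarchy/peer mime
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<mime>\S+)\s*$"
)

# A CONNECT target logged as bare ip:port, i.e. squid never learned a hostname.
IP_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")

# Constructed sample access.log lines (not taken from the poster's system).
# Line 1: intercepted HTTPS that was tunnelled, not bumped.
# Lines 2-3: explicit-proxy CONNECT that was bumped; the decrypted GET follows.
# Line 4: plain HTTP.  Line 5: junk that must not crash the parser.
SAMPLE_LOG = """\
1415610000.123    245 10.0.0.5 TCP_TUNNEL/200 4532 CONNECT 93.184.216.34:443 - HIER_DIRECT/93.184.216.34 -
1415610001.001     80 10.0.0.5 TCP_MISS/200 1456 CONNECT www.example.net:443 - HIER_DIRECT/198.51.100.7 -
1415610001.210    120 10.0.0.5 TCP_MISS/200 2345 GET https://www.example.net/ - HIER_DIRECT/198.51.100.7 text/html
1415610002.500     30 10.0.0.5 TCP_MISS/200 812 GET http://www.example.org/index.html - HIER_DIRECT/203.0.113.9 text/html
this line is not a squid log entry
"""


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def server_ip(entry):
    """Peer/server address from the hierarchy field: HIER_DIRECT/198.51.100.7 -> 198.51.100.7."""
    hier = entry["hier"]
    return hier.split("/", 1)[1] if "/" in hier else "-"


def bump_report(lines):
    """Correlate CONNECT records with decrypted https:// requests per server address."""
    connects = {}   # server ip -> CONNECT target as squid logged it
    bumped = set()  # server ips for which squid logged a decrypted https:// request
    plain_http = unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        ip = server_ip(entry)
        if entry["method"] == "CONNECT":
            connects.setdefault(ip, entry["url"])
        elif entry["url"].startswith("https://"):
            bumped.add(ip)
        else:
            plain_http += 1
    # A CONNECT with no https:// request behind it was tunnelled, not bumped.
    not_bumped = {ip: target for ip, target in connects.items() if ip not in bumped}
    return {
        "bumped": sorted(bumped),
        "not_bumped": not_bumped,
        "plain_http": plain_http,
        "unparsed": unparsed,
    }


def unnamed_targets(report):
    """Tunnelled CONNECT targets logged as bare ip:port, the intercept symptom from the post."""
    return sorted(t for t in report["not_bumped"].values() if IP_PORT.match(t))


if __name__ == "__main__":
    report = bump_report(SAMPLE_LOG.splitlines())
    print("bumped servers:     ", report["bumped"])
    print("tunnelled only:     ", report["not_bumped"])
    print("tunnelled by IP only:", unnamed_targets(report))
```

Run it against the real file with `bump_report(open("/var/log/squid/access.log"))`; every entry in `not_bumped` whose target is a bare IP is an intercepted HTTPS session that passed through as a TCP tunnel, which is exactly the behaviour the post reports on port 3127.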