[squid-users] Peek and Splice for websites using HSTS
Ashish Patil
ashish.patil at shreshtait.com
Fri Apr 10 14:22:37 UTC 2015
Hello,
I am trying to set up Peek and Splice using Squid 3.5.3. I'm facing issues
setting it up for websites that have HSTS enabled, like google.com and
twitter.com.
My squid.conf is:
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl/myCA.pem
acl step3 at_step SslBump3
acl sslBumpAllowedDstDomain dstdomain google.co.in
ssl_bump peek step3 all
ssl_bump splice sslBumpAllowedDstDomain
ssl_bump bump all
The output of access.log is:
1428674512.281 511 192.168.3.31 TCP_MISS/301 634 GET http://google.co.in/ - ORIGINAL_DST/173.194.117.23 text/html
1428674512.703 348 192.168.3.31 TCP_MISS/302 1106 GET http://www.google.co.in/ - ORIGINAL_DST/173.194.117.24 text/html
1428674512.706 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.24:443 - HIER_NONE/- -
1428674512.711 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.24:443 - HIER_NONE/- -
1428674515.883 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674515.956 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674515.965 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674516.006 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.310 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.327 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.335 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.411 0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
Any input would be welcome.