[squid-users] Add header to SSL requests to my own domain using my domains certs

Yuri Voinov yvoinov at gmail.com
Sun Feb 15 22:46:41 UTC 2015


16.02.15 4:40, James Beecham wrote:
> Hi Yuri,
> 
> Thank you.
> 
> Are these HTTPS CONNECT requests coming over port 80? If not would
> I need

It depends. Different configurations use different ports. In
transparent interception mode you absolutely need separate ports for
HTTP/HTTPS. In forwarding mode you can use one port, but with SSL
parameters.

In transparent interception, Squid generates an error in cache.log if
HTTP passes over the HTTPS port and vice versa. This is a bit of a
problem in currently used versions, but it is promised to be fixed in
a future release. ;)


> to make a rule to forward 443 to another Squid port configured to
> ssl_bump?
> 
> James
> 
> On Sun, Feb 15, 2015 at 2:37 PM, Yuri Voinov <yvoinov at gmail.com>
> wrote:
> 
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
>  16.02.15 4:02, James Beecham wrote:
>>>> Hello,
>>>> 
>>>> Thank you to everyone who works on this great project! I have
>>>> been using Squid as an intercept for a while now and am very
>>>> happy.
>>>> 
>>>> I have a high level question regarding SSL_Bump.
>>>> 
>>>> My company recently switched to using SSL for our web
>>>> services, which requires me to make some changes to the way
>>>> that we use Squid.
>>>> 
>>>> I have a need to place a header value into requests coming to
>>>> our own domain (ex. https://www.myhost.com) for proper usage.
>>>> Before using SSL I was using request_header_add without any
>>>> issues and getting perfect performance. Now with SSL I still
>>>> need to get a header value into the requests to our domain.
>>>> 
>>>> I do not wish to bump/inspect all traffic over 443, I only
>>>> wish to add a header to requests to my own domain. Since I am
>>>> the domain admin I have access to the certs from the CA. I
>>>> understand how acls work and am not concerned about setting
>>>> this up.
>>>> 
>>>> I would like to know what you all think about using our
>>>> domain's actual certs (www.myhost.com) to bump only that
>>>> domain and add the header field that I need. Will this allow
>>>> me to modify the header without the client knowing or their
>>>> browser telling them about man in the middle? My knowledge of
>>>> SSL/TLS is low but growing every day.
>>>> 
>>>> Thank you for your attention and please ask more questions if
>>>> my situation is not clear.
>>>> 
>>>> James
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________ squid-users
>>>> mailing list squid-users at lists.squid-cache.org 
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>> 
> 
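
The port layout and selective bump discussed in this thread, as an added squid.conf sketch (not part of the original messages and not the project's own example). It assumes Squid 3.5 or later built with SSL bump support; the port numbers, certificate path, header name and header value are placeholders.

```conf
# --- Forwarding (explicit proxy) mode -------------------------------
# One port carries plain HTTP and HTTPS CONNECT requests; the SSL
# parameters on the port are what make bumping possible.
# cert= is a placeholder path; which certificate to load here is the
# open question in the thread.
http_port 3128 ssl-bump cert=/etc/squid/ssl/PLACEHOLDER.pem

# --- Transparent interception mode ----------------------------------
# Separate ports for HTTP and HTTPS. The firewall redirects client
# traffic for TCP 80 to 3129 and TCP 443 to 3130 (placeholder ports).
http_port  3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl/PLACEHOLDER.pem

# --- Bump only the one domain, leave everything else untouched -------
# step1: only the TCP-level details and the client's TLS hello (SNI)
# are known at this point.
acl step1 at_step SslBump1

# Match the domain by the TLS server name (SNI from step 1).
acl own_domain_tls ssl::server_name www.myhost.com

# Match the same domain on the decrypted HTTP request.
acl own_domain dstdomain www.myhost.com

ssl_bump peek   step1            # read SNI without committing
ssl_bump bump   own_domain_tls   # decrypt only www.myhost.com
ssl_bump splice all              # pass all other TLS through as-is

# --- Header insertion -----------------------------------------------
# Applied only to requests for the bumped domain. Spliced connections
# are never decrypted, so no header can be added to them.
request_header_add X-Example-Header "example-value" own_domain
```

Run `squid -k parse` after editing to catch directive or ACL errors before reloading.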