[squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump

Tom Mowbray tmowbray at dalabs.com
Wed Jun 24 15:41:52 UTC 2015


Squid 3.5.5

I seem to have some confusion about how acl lists are processed in
squid.conf regarding the handling of SSL (HTTPS) traffic when attempting to
use ssl_bump directives with a transparent proxy.

Based on available documentation, I believe my squid.conf is correct;
however, it never seems to actually behave as expected.

I define the SSL port, as usual:

acl SSL_ports port 443

But here's where my confusion lies... Many state to place the following
line above the ssl_bump configuration lines:

http_access allow SSL_ports

However, when I do this, it appears to simply stop processing any other
rules and allows ALL https traffic through the proxy (which is actually how
I'd expect a standard ACL list to operate, but then how do I actually
filter the traffic through our content-based ACL lists?). If I put the
above line below the ssl_bump configuration options in my squid.conf, then
it appears to BUMP all, even though I've told the config to SPLICE all
https traffic, which doesn't work for our deployment.

So, does squid actually continue to process the https traffic using the
ssl_bump rules if the "http_access allow SSL_ports" line is placed above it
in the configuration?

I should note that we've been able to get filtering to work correctly when
using our configuration in NON-transparent mode; however, our goal is to get
this functionality working as a transparent proxy. We're unable to load
our self-signed cert onto client machines that will be accessing the proxy,
so using the "bump" or man-in-the-middle style https filtering isn't a
viable option for us.

Any help or advice is appreciated!

Thanks,

Tom
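As an added example (not the poster's configuration or a reply from the list), here is a peek-and-splice squid.conf fragment for Squid 3.5 that filters intercepted HTTPS by SNI without ever bumping, so no CA has to be installed on clients. The network range, certificate path, port numbers and the blocked domain are placeholders.

```conf
# Added example for Squid 3.5 (not the poster's configuration): peek at the
# TLS ClientHello to learn the SNI, then splice every connection unmodified.
# Filtering happens in http_access on the SNI. Network range, cert path,
# ports and the blocked domain are placeholders.

# Intercepted listeners. A cert= is still mandatory on an ssl-bump port even
# when nothing is bumped; it is never presented to clients when splicing.
http_port  3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl/squid.pem

acl localnet  src 192.168.0.0/16
acl SSL_ports port 443
acl CONNECT   method CONNECT
acl step1     at_step SslBump1

# Content policy. After the step1 peek, Squid rebuilds the fake CONNECT for
# an intercepted TLS connection with the SNI as its host and re-checks
# http_access, so ssl::server_name is usable here without bumping.
acl blocked_sites ssl::server_name .blocked.example

# http_access and ssl_bump are separate lists; their relative position in the
# file does not change evaluation. Within http_access a bare
# "allow SSL_ports" admits every port-443 CONNECT, so denies go first.
http_access deny  CONNECT !SSL_ports
http_access deny  blocked_sites
http_access allow localnet
http_access deny  all

# Read the SNI at step1, then splice everything instead of bumping it.
ssl_bump peek   step1
ssl_bump splice all
```

Because nothing is bumped, a denied site shows the client a failed TLS handshake rather than a Squid error page; check access.log for the TCP_DENIED entry on the fake CONNECT to confirm the rule matched.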