[squid-users] squid module to "simulate" CONNECT setup to facilitate intercepted https
Alex Rousskov
rousskov at measurement-factory.com
Mon Nov 9 15:03:15 UTC 2015
On 11/08/2015 11:33 PM, Mark Carey wrote:
> What I am interested in is whether there is or ever was a squid module that:
>
> 1. is suitable for running in intercept mode
>
> 2. maintains a list of active https connections
>
> 3. checks the acls to see if access is permitted, to the extent
> permitted by https, so some checks would need to pass through lack of
> sufficient information
>
> 4. when a new https connection is intercepted (internally fakes the
> setup of a CONNECT tunnel)
>
> 5. if permitted and a suitable CONNECT tunnel exists shovels bits back
> and forward like a traditional non-intercepted proxy
>
> 6. if not returns icmp host unreachable
>
> 7. accounts for traffic in the same way as squid would in a configured
> proxy setup
>
> Has anyone tried this? Or is the answer download the source and
> patches welcome?
AFAICT, SslBump with "peek at and then splice everything" rules will
give you most if not all of the above:
http://wiki.squid-cache.org/Features/SslPeekAndSplice
http://bugs.squid-cache.org/show_bug.cgi?id=4340
Alex.
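
A squid.conf sketch of the "peek at and then splice everything" rules named in the reply above, added here as an example and not taken from the thread or from the Squid project. The port number, certificate path and refused domain are assumed placeholders, and the `cert=` option follows Squid 3.5 syntax.

```conf
# Added example: port, path and domain below are placeholders (assumptions).

# Port that receives TLS connections redirected by the firewall.
# Squid expects a certificate on an ssl-bump port even when every
# connection is spliced and nothing is decrypted.
https_port 3129 intercept ssl-bump cert=/etc/squid/placeholder-ca.pem

# SslBump step 1: only TCP-level information (client and destination IP)
# is available at this point.
acl step1 at_step SslBump1

# Hypothetical policy: server names to refuse, matched against the
# SNI that the client sends in its TLS ClientHello.
acl refused_sni ssl::server_name .blocked.example

# Peek at the ClientHello to learn the SNI without altering the handshake.
ssl_bump peek step1

# Close connections whose SNI matches the refused list.
ssl_bump terminate refused_sni

# Everything else becomes a blind TCP tunnel; TLS stays end-to-end
# between client and origin server.
ssl_bump splice all
```

With these rules a refused connection is closed at the TCP level by `terminate`, not answered with ICMP host unreachable. A client that sends no SNI cannot match `refused_sni` and falls through to `splice`.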