[squid-users] SSL bumping without faked server certificates
Stefan Kutzke
stefan.kutzke at bettermarks.com
Tue Nov 10 14:05:06 UTC 2015
Hi,
I needed to set up Squid as a transparent proxy with SSL bumping for only one single https website.
The goal was to bump https connections to this website with its official signed SSL certificate.
As an illustration:
Website/hostname: https://abc.mydomain.com
DNS: abc.mydomain.com A 1.2.3.4
Official wildcard certificate: CN = *.mydomain.com (server.crt, server.key)
I used Squid 3.4.10 from CentOS repository and configured iptables DNAT rules for intercepting.
Squid config:
https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>
acl MYSITE dst 1.2.3.4
ssl_bump server-first MYSITE
ssl_bump none all
Everything worked perfectly. All traffic to https://abc.mydomain.com was bumped for caching purposes,
all traffic to other https websites was simply tunneled. Squid did not need to generate faked server certificates
and clients were left untouched (no proxy settings, no self-signed CA).
Now some parts of the website are delivered by Amazon CloudFront. CloudFront has the SSL certificate installed
(same official signed certificate as mentioned above).
Additional website/hostname: https://xyz.mydomain.com
DNS: xyz.mydomain.com CNAME <distribution>.cloudfront.net
Official wildcard certificate: CN = *.mydomain.com (server.crt, server.key)
I cannot simply extend my ACL with all destination IPs used by CloudFront, because these are shared IPs and
CloudFront needs to know which domain/hostname is asked to provide the correct certificate. Usually a client
uses the SNI extension of TLS to transmit the required domain/hostname.
I have heard of the new "SSL Peek and Splice" feature in Squid 3.5 but can't get it working (Squid 3.5.9).
My assumption is that I have to use in Squid's config:
https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>
acl MYSITE ssl::server_name .mydomain.com
ssl_bump bump MYSITE
ssl_bump splice all
This results in tunneling all https traffic, nothing will be bumped and cached. I'm a little bit confused about the
documentation:
Under the headline "Processing steps":
Step 2:
1. Get TLS clientHello info, including SNI where available.
Under the headline "Actions":
peek/stare Receive client SNI (step1), ...
Is it possible to achieve my goal with Squid in transparent mode?
In other words: Is there a way to bump https connections to destinations with shared IPs?
Best,
Stefan
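The following is an added example, not code from the post above and not Squid's own code. It models Squid 3.5's ssl_bump step evaluation for an intercepted connection, with a small ClientHello parser standing in for the "peek" step, to show why an ssl::server_name ACL cannot match at step 1 (Squid only knows the intercepted destination IP there) and does match at step 2 once the ClientHello has been read. The hostnames, ACL names and rule sets follow the post; the CloudFront address 203.0.113.10 and the ClientHello bytes are constructed for the example.

```python
# Added example (not from the original post or from Squid): a model of
# Squid 3.5 ssl_bump step evaluation plus a ClientHello SNI parser.
# 203.0.113.10 is a constructed stand-in for a shared CloudFront address.
import struct
from typing import Callable, Dict, List, Optional, Tuple

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record; random and cipher
    list are filler, an SNI extension is added when sni is given."""
    body = b"\x03\x03" + b"\x11" * 32            # client_version, random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
    body += b"\x01\x00"                          # null compression only
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's SNI extension, or None
    if the record is not a ClientHello or carries no SNI.  Lengths are
    bounds-checked; a truncated hello raises ValueError rather than being
    silently reported as 'no SNI'."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")

    def take(pos: int, n: int) -> bytes:
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        return body[pos:pos + n]

    pos = 2 + 32                                        # version + random
    pos += 1 + take(pos, 1)[0]                          # session_id
    pos += 2 + struct.unpack("!H", take(pos, 2))[0]     # cipher_suites
    pos += 1 + take(pos, 1)[0]                          # compression_methods
    if pos == len(body):
        return None                                     # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", take(pos, 2))[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", take(pos, 4))
        edata = take(pos + 4, elen)
        pos += 4 + elen
        if etype != EXT_SERVER_NAME or elen < 2:
            continue
        p, list_end = 2, 2 + struct.unpack("!H", edata[:2])[0]
        while p + 3 <= list_end:
            ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
            if ntype == 0:                              # host_name entry
                return edata[p + 3:p + 3 + nlen].decode("ascii").lower()
            p += 3 + nlen
    return None


def domain_acl_matches(pattern: str, server_name: str) -> bool:
    """Squid-style domain ACL: a leading dot matches the domain and every
    subdomain, otherwise the match is exact.  An IP never matches."""
    server_name = server_name.lower()
    if pattern.startswith("."):
        return server_name == pattern[1:] or server_name.endswith(pattern)
    return server_name == pattern


Rule = Tuple[str, str]  # (ssl_bump action, acl name), in config order

ACLS: Dict[str, Callable[[int, str], bool]] = {
    "step1": lambda step, name: step == 1,             # at_step SslBump1
    "MYSITE": lambda step, name: domain_acl_matches(".mydomain.com", name),
    "all": lambda step, name: True,
}
AUTHOR_RULES: List[Rule] = [("bump", "MYSITE"), ("splice", "all")]
PEEK_RULES: List[Rule] = [("peek", "step1"), ("bump", "MYSITE"), ("splice", "all")]


def first_match(rules: List[Rule], step: int, server_name: str) -> str:
    for action, acl in rules:
        if ACLS[acl](step, server_name):
            return action
    return "splice"  # no rule matched: the connection is not bumped


def intercepted_decision(rules: List[Rule], dst_ip: str, client_hello: bytes) -> str:
    """Walk the ssl_bump steps for an intercepted connection.  At step 1 the
    only server name available is the destination IP; the SNI reaches the
    ACL at step 2 only if step 1 chose peek (or stare)."""
    action = first_match(rules, 1, dst_ip)
    if action not in ("peek", "stare"):
        return action                   # decided without ever seeing the SNI
    sni = extract_sni(client_hello)
    return first_match(rules, 2, sni or dst_ip)


if __name__ == "__main__":
    hello = build_client_hello("xyz.mydomain.com")
    print("author rules:", intercepted_decision(AUTHOR_RULES, "203.0.113.10", hello))
    print("peek rules:  ", intercepted_decision(PEEK_RULES, "203.0.113.10", hello))
```

With the post's rule order (bump MYSITE; splice all) the step 1 lookup sees only 203.0.113.10, MYSITE cannot match an address, and "splice all" wins, which is the tunnel-everything behaviour described above. With a peek at step 1 the same ClientHello is classified at step 2 by its SNI, so xyz.mydomain.com is bumped and other hosts on the same shared address are spliced. The Squid 3.5 configuration that PEEK_RULES mirrors is, in plain text: acl step1 at_step SslBump1 / ssl_bump peek step1 / ssl_bump bump MYSITE / ssl_bump splice all, together with acl MYSITE ssl::server_name .mydomain.com. The model covers the step logic only; it says nothing about which certificate Squid presents to the client after bumping.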