[squid-users] Transparent HTTPS Squid proxy with upstream parent

Michael Ludvig michael.ludvig at enterpriseit.co.nz
Tue Nov 24 04:49:11 UTC 2015


Hi Amos

On 09/11/15 12:55, Amos Jeffries wrote:
> On 9/11/2015 11:55 a.m., Michael Ludvig wrote:
>> [client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS ->
>> [target]
>>
>> Can you provide some config hints for both proxies please? The
>> SSL-related bits only as that's the unclear part.
> my_proxy:
>   cache_peer example.com 3129 0 ssl
>
> upstream_proxy:
>   https_port 3129 cert=/path/to/cert

This works well when the [client] has $https_proxy set to point to 
[my_proxy] - it then talks SSL to [upstream_proxy] and things work nicely.

However with transparent proxy / sslbump on [my_proxy] I keep getting:

     Failed to establish a secure connection to 10.205.28.183 (=this is [upstream_proxy])
     The system returned:
     [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
     Certificate does not match domainname: /C=NZ/O=Example CA/CN=parent.example.com

On [my_proxy] I've got:
https_port 8443 intercept ssl-bump generate-host-certificates=on \
     dynamic_cert_mem_cache_size=4MB cert=/etc/squid/intermediate.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

cache_peer parent.example.com parent 3129 0 no-query ssl \
     sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
sslproxy_flags DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER

On the [upstream_proxy] I've got:
https_port 3129 cert=/etc/squid/parent.example.com.pem
visible_hostname parent.example.com

I've got the certificates issued to parent.example.com and the record 
for parent.example.com in /etc/hosts on [my_proxy].

What am I doing wrong / how do I make it work for transparent SSL proxying?

Thanks!

Michael
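The error quoted above is a name-matching failure: Squid connected to the parent by its IP literal (10.205.28.183) and the parent presented a certificate whose only name is CN=parent.example.com. The following Python is an added example, not part of the post or of Squid's own code; it models RFC 6125 style matching of a connection target against a certificate's subjectAltName entries with a CN fallback, which is an assumption about how the comparison behaves, not a description of Squid's exact implementation. The certificates are constructed dictionaries, not parsed X.509, and the SAN-bearing variant is hypothetical.

```python
"""Hostname matching of the kind a TLS client performs on a peer certificate.

Added example, not from the squid-users post or from Squid's source.
It models the check behind SQUID_X509_V_ERR_DOMAIN_MISMATCH: the name the
client connected to is compared against the certificate's subjectAltName
entries (dNSName / iPAddress), falling back to the subject CN only when the
certificate carries no SAN at all.  Certificates are constructed dicts.
"""
import ipaddress


def _dns_label_match(pattern, name):
    """RFC 6125 style comparison: case-insensitive, wildcard allowed only
    as the entire left-most label, and never matching a bare TLD."""
    p_labels = pattern.lower().rstrip('.').split('.')
    n_labels = name.lower().rstrip('.').split('.')
    if len(p_labels) != len(n_labels):
        return False
    if p_labels[0] == '*':
        if len(p_labels) < 3 or not n_labels[0]:
            return False
        return p_labels[1:] == n_labels[1:]
    return p_labels == n_labels


def cert_matches_host(cert, host):
    """Return True if `host` (hostname or IP literal used to connect) is
    covered by the certificate.

    cert: {"subject_cn": str, "san_dns": [str], "san_ip": [str]}
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san_dns = cert.get("san_dns", [])
    san_ip = cert.get("san_ip", [])
    if ip is not None:
        # An IP destination is matched only against iPAddress SANs; a CN
        # that happens to spell out the IP does not count (RFC 6125 6.4.4).
        return any(ip == ipaddress.ip_address(a) for a in san_ip)
    if san_dns:
        # When any dNSName SAN exists, the CN is ignored entirely.
        return any(_dns_label_match(p, host) for p in san_dns)
    # Legacy fallback: no SAN present, compare against the subject CN.
    cn = cert.get("subject_cn")
    return bool(cn) and _dns_label_match(cn, host)


def classify(cert, host):
    """Map the match result onto the Squid error string seen in the post."""
    return "OK" if cert_matches_host(cert, host) else "SQUID_X509_V_ERR_DOMAIN_MISMATCH"


# Constructed certificate mirroring the one in the post:
# /C=NZ/O=Example CA/CN=parent.example.com with no subjectAltName.
PARENT_CERT = {"subject_cn": "parent.example.com", "san_dns": [], "san_ip": []}

# Constructed, hypothetical alternative: same CN plus SANs that also cover
# the IP literal the proxy actually connects to.
PARENT_CERT_WITH_SAN = {
    "subject_cn": "parent.example.com",
    "san_dns": ["parent.example.com"],
    "san_ip": ["10.205.28.183"],
}

if __name__ == "__main__":
    for host in ("parent.example.com", "10.205.28.183"):
        print(f"{host:20s} CN-only cert : {classify(PARENT_CERT, host)}")
        print(f"{host:20s} SAN cert     : {classify(PARENT_CERT_WITH_SAN, host)}")
```

Running it shows the asymmetry the post hits: the CN-only certificate matches when the peer is named parent.example.com but not when the same peer is reached as 10.205.28.183, while a certificate carrying an iPAddress SAN for that address matches both.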