[squid-users] Transparent HTTPS Squid proxy with upstream parent
Michael Ludvig
michael.ludvig at enterpriseit.co.nz
Tue Nov 24 04:49:11 UTC 2015
Hi Amos
On 09/11/15 12:55, Amos Jeffries wrote:
> On 9/11/2015 11:55 a.m., Michael Ludvig wrote:
>> [client] -> HTTPS -> [my_proxy] -> SSL -> [upstream_proxy] -> HTTPS -> [target]
>>
>> Can you provide some config hints for both proxies please? The
>> SSL-related bits only as that's the unclear part.
> my_proxy:
> cache_peer example.com 3129 0 ssl
>
> upstream_proxy:
> https_port 3129 cert=/path/to/cert
This works well when the [client] has $https_proxy set to point to
[my_proxy] - it then talks SSL to [upstream_proxy] and things work nicely.
However with transparent proxy / sslbump on [my_proxy] I keep getting:
Failed to establish a secure connection to 10.205.28.183 (=this is [upstream_proxy])
The system returned:
[No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
Certificate does not match domainname: /C=NZ/O=Example CA/CN=parent.example.com
On [my_proxy] I've got:
https_port 8443 intercept ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/intermediate.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
cache_peer parent.example.com parent 3129 0 no-query ssl \
sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
sslproxy_flags DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
On the [upstream_proxy] I've got:
https_port 3129 cert=/etc/squid/parent.example.com.pem
visible_hostname parent.example.com
I've got the certificates issued to parent.example.com and the record
for parent.example.com in /etc/hosts on [my_proxy]
What am I doing wrong / how to make it work for transparent ssl proxying?
Thanks!
Michael
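To see what a DOMAIN_MISMATCH check actually compares, here is an added example (not from this thread or from Squid's code) of RFC 6125-style hostname matching run against the certificate identity quoted in the error above, CN=parent.example.com; the SAN list, the origin hostname www.target.example and the helper names are constructed assumptions. It shows that the same certificate passes when the verified name is the peer's hostname and fails when the verified name is the peer's IP literal or an intercepted origin host.

```python
"""Hostname-vs-certificate matching, the comparison behind a TLS DOMAIN_MISMATCH.

Added example, not from the squid-users thread. Rules implemented: dNSName SANs
take precedence over the subject CN, comparison is case-insensitive, and a
wildcard may only replace the whole left-most label.
"""
import ipaddress
from typing import List, Optional


def label_matches(pattern: str, label: str) -> bool:
    # "*" alone replaces exactly one full left-most label; partial wildcards
    # such as "pa*ent" are not accepted.
    return pattern == "*" or pattern == label


def name_matches(pattern: str, hostname: str) -> bool:
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if any(label == "*" for label in p_labels[1:]):  # wildcard only left-most
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_matches_host(cn: Optional[str], san_dns: List[str], hostname: str) -> bool:
    """True if the certificate identity covers `hostname`.

    An IP literal never matches a dNSName or CN (an iPAddress SAN would be
    needed), so verifying against a bare address such as 10.205.28.183 fails
    even when the certificate is otherwise valid for parent.example.com.
    """
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    if san_dns:  # when SANs are present the CN is ignored
        return any(name_matches(n, hostname) for n in san_dns)
    return cn is not None and name_matches(cn, hostname)


PEER_CN = "parent.example.com"                         # from the thread's error text
PEER_SAN = ["parent.example.com", "*.example.com"]     # constructed for illustration


def check_peer(hostname: str) -> bool:
    return cert_matches_host(PEER_CN, PEER_SAN, hostname)


if __name__ == "__main__":
    for host in ["parent.example.com", "10.205.28.183", "www.target.example"]:
        print(f"{host:22} -> {'ok' if check_peer(host) else 'DOMAIN_MISMATCH'}")
```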