[squid-users] Squid reverse proxy with SSL bump
Amos Jeffries
squid3 at treenet.co.nz
Tue Sep 8 07:33:04 UTC 2015
On 8/09/2015 6:45 p.m., joseph jose wrote:
> Hi,
>
> I have tested squid reverse proxy mode and squid SSL bump both were
> successful and working fine.
>
> Is it possible to configure a squid reverse proxy with SSL-bump enabled?
The concept does not make any sense.
* accel / reverse-proxy traffic is destined to and terminated by the proxy.
* ssl-bump is a pile of trickery and hacks to intercept traffic
destined to somewhere else.
What is a web server that MITMs traffic destined to itself? Broken.
Squid does (and always has done) normal regular HTTPS reverse-proxy:
https_port 443 accel cert=...
But there is not yet support for SNI. So virtual hosted HTTPS is not
supported. We are still stuck with the old one IP:port per domain limit
for a while yet.
>
> I tried configuring a squid instance in reverse proxy to bump specific
> domain traffic using following config line(clubbing both reverse proxy and
> SSL bump config directives)
>
> acl ssl_bumping dstdomain testsquid.com
> ssl_bump server-first ssl_bumping
> sslproxy_cert_error allow ssl_bumping
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
> /usr/local/squid/var/lib/ssl_db -M 4MB
>
> http_port 3128 accel defaultsite=testsquid.com vhost vport ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=<cert>
> cache_peer <webserverIP> parent <port> 0 no-query originserver
> name=squidtest
>
> But squid is logging CONNECT error:method-not-allowed. Am I missing
> something in my config?
>
> Does squid work in reverse proxy mode with SSL bump enabled?
No.
Amos
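For readers who landed here looking for the working alternative, below is an added example of the plain HTTPS reverse-proxy (accel) configuration Amos refers to. It is not part of the original thread or Squid's own documentation; the domain, origin address, ports and certificate paths are placeholders. The ssl-bump directives from the quoted config (ssl_bump, sslcrtd_program, generate-host-certificates, dynamic_cert_mem_cache_size) are deliberately absent: in accel mode the proxy terminates TLS with its own certificate, so there is nothing to intercept.

```conf
# Added example, not from the original post: Squid as an HTTPS reverse proxy.
# All hostnames, IPs, ports and file paths are placeholders.

# One https_port per published domain. Squid 3.x has no SNI support, so the
# certificate named here is the only one this IP:port can present.
https_port 443 accel defaultsite=www.example.com cert=/etc/squid/certs/www.example.com.crt key=/etc/squid/certs/www.example.com.key

# The origin web server behind the proxy (plain HTTP on an internal port).
cache_peer 10.0.0.10 parent 8080 0 no-query originserver name=origin

# Only accept requests for the site this proxy publishes, and route only
# those to the origin; everything else is refused.
acl our_site dstdomain www.example.com
http_access allow our_site
http_access deny all
cache_peer_access origin allow our_site
cache_peer_access origin deny all
```

The http_access and cache_peer_access rules are what keep an accel port from being abused as an open forward proxy; a second domain needs its own https_port on a separate IP:port with its own cert= and key=, as the message notes.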