[squid-users] SSLBump just not working
Amos Jeffries
squid3 at treenet.co.nz
Fri Aug 5 10:54:48 UTC 2016
On 5/08/2016 2:13 p.m., JR Dalrymple wrote:
>
> For posterity's sake, here are the relevant parts of my working
> configuration:
>
> /etc/pf.conf:
> pass in proto tcp to any port 80 divert-to 127.0.0.1 port 3128
> pass in proto tcp to any port 443 divert-to 127.0.0.1 port 3129
>
> squid.conf:
> http_port 127.0.0.1:3128 intercept
> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CA.pem
>
FYI: Since OpenBSD 4.4+ the PF divert-to rule performs their
implementation of TPROXY. So technically it is more correct to configure
"tproxy" option on the listening ports. But the "intercept" will also
work - it just makes Squid behave like a NAT instead of fully transparent.
Also, both styles can handle IPv6 as well as IPv4. That is currently
limited only by your explicit use of 127.0.0.1 in the rules and port
declarations.
Amos
More information about the squid-users
mailing list