[squid-users] ssl-bump and accel
Amos Jeffries
squid3 at treenet.co.nz
Wed Jan 6 00:14:58 UTC 2016
On 6/01/2016 8:30 a.m., Nir Krakowski wrote:
> how can you combine accel proxy with ssl-bump ?
>
To use accel mode the proxy needs to be an origin for the domain and
thus have access to the server's TLS private keys. If you have those keys
just use a normal https_port (note the 's') to receive the traffic - no
bumping (TLS MITM) required.
> the problem: intercept mode looks at IP addresses
>
> requested solution: we need to look at the SNI info..
You don't seem to understand intercept mode. It is TCP level MITM.
All the proxy receives from TCP is IP address and port details. So those
are considered *first*.
Only if those details are acceptable (in the form of "CONNECT raw-IP
HTTP/1.1") does Squid go on to do the additional complexity of MITM at
the TLS level.
Amos
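The two deployment shapes contrasted in the reply above, written out as an added squid.conf example (not configuration posted by Amos or shipped by the Squid project). The reverse-proxy (accel) block terminates TLS with the site's own certificate and key, so no ssl-bump is involved; the intercept block is the TCP-level MITM case, where the IP/port are checked first and the SNI only becomes visible at SslBump step 1 via a peek. All hostnames, addresses, ACL names and file paths are constructed placeholders:

```conf
# --- Case 1: accel (reverse proxy). The proxy *is* the origin for the
# site, so it holds the real server certificate and key (assumed paths).
# Nothing is bumped: the client negotiates TLS directly with Squid.
https_port 443 accel defaultsite=www.example.com \
    cert=/etc/squid/certs/www.example.com.crt \
    key=/etc/squid/certs/www.example.com.key

# Forward decrypted requests to the backend as an origin server.
# 10.0.0.5 is a constructed backend address.
cache_peer 10.0.0.5 parent 8443 0 no-query originserver tls name=origin_backend
acl our_site dstdomain www.example.com
cache_peer_access origin_backend allow our_site
cache_peer_access origin_backend deny all
http_access allow our_site
http_access deny all

# --- Case 2: intercept (TCP-level MITM). Traffic is redirected here by the
# firewall; Squid first sees only the destination IP and port (the implicit
# "CONNECT raw-IP HTTP/1.1"). The SNI is only available after a peek at
# step 1, so SNI-based decisions must be expressed as ssl_bump rules.
# The CA cert/key is a constructed path; it is needed to terminate
# connections, not to impersonate sites.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/certs/squid-ca.pem \
    key=/etc/squid/certs/squid-ca.key \
    generate-host-certificates=on

# Step 1 only has the IP:port; peek there to learn the client's SNI.
acl step1 at_step SslBump1
ssl_bump peek step1

# After the peek, decide on the SNI: pass allowed sites through untouched
# (splice), refuse everything else without decrypting it.
acl allowed_sni ssl::server_name .example.com
ssl_bump splice allowed_sni
ssl_bump terminate all
```

The intercept block deliberately never uses `ssl_bump bump`: peek/splice lets Squid act on the SNI without decrypting the session, which is the least-invasive way to get the name-based filtering the question asked for. Full bumping is only justified when the proxy legitimately owns the domain, and in that case the accel block is the right tool.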