[squid-users] squid proxy 3.5 redhat 7.3

Madonna, A. (spir-it) A.Madonna at rechtspraak.nl
Thu Jun 1 16:09:21 UTC 2017


Hello,

Due to all the documentation on the internet, we still do not have the answer to the question or whether we can use ssl_bump https traffic to intercept https traffic using a cache_peer.

So our question is, can we use ssl_bump to intercept https traffic with a parent proxy (cache_peer).

Config example:

http_port 10.**********:8080 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE dynamic_cert_mem_cache_size=4MB
http_port 127.0.0.1:8080 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE dynamic_cert_mem_cache_size=4MB
https_port 127.0.0.1:8081 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
acl step1 at_step SslBump1

ssl_bump peek step1

cache_peer ************** parent 8080 0 no-query no-netdb-exchange no-digest name=*******
never_direct allow all


squid -v squid-3.5.20-2.el7.x86_64

configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-icap-client' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'


kind regards,

Sandro

________________________________

Informatie van de Raad voor de rechtspraak, de rechtbanken, de gerechtshoven en de bijzondere colleges vindt u op www.rechtspraak.nl.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170601/c431b918/attachment.html>


More information about the squid-users mailing list