[squid-users] how to go from connect/tunnel in squid4 ->GET

L A Walsh squid-user at tlinx.org
Fri Nov 30 17:39:21 UTC 2018


On 11/29/2018 12:41 PM, Alex Rousskov wrote:
> You have not configured any ssl_bump rules. Thus, you are effectively
> not using any SslBump features. All HTTPS traffic is simply tunneled
> through without decryption/analysis.
---
	Ok....I didn't do any of that in squid 3.x when I had something
working.  I had set my proxy up to have all protos use 1 port, 
like 8080 or such.  I placed a rootCA in all of the clients
that I wanted to use the proxy.  And then...it worked for 99%
of the sites.  Some things didn't work right, and maybe these 
highlight areas of misconfiguration -- most notably, Opera and
Google sites often failed to connect.  FF-derivative Palemoon
did work with google as did explorer.  I think opera was more
up-to-date with best-practices for encryption usage.

	For sites that I needed that didn't work or for sites
I wanted to remain encrypted (bank, for example), I'd have to use
a straight through connect+tunnel.

	Where were the ssl_bump options set in 3.x?  I thought
the 'ssl-bump' keyword in the http_port options enabled the bumping.

	Did it work that way in 3.x and now just doesn't work
that way in 4.x?

	I'm wanting to know why the old setup worked (mostly)
while the 4.x version seems to be missing "basic bumping"
that you highlighted.



> Please note that you should test SslBump features using https://...
> URLs, not http://... URLs.
---
	Only started with http addresses that I knew redirected
to https.


What is the 'ssl-bump' option for in the http_port statement?
It seems like it is a little confusing.

Thanks much!
-linda
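
The situation described in the quoted reply (an http_port marked ssl-bump but no ssl_bump rules, so HTTPS is only tunneled) can be checked mechanically. This is an added example, not part of the original message and not Squid's own code; the sample configs, certificate path and .bank.example domain are constructed, and include files are not followed.

```python
# Constructed sample configs (not from the original post); paths are placeholders.
PORT_ONLY = """\
http_port 8080 ssl-bump cert=/etc/squid/example-ca.pem generate-host-certificates=on
http_access allow localnet
"""

WITH_RULES = """\
http_port 8080 ssl-bump cert=/etc/squid/example-ca.pem generate-host-certificates=on
acl step1 at_step SslBump1
acl keep_encrypted ssl::server_name .bank.example
# look at the TLS client hello first, then decide per site
ssl_bump peek step1
# listed sites stay an opaque tunnel
ssl_bump splice keep_encrypted
# everything else is decrypted with the locally trusted CA
ssl_bump bump all
"""

# Actions after which Squid terminates TLS itself (current and legacy names).
DECRYPTING = {"bump", "client-first", "server-first"}

def directives(conf):
    """Yield (name, args) for each directive, skipping blanks and # comment lines."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield name, args

def audit_sslbump(conf):
    """Report ssl-bump ports, ssl_bump actions, and what that combination means."""
    ports, actions = [], []
    for name, args in directives(conf):
        if name in ("http_port", "https_port") and "ssl-bump" in args:
            ports.append(args[0])
        elif name == "ssl_bump" and args:
            actions.append(args[0])
    if not ports:
        verdict = "no ssl-bump port configured"
    elif not actions:
        verdict = "tunnel only: ssl-bump port has no ssl_bump rules"
    elif DECRYPTING & set(actions):
        verdict = "decryption possible: rules decide per connection"
    else:
        verdict = "inspect/tunnel only: no decrypting action in rules"
    return {"ports": ports, "actions": actions, "verdict": verdict}

if __name__ == "__main__":
    for label, conf in (("port only", PORT_ONLY), ("with rules", WITH_RULES)):
        print(label, "->", audit_sslbump(conf))
```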

