[squid-users] Using SSL bump and reverse proxy for DNS sinkhole
Antony Stone
Antony.Stone at squid.open.source.it
Sat Sep 8 09:16:23 UTC 2018
On Saturday 08 September 2018 at 11:00:41, thompsonm wrote:
> "1. a web server which will generate an SSL certificate on the fly and then
> serve HTTPS content back to the client using that certificate "
>
> Is there a way to do this? The only way I can find is to use wildcard
> certificates. But that's not what I'm trying to do.
I don't have a recipe for it, but I'd thought that since Squid can create a
certificate on demand, Apache or NGinx would be able to too.
If that's not feasible, though...
> "2. a pile of SSL certificates which you generate using your own CA at the
> same time you put the fake entries into DNS. After all, you know what
> domains you're putting into your "DNS sinkhole", so just generate an SSL
> certificate for each one as you do it, load them onto your web server, and
> there you go. "
>
> This is not really feasible because the lists are always being updated.
So? Update the certificates at the same time as DNS. It'll be a lot less work
for your web server, too, just having to use a pre-existing certificate to
service a request, rather than having to generate a certificate every time it
sees the first request for a domain.
> I could write a script or something but I think it would be better just to
> have a web server or proxy create the certificates when the client tries to
> connect.
Agreed, but just in case it's not feasible, a script to generate SSL certs
from your DNS list certainly would be.
Either way, I don't see that Squid's MITM SSL Bump facility is a solution,
because as I said previously, you have no connection to be in the middle of.
Antony.
--
All generalisations are inaccurate.
Please reply to the list;
please *don't* CC me.
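The "script to generate SSL certs from your DNS list" that the reply sketches, as an added example (not code from the thread or from the Squid project): it builds a private CA, reads a blocklist of sinkholed names and issues one CA-signed certificate per name, skipping names that already have one so it can be re-run every time the DNS list changes. It assumes openssl is on PATH, that the list holds one FQDN per line (comments and blank lines allowed), and that the CA certificate is only ever trusted by clients on your own network; the function names, the domain list and the verify step are all this example's own.

```shell
#!/bin/sh
# Added example, not part of the squid-users thread. Issues one certificate per
# sinkholed domain from a private CA so the sinkhole web server can answer HTTPS
# for every name the DNS blocklist points at it. Assumes: openssl on PATH, one
# FQDN per line in the list, CA trusted only inside your own network.
set -eu

# make_ca CA_DIR : create the private CA (key + self-signed cert) once.
make_ca() {
    mkdir -p "$1"
    if [ ! -f "$1/ca.crt" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=Sinkhole Private CA" \
            -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
    fi
}

# issue_cert CA_DIR DOMAIN OUT_DIR : key + CA-signed cert with a matching SAN.
# Returns 1 (and issues nothing) for names that are not plausible hostnames,
# since blocklists often carry junk and the name is also used as a file name.
issue_cert() {
    ic_ca=$1; ic_dom=$2; ic_out=$3
    case $ic_dom in
        ''|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;;
    esac
    mkdir -p "$ic_out"
    # Browsers match on subjectAltName, not on the CN alone.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$ic_dom" \
        > "$ic_out/$ic_dom.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$ic_dom" \
        -keyout "$ic_out/$ic_dom.key" -out "$ic_out/$ic_dom.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 90 -in "$ic_out/$ic_dom.csr" \
        -CA "$ic_ca/ca.crt" -CAkey "$ic_ca/ca.key" -CAcreateserial \
        -extfile "$ic_out/$ic_dom.ext" -out "$ic_out/$ic_dom.crt" >/dev/null 2>&1
    rm -f "$ic_out/$ic_dom.csr" "$ic_out/$ic_dom.ext"
}

# issue_sinkhole_certs CA_DIR LIST_FILE OUT_DIR : one cert per listed domain,
# skipping names that already have one. Prints how many were issued this run,
# so a cron job that follows the DNS list can log what actually changed.
issue_sinkhole_certs() {
    ca_dir=$1; list=$2; out_dir=$3
    count=0
    while IFS= read -r name || [ -n "$name" ]; do
        name=${name%%#*}                                  # strip comments
        name=$(printf '%s' "$name" | tr -d ' \t\r')       # strip whitespace/CR
        [ -z "$name" ] && continue
        [ -f "$out_dir/$name.crt" ] && continue           # already issued
        if issue_cert "$ca_dir" "$name" "$out_dir"; then
            count=$((count + 1))
        fi
    done < "$list"
    echo "$count"
}

# verify_cert CA_DIR DOMAIN OUT_DIR : chain validates against the CA and the
# SAN carries the domain; the check a sinkhole client would effectively do.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$3/$2.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$3/$2.crt" -noout -text | grep -q "DNS:$2"
}

# Demo on a constructed blocklist (sample names, not a real feed).
if [ "${SINKHOLE_DEMO:-1}" = 1 ]; then
    work=$(mktemp -d)
    printf '%s\n' 'ads.example.test' 'tracker.example.test  # comment' \
        '' 'bad name!' > "$work/sinkhole.txt"
    make_ca "$work/ca"
    echo "first run issued: $(issue_sinkhole_certs "$work/ca" "$work/sinkhole.txt" "$work/certs")"
    echo "second run issued: $(issue_sinkhole_certs "$work/ca" "$work/sinkhole.txt" "$work/certs")"
    verify_cert "$work/ca" ads.example.test "$work/certs" && echo "ads.example.test: chain and SAN ok"
fi
```

Point the web server's SNI-based virtual hosts (or a single default host with a certificate lookup by name) at the `OUT_DIR` files, and run `issue_sinkhole_certs` from the same job that updates the DNS entries; the rejected-name check matters because the domain doubles as a file name and untrusted list content should never be able to write outside `OUT_DIR`.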