[squid-users] Using SSL bump and reverse proxy for DNS sinkhole

Antony Stone Antony.Stone at squid.open.source.it
Sat Sep 8 09:16:23 UTC 2018


On Saturday 08 September 2018 at 11:00:41, thompsonm wrote:

> "1. a web server which will generate an SSL certificate on the fly and then
> serve HTTPS content back to the client using that certificate "
> 
> Is there a way to do this? The only way I can find is to use wildcard
> certificates. But that's not what I'm trying to do.

I don't have a recipe for it, but I'd thought that since Squid can create a 
certificate on demand, Apache or NGinx would be able to too.

If that's not feasible, though...

> "2. a pile of SSL certificates which you generate using your own CA at the
> same time you put the fake entries into DNS.  After all, you know what
> domains you're putting into your "DNS sinkhole", so just generate an SSL
> certificate for each one as you do it, load them onto your web server, and
> there you go. "
> 
> This is not really feasible because the lists are always being updated.

So?  Update the certificates at the same time as DNS.  It'll be a lot less work 
for your web server, too, just having to use a pre-existing certificate to 
service a request, rather than having to generate a certificate every time it 
sees the first request for a domain.

> I could write a script or something but I think it would be better just to
> have a web server or proxy create the certificates when the client tries to
> connect.

Agreed, but just in case it's not feasible, a script to generate SSL certs 
from your DNS list certainly would be.

Either way, I don't see that Squid's MITM SSL Bump facility is a solution, 
because as I said previously, you have no connection to be in the middle of.


Antony.

-- 
All generalisations are inaccurate.

                                                   Please reply to the list;
                                                         please *don't* CC me.
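Antony's fallback, a script that issues one certificate per sinkholed domain from your own CA, as an added example that is not from the thread or from Squid; it assumes openssl is on PATH, and the function names and the ca.key/ca.crt layout are its own choices. It skips domains that already have a certificate, so it can be re-run each time the DNS sinkhole list changes.

```shell
#!/bin/sh
# Added example (not from the thread): pre-generate one leaf certificate per
# sinkholed domain, signed by a local CA, skipping domains already issued so
# the script can be re-run whenever the DNS sinkhole list is updated.
# Assumes openssl is installed. Function names and the CA_DIR/OUT_DIR layout
# are this example's own choices, not anything from Squid or the list.
set -eu

# Create the private CA once (key + self-signed cert) if it is not there yet.
# $1 = directory that will hold ca.key and ca.crt
sinkhole_ca_init() {
    ca_dir=$1
    mkdir -p "$ca_dir"
    [ -f "$ca_dir/ca.crt" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Sinkhole CA" \
        -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.crt" >/dev/null 2>&1
}

# Issue a leaf cert for every domain in the list that does not have one yet.
# $1 = CA dir, $2 = file with one domain per line, $3 = output directory
# Prints the number of newly issued certificates.
sinkhole_certs_update() {
    ca_dir=$1; list=$2; out_dir=$3
    mkdir -p "$out_dir"
    issued=0
    while IFS= read -r domain || [ -n "$domain" ]; do
        # skip blank lines and comments in the sinkhole list
        case "$domain" in ''|'#'*) continue ;; esac
        [ -f "$out_dir/$domain.crt" ] && continue
        ext="$out_dir/$domain.ext"
        # modern clients match the SAN, not the CN, so it must be present
        printf 'subjectAltName=DNS:%s\n' "$domain" > "$ext"
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$domain" \
            -keyout "$out_dir/$domain.key" -out "$out_dir/$domain.csr" >/dev/null 2>&1
        openssl x509 -req -in "$out_dir/$domain.csr" -days 825 \
            -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial \
            -extfile "$ext" -out "$out_dir/$domain.crt" >/dev/null 2>&1
        rm -f "$ext" "$out_dir/$domain.csr"
        issued=$((issued + 1))
    done < "$list"
    echo "$issued"
}

# Check that a leaf cert chains to the sinkhole CA (exit status 0 on success).
# $1 = CA dir, $2 = certificate file
sinkhole_cert_verify() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}
```

Clients still need the sinkhole CA certificate in their trust store, exactly as they would for Squid's own bump CA.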

