[squid-users] Questions around https transparent chained proxy

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 18 06:29:00 UTC 2019


On 18/02/19 5:04 pm, Walid A. Shaari wrote:
> Thank you again, Amos,
> 
> On Sat, 16 Feb 2019 at 17:09, Amos Jeffries wrote:
>>
>> On 16/02/19 9:18 pm, Walid A. Shaari wrote:
>>> Greetings,
>>>
>>> The end goal is enforcing an appliance(s) tls traffic to go through
>>> the corporate proxy, as I understand it (splice, not interested in
>>> decrypting)
> .... ... ...
> ------ partial squid.conf  # is that order ok----
> never_direct allow all
> ssl_bump peek all     # or should I just peek at step1
> ssl_bump splice  all

Performing a peek at step 2 requires the destination server (or peer)
connection to be using TLS/SSL.  Since you want traffic to go through a
peer without TLS/SSL, you will likely need to splice at step 2.

So, to the question on the peek line: yes, you probably should.


> ssl_bump none all
> 

"none" action is from an old deprecated SSL-Bump design. It only has
meaning at step 1 and is equivalent to "splice" in that step.

At best it will be ignored, at worst will cause unpredictable splice or
bump operations on a per-transaction basis.

Given the environment you described earlier I suggest "terminate all" as
the fallback action if splice turns out not to be possible.



> cache_peer  upstream-proxy parent 8118 0 no-query no-digest only-proxy

Ah, apologies, I thought you had just typo'd the question earlier.

The option name is actually "proxy-only".


> http_port 8080    intercept # transparent http

NP: the comment on the line above is slightly confusing.

"intercept" is for NAT interception.

"Transparent HTTP" is an entirely different thing. Which Squid does
regardless of what settings you use.


> https_port 8090 intercept ssl-bump generate-host-certificates=off
> cert=/etc/squid/ssl_certs/myCA.pem
> cafile=/etc/pki/ca-trust/source/anchors/ca.crt
> http_port 8100    #forward port
> ---- end of partial conf
> 
> Question: what if I use 'ssl_bump none all' instead of 'ssl_bump
> splice all'? Wouldn't I get rid of any client configuration while, at
> the same time, HTTPS traffic passes through to the parent proxy?

It will have no effect beyond possibly throwing up warnings in your
cache.log when mixed with peek action.


Amos
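The partial squid.conf from the thread, rewritten with the corrections discussed above (peek only at step 1, splice at step 2, "terminate" as the fallback instead of the deprecated "none", and "proxy-only" spelled correctly). This is an added example, not configuration from the original poster or from the Squid project; the hostname upstream-proxy, the port numbers and the certificate paths are carried over from the quoted config and are assumptions, not recommendations. The `acl ... at_step` lines are the standard Squid ACLs that distinguish the SSL-Bump steps.

```conf
# --- corrected partial squid.conf (added example, assumed values) ---

# Send everything to the parent proxy; never contact origin servers directly.
never_direct allow all

# Plain-HTTP parent on port 8118 (hostname and port are assumptions).
# Note "proxy-only", not "only-proxy": objects fetched via this peer are
# not stored in the local cache.
cache_peer upstream-proxy parent 8118 0 no-query no-digest proxy-only

# SSL-Bump step ACLs.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Step 1: peek at the TLS ClientHello to learn the SNI / destination.
ssl_bump peek step1
# Step 2: splice, because the peer connection is plain HTTP (CONNECT
# tunnel), so a step-2 peek at the server certificate is not possible.
ssl_bump splice step2
# Fallback: if splicing is not possible, drop the connection rather than
# silently bumping it.  Replaces the deprecated "ssl_bump none all".
ssl_bump terminate all

# NAT-intercepted plain HTTP.
http_port 8080 intercept

# NAT-intercepted HTTPS; no per-host certificate generation is needed when
# traffic is only spliced.  Paths are assumptions from the quoted config.
https_port 8090 intercept ssl-bump generate-host-certificates=off \
    cert=/etc/squid/ssl_certs/myCA.pem \
    cafile=/etc/pki/ca-trust/source/anchors/ca.crt

# Explicit (forward) proxy port for clients that are configured manually.
http_port 8100
```

Before reloading, run `squid -k parse` and watch cache.log: that is where Squid reports a misspelled cache_peer option or a deprecated ssl_bump action, and where the warnings mentioned above would appear if "none" were left in alongside "peek".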

