[squid-users] SslBump Not working for transparent proxy

Joseph Jones the.tuxster at gmail.com
Fri Mar 1 13:33:03 UTC 2019


I've been trying to get SslBump work for whitelist purposes and so far have
been failing.

It's my understanding in order for SslBump to do whitelist it will need to
do a splice at step2 or step3.

Looking at my logs I see step1 matching but I never see step2. I believe
it's because of what I found in the docs.

> Rules with actions that are impossible at the current step are ignored.

What I believe I'm failing to understand is the order the SslBump steps are
happening in and when I can actually use the whitelist ACL to compare against the
SNI provided.

Watching the logs, I see the http_access requests happen in the order they
appear in the file, but SslBump step1 seems to happen before any
http_access.

Since I never see step2 happen in my logs, I'm not sure where it happens.
Ultimately the request is rejected because of my final deny all at line 57.

I've also observed that using a non-transparent proxy, SSL and non-SSL
requests get evaluated at line 48, which is where I allow from my whitelist
and localnet. This seems to make sense. So the only thing I need to
understand, I believe, is the SslBump steps and the order things happen in.

Is the final deny I have wrong? Or is my ssl_bump simply wrong?

You'll notice in my config I've commented a bunch of http_access out. I was
hoping if I made the file simpler it would be easier to troubleshoot. I
intend to put them back when I figure out my problem.

cache.log: https://pastebin.com/uZVn6f4Q
squid.conf: https://pastebin.com/D49H5rYS
squid -k parse: https://pastebin.com/F0U2SvUm

-- 
Joseph M Jones
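An added example (not the poster's configuration and not taken from the Squid project) of the pattern the post describes: peek at step1, splice whitelisted servers at step2, and refuse the rest on an intercepting proxy. The port, certificate path, whitelist file path and network range are placeholders. At SslBump1 Squid only has the destination IP and port of the intercepted TCP connection (the fake CONNECT it builds from it); the SNI is available in ssl::server_name only after peek has read the ClientHello, so a whitelist of server names can match at step2 but not at step1. If http_access denies that fake CONNECT at step1, step2 is never reached, which is why the step1 http_access decision has to pass on the client address alone.

```conf
# Added example squid.conf fragment; placeholders, not a real deployment.

# Intercepted HTTPS (port and certificate path are placeholders).
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl/squid.pem

acl localnet  src 192.168.0.0/16                           # constructed sample range
acl step1     at_step SslBump1
acl step2     at_step SslBump2
acl whitelist ssl::server_name "/etc/squid/whitelist.txt"  # placeholder path,
                                                           # one name per line

# http_access is evaluated against the fake CONNECT at step1 (IP only) and
# again at step2 (with the SNI). Let the local network through here so that
# step1 is not denied before the SNI has even been seen.
http_access allow localnet
http_access deny all

# Step1: peek to read the ClientHello and learn the SNI without bumping.
ssl_bump peek step1
# Step2 onward: ssl::server_name now carries the SNI. Splice whitelisted
# servers (their TLS passes through untouched) and terminate everything else.
ssl_bump splice whitelist
ssl_bump terminate all
```

Run `squid -k parse` after editing, and check cache.log with debug_options set for section 83 (the SslBump ACL checks) to confirm that step2 is now logged for whitelisted names.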

