[squid-users] Sslbump Not working for transparent proxy

Joseph Jones the.tuxster at gmail.com
Fri Mar 1 19:54:29 UTC 2019


I've been trying to get SslBump to work for whitelist purposes and so far
have been failing.

It's my understanding in order for SslBump to do whitelist it will
need to do a splice at step2 or step3.

Looking at my logs I see step1 matching but I never see step2. I
believe it's because of what I found in the docs.

> Rules with actions that are impossible at the current step are ignored.

What I believe I'm failing to understand is the order SslBump
steps are happening and when I can actually use the whitelist acl to
compare to the SNI provided.

Watching the logs I see the http_access requests happen in the order
they appear in the file, but SslBump step1 seems to happen before any
http_access.

Since I never see step2 happen in my logs I'm not sure where it
happens. Ultimately the request is rejected because of my final deny
all at line 57.

I've also observed that using a non-transparent proxy, SSL and non-SSL
requests get evaluated at line 48, which is where I allow from my
whitelist and localnet. This seems to make sense. So the only thing I
need to understand I believe is the SSLbump steps.

Is the final deny I have wrong? Or is my ssl_bump simply wrong? When
does the first step happen?

You'll notice in my config I've commented a bunch of http_access out.
I was hoping if I made the file simpler it would be easier to
troubleshoot. I intend to put them back when I figure out my problem.

cache.log: https://pastebin.com/uZVn6f4Q
squid.conf: https://pastebin.com/D49H5rYS
squid -k parse: https://pastebin.com/F0U2SvUm

-- 
Joseph M Jones
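
An added example, not part of the original post or the poster's configuration: a minimal squid.conf fragment showing the peek-then-splice rule ordering that an SNI whitelist depends on. The ACL names `step1` and `allowed_sni` and the domain `.example.com` are assumptions chosen for illustration.

```conf
# Added example fragment (assumed names; not the poster's squid.conf).

# True only while Squid is at the first SslBump step, where it has
# TCP-level information but has not yet read the TLS ClientHello.
acl step1 at_step SslBump1

# Whitelist matched against the TLS SNI once it is known.
# .example.com is a constructed sample domain.
acl allowed_sni ssl::server_name .example.com

# ssl_bump rules are checked top to bottom at every step; the first
# matching rule whose action is possible at that step wins.

# Step 1: peek, so Squid reads the ClientHello and learns the SNI.
# Without a peek (or stare) here, processing never reaches step 2.
ssl_bump peek step1

# Step 2: the SNI is available. Splice whitelisted names, passing the
# TLS session through without decrypting it.
ssl_bump splice allowed_sni

# Everything else: close the connection.
ssl_bump terminate all
```

Running `squid -k parse` after editing reports syntax errors in these rules before the proxy is reloaded.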

