[squid-users] Header Detection Post SSL Bump in Squid 4.10

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 16 06:02:34 UTC 2020


On 16/04/20 5:15 pm, shubham jain wrote:
> Hi,
> 
> *Context*:
> I want to use Squid as a forward proxy, where I want to
> 1) send all the Image requests directly, presumably using request header
> 'accept'
> 2) send all other requests through a cache peer Proxy service
> 
> The req_header directive is working fine for HTTP Requests, but not for
> HTTPS.
> 
> I've done the setup for SSL Bump in here and that's giving decrypted
> HTTPS requests in the access.log as well.
> 
> *Issue:*
> The req_header directive is not working on the decrypted HTTPS requests.
> 
> *Squid.conf*
> 
> # SSL Bump Port
> http_port 127.0.0.1:3128 ssl-bump
> cert=/usr/local/etc/cert/example.com.cert
> key=/usr/local/etc/cert/example.com.private
> generate-host-certificates=on version=1 options=SINGLE_DH_USE  
> 
> # SSL Bump Config
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> 
> acl imageIsBlocked req_header accept -i image
> 
> ssl_bump terminate imageIsBlocked    # terminate is just for testing, to be replaced by splice
> ssl_bump bump all


Do the CONNECT tunnels' Accept headers contain "image"?

ssl_bump decides what to do during the TLS handshake process. For your
setup that is only the CONNECT requests.

Once decrypted, HTTPS is just HTTP with https:// URL schemes. It is
controlled by http_access and does not pass through ssl_bump rules again.


Amos
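
The split described in the reply above, sketched as a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the peer host `parent.example.net`, its port, the name `upstream` and the ACL name `imageReq` are placeholders, and the http_port line from the question is assumed unchanged.

```conf
# --- TLS handshake stage -------------------------------------------------
# ssl_bump rules are evaluated while the tunnel is being set up. Only the
# CONNECT request and TLS handshake details exist at that point, so an ACL
# on the inner request's Accept header cannot match here.
#
# Rule from the question, kept for comparison (tested against the CONNECT
# request, not the decrypted GET):
#   ssl_bump terminate imageIsBlocked
ssl_bump bump all

# --- Decrypted request stage ---------------------------------------------
# Each request inside the bumped tunnel is then processed like plain HTTP,
# so req_header is evaluated against its real headers.
acl imageReq req_header Accept -i image

# Test equivalent of the "terminate" rule above. Place it before the
# http_access rule that allows the client, then remove it after testing.
#   http_access deny imageReq

# Placeholder parent proxy for everything that is not an image request.
cache_peer parent.example.net parent 3128 0 no-query default name=upstream

# Image requests leave directly; always_direct is consulted before
# never_direct, so the final rule does not override it.
always_direct allow imageReq
cache_peer_access upstream deny imageReq
cache_peer_access upstream allow all
never_direct allow all

# Assumption to verify: whether bumped HTTPS requests can be relayed through
# a cache_peer at all depends on the Squid version. Check the release notes
# for the version in use before relying on the peer path.
```

Confirm the result in access.log: image requests inside a bumped connection should show a direct hierarchy code, while other requests show the parent.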

