[squid-users] Using a Baltimore root certificate in transparent ssl proxying
Lei Wen
leiwen14 at gmail.com
Mon Apr 27 21:44:41 UTC 2020
Hi,
We were able to set up Squid in a host-to-container infrastructure.
That is, Squid is installed on the host, proxying traffic from the
container on the same host, as a transparent proxy including SSL traffic.
Another feature we enabled is request_header_access and
request_header_replace, to spoof and modify the token in HTTP headers sent
to the target dstdomain.
The issue we are having right now is that the certificate installed on the
container is a self-signed cert; we were trying to migrate this cert to a
real trusted CA cert, or a Baltimore root cert.
The issue seems to be in the subject name of the cert. In the self-signed
cert, I simply left everything blank. With the Baltimore root cert (squid.key
and squid.crt in the squid.conf example below, requested through a Microsoft
internal service, and it is Baltimore root), even if I use the dstdomain as
the subject name (abc.microsoft.com in the squid.conf example below), I am
still getting a "server certificate verification failed" error in curl.
Is there anything I am missing, or is it simply not supported? In my
understanding, it should be no different from Squid as the root CA signer
with a self-signed cert?
P.S. I do notice that it is illegal for a trusted CA to issue an official
cert to Squid because Squid itself is a man-in-the-middle, so can Squid only
accept a self-signed cert with Squid as the root CA? I tried to search the
email archive but had no luck.
I have the following squid.conf:
# Drop the client's Authorization header for the target domain and replace
# it with a fixed Basic credential (the value after "Basic" must be base64).
acl abc dstdomain .abc.microsoft.com
request_header_access Authorization deny abc
request_header_replace Authorization Basic whateverYourTokeisButForBasicItHasToBeBase64Encoded
request_header_access All allow all

# Intercepted HTTPS port. squid.crt/squid.key is the signer that
# generate-host-certificates uses for the per-site certificates handed to clients.
https_port 3129 cert=/etc/squid3/squid.crt key=/etc/squid3/squid.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl SSL_port port 443
http_access allow SSL_port

acl allowed_https_sites ssl::server_name "/etc/squid3/ssl_sites.txt"

# The first matching ssl_bump rule decides the action at each step. This legacy
# server-first rule matches everything at step 1, so the peek/splice rules
# below are never consulted.
ssl_bump server-first all
always_direct allow all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
Thanks,
Lei