[squid-users] Squid 4.4 https_port and ssl-bump : Fatal bungled line

ben benml ben.maling42 at gmail.com
Tue Jun 2 10:02:45 UTC 2020


Hello,

Thank you for your answer. And sorry for my late reply... busy with multiple
things... you know how it is ;)

I totally agree that using https is the best way to secure the
authentication.

But in case ssl-bump is mandatory, what would be the best (or the least
bad) options to secure authentication (or at least the most secure
authentication possible)?

Thank you in advance.

Regards,



On Wed, May 27, 2020 at 02:08, Ronan Lucio <ronanlucio at gmail.com> wrote:

> Hi Ben,
>
> I made it work just using https_port (without ssl-bump).
>
> I think it's a good way to secure squid authentication.
> You can also use some tool (like certbot) to generate and
> automatically renew certificates, so you can work with a short period
> expiration time.
>
> Hope that helps,
> Ronan
>
> On Tue, May 26, 2020 at 12:10 AM ben benml <ben.maling42 at gmail.com> wrote:
> >
> > Hello,
> >
> > Thank you for your prompt and precise answer.
> >
> > Well, I'll permit myself another question, sorry. If you have an opinion
> > about securing the authentication without https_port:
> > With a FreeIPA central users directory, what could be the best way to
> > secure/protect the authentication process, the login/password?
> > Or more generally, what could be the best options to secure the
> > login/password with only the http_port? So no directly encrypted traffic.
> >
> > I was assuming an https connection could secure the authentication process
> > ... but if ssl-bump is really wanted, then I need other options to secure
> > the login/password.
> >
> > Do you see my point / what I'm trying to talk about?
> >
> > Thank you in advance.
> >
> > Regards,
> >
> >
> > On Mon, May 25, 2020 at 12:26, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> >>
> >> On 25/05/20 9:59 pm, ben benml wrote:
> >> > Hello,
> >> >
> >> > I'm contacting you for some help.
> >> > I need to deploy a secure proxy based on Squid.
> >> >
> >> > I try to use https_port combined with sslbump. I get an error message
> >> > about a bungled line.
> >> >
> >> > The reasons I want to do this:
> >> > - secure connection between the client browser and the proxy server,
> >> > so using https_port to do it. Encrypted traffic in TLS between the
> >> > client and the server.
> >>
> >> Fine. Simply using https_port does that.
> >>
> >> > - secure login connection. So I need to use https_port to do this.
> >>
> >> Fine. Simply using https_port does that.
> >>
> >> > - Do ssl inspection of the traffic going through the proxy
> >>
> >> Squid does not yet support SSL-Bump decrypt of traffic already being
> >> decrypted for the secure proxy.
> >>
> >>
> >> Please see
> >> <http://lists.squid-cache.org/pipermail/squid-users/2020-May/022120.html>
> >> if you want details.
> >>
> >> Amos
> >> _______________________________________________
> >> squid-users mailing list
> >> squid-users at lists.squid-cache.org
> >> http://lists.squid-cache.org/listinfo/squid-users