[squid-users] squid 4.10: ssl-bump on https_port requires tproxy/intercept which is missing in secure proxy method

Alex Rousskov rousskov at measurement-factory.com
Tue May 19 14:38:29 UTC 2020


On 5/19/20 7:15 AM, Amos Jeffries wrote:
> On 18/05/20 10:15 am, David Touzeau wrote:
>>
>> Hi we want to use squid as * * * Secure Proxy * * * using https_port
>> We have tested major browsers and it seems working good.
>>
>> To make it work, we need to deploy the proxy certificate on all browsers
>> to make the secure connection running.
>>
>> In this case, squid forwards requests without decrypting them, because
>> ssl-bump is not added.
>>
>> But Adding the ssl-bump in https_port is not permitted :
>>
>> "sl-bump on https_port requires tproxy/intercept which is missing"
>>
>> Why is bumping not allowed?
>>
> 
> Because origin server and explicit proxy traffic are mutually exclusive
> syntax at the HTTP level, and use different types of SSL certificate at
> the TLS level.
> 
> A "Secure proxy" receives explicit-proxy HTTP traffic over TLS. That
> traffic gets decrypted normally on receipt by the https_port, using a
> proxy server certificate.
> 
> SSL-Bump auto-generates a server certificate to decrypt with, and
> expects origin form HTTP syntax once decrypted.
> 
> 
> HTTPS traffic as we know it (CONNECT tunnels to port 443) might still be
> sent to a secure proxy. In which case there are two layers of encryption
> nested inside each other. Decrypting the interior layer of that is not yet
> supported by Squid.


David,

    Just to avoid misunderstanding: The answer to your question is in
the last sentence of the last paragraph by Amos -- Squid lacks the code
that is necessary to do what you want. There are no fundamental reasons
it cannot be done. There have been a few requests for TLS-inside-TLS
support, but I am not aware of any actual sponsors or features on the
road map. It is a complicated project, even though each of its two
components already works today.


Cheers,

Alex.
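The two roles Amos contrasts above, as an added squid.conf example (not from the thread or from the Squid project); ports, certificate paths and the certgen paths are placeholders:

```conf
# Added example, not from the thread: squid.conf fragment showing the two
# https_port roles discussed above. Ports and file paths are placeholders.

# 1. Secure (explicit) proxy: browsers open TLS to the proxy itself and send
#    proxy-form requests inside it. The port is terminated with the proxy's
#    own server certificate; nothing origin-bound is decrypted here. CONNECT
#    tunnels arriving on this port are relayed as opaque byte streams.
https_port 3129 tls-cert=/etc/squid/proxy-cert.pem tls-key=/etc/squid/proxy-key.pem

# 2. Interception with SSL-Bump: clients believe they are talking to the
#    origin, so Squid mints a per-origin server certificate signed by a local
#    CA that the clients must already trust. This is the only place ssl-bump
#    is accepted on https_port in Squid 4.
https_port 3130 intercept ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem tls-key=/etc/squid/bump-ca-key.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# 3. What the original poster asked for, i.e. bumping the inner TLS of CONNECT
#    tunnels that arrive over the secure-proxy port, is rejected at startup:
#
#    https_port 3129 ssl-bump tls-cert=/etc/squid/proxy-cert.pem ...
#      -> "ssl-bump on https_port requires tproxy/intercept which is missing"
#
#    With configuration 1 alone, the inner layer (TLS inside TLS) stays
#    encrypted end to end; Squid only sees the CONNECT target host:port.
```

The practical consequence for a secure-proxy deployment is that policy can only be applied to the CONNECT target and the outer proxy session, not to the request inside the tunnel.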
