[squid-users] sslbump https intercepted or tproxy

Vieri rentorbuy at yahoo.com
Mon Oct 19 15:39:05 UTC 2020


Hi,

It's unclear to me if I can use TPROXY for HTTPS traffic.

If I divert traffic and use tproxy in the Linux kernel and then set this in squid:

https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem

it seems to be working fine, just as if I were to REDIRECT https traffic and then use this in Squid:

https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem

So, does anyone know if it's not recommended / not supported to use tproxy with https traffic?
I'm asking because I don't see any issues with tproxy, with the added advantage of being able to route on the gateway per source IP addr. (in intercepted mode, the source is always Squid).

Are there any reasons for which one would not use TPROXY with HTTPS?

Vieri

