[squid-users] Configuring SSL Bump on CONNECT, but no SSL Bump on Transparent

Graham Wharton graham at gwharton.me.uk
Sat Sep 4 11:47:33 UTC 2021


My apologies, that config snippet was not correct.

Besides I've managed to configure it using localport acl's to detect which port the request came in on and bump accordingly. Not sure if this is the best way.

Thanks for listening.

For info for anyone else interested

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl connectport localport 3128
http_port 10.0.0.36:3129 intercept
https_port 10.0.0.36:3130 intercept ssl-bump \
        cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 10.0.0.36:3128 ssl-bump \
        cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
http_access allow localnet
http_access allow localhost
http_access deny all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump bump connectport
ssl_bump peek all
ssl_bump splice all

Cheers

Graham


From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Graham Wharton
Sent: 04 September 2021 11:44
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Configuring SSL Bump on CONNECT, but no SSL Bump on Transparent

Hi all,

Squid 3.5.20

I am attempting to configure the following

Port 3128 = Accepts CONNECT requests with SSL Bump for all sites
Port 3129 = HTTP port for transparent proxy
Port 3130 = HTTPS port for transparent proxy - NO SSL Bump, all sites should always TUNNEL

Is the above config possible?

The relevant sections of my config are

#TANSPARENT
http_port 10.0.0.36:3129
https_port 10.0.0.36:3130

#CONNECT
http_port 10.0.0.36:3128 ssl-bump \
        cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

#Permissions
http_access allow localnet
http_access allow localhost
http_access deny all

##Steps
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

#Bump Rules
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all

All appears to work correctly, apart from transparent connections for HTTPS. These are getting bumped.

According to the logs

2021/09/04 10:38:54.129 kid1| 5,2| TcpAcceptor.cc(218) doAccept: New connection on FD 30
2021/09/04 10:38:54.129 kid1| 5,2| TcpAcceptor.cc(293) acceptNext: connection on local=10.0.0.36:3130 remote=[::] FD 30 flags=41
2021/09/04 10:38:54.129 kid1| 33,2| client_side.cc(3920) httpsSslBumpAccessCheckDone: sslBump needed for local=142.250.187.196:443 remote=10.0.1.254:51928 FD 12 flags=33 method 3

Looking at the code, it would appear that because the destination is ALLOWED for the ssl_bump acl, the connection is automatically upgraded to ssl_bump by the httpsSslBumpAccessCheckDone function. But this isn't what I want. I want ssl_bump to be completely disabled on my transparent proxy, I only wan to bump connections for connections that have explicitly set their proxy.

Any suggestions on how to overcome this, apart from running two copies of squid.

Thanks in advance

Graham Wharton


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210904/c759e527/attachment-0001.htm>


More information about the squid-users mailing list