[squid-users] Squid ssl_bump splice configuration

Ben Goz ben.goz87 at gmail.com
Mon Aug 28 10:54:51 UTC 2023


ב"ה

I'm using squid version:
nativ at arachimprodsrv3:/usr/local/squid/etc$ /usr/local/squid/sbin/squid -v
Squid Cache: Version 6.1-VCS
Service Name: squid

This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:
 '--with-large-files' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'
'--enable-icap-client' '--enable-linux-netfilter' '--disable-ident-lookups'

Configured with ssl_bump and tproxy:
http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 tproxy
https_port 0.0.0.0:3130 tproxy ssl-bump \
  cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
options=ALL,NO_SSLv3 sslflags=NO_DEFAULT_CA

And the following configurations:
acl NoSSLInterceptRegexp_always ssl::server_name "splice.list"
always_direct allow all
on_unsupported_protocol tunnel
acl DiscoverSNIHost at_step SslBump1
ssl_bump splice NoSSLInterceptRegexp_always
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

the content of the file splice.list:
.prog.co.il
prog.co.il
www.prog.co.il
.shipuzim.info

The tproxy redirections works fine with squid server but unfortunately the
urls in splice.list bumped although they should be spliced as seen in the
access log:

1693219853.255    626 192.168.28.254 TCP_MISS/200 64439 GET
https://www.prog.co.il/ - HIER_DIRECT/172.67.196.36 text/html

And I see in the browser's certificate viewer my squid self signed
certificate.

What am I missing here?

Thanks,
Ben
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20230828/f35905fa/attachment.htm>


More information about the squid-users mailing list