[squid-users] Certificate error using squid with tproxy configuration
Alex Rousskov
rousskov at measurement-factory.com
Thu Jun 15 14:39:29 UTC 2023
On 6/15/23 09:27, Ben Goz wrote:
> The https interception guide in this link:
> https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#squid-configuration-file
>
> is misleading
I agree. That page should not use the word "intercept" when talking
about HTTP CONNECT inspection and bumping -- CONNECT requests are not
(normally) intercepted. Pull requests improving documentation welcome!
> as it uses http_port for ssl-bump and not https_port.
Both directives support SslBump, but each works with a different kind of
traffic.
Alex.
> On Thu, 15 Jun 2023 at 16:08, Alex Rousskov
> <rousskov at measurement-factory.com> wrote:
>
> On 6/15/23 07:31, Ben Goz wrote:
>
> > the tproxy configuration works perfectly using http without ssl,
> > But using ssl I'm getting in browser ssl error
> > "ERR_SSL_PROTOCOL_ERROR"
>
>
> > http_port 0.0.0.0:3130 tproxy ...
>
> This http_port is for plain text HTTP interception. The configuration
> needs an https_port (note the "s") dedicated to TLS interception
> instead.
>
>
> > TPROXY tcp -- anywhere anywhere tcp dpt:https TPROXY redirect 0.0.0.0:3130 mark 0x1/0x1
>
> The above rule should redirect traffic to that https_port.
>
>
> HTH,
>
> Alex.
>
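The mismatch discussed in this thread can be caught mechanically. The following Python check is an added example, not code from Squid or from either poster: it cross-references TPROXY rules in `iptables-save` format against `squid.conf` and reports port-443 redirects that land on an `http_port` instead of an `https_port`. The sample configurations, port 3129 and the certificate path are constructed for illustration.

```python
import re

# Which Squid directive should receive traffic for each destination port.
EXPECTED = {80: "http_port", 443: "https_port"}
RULE = re.compile(r"--dport\s+(\d+)\b.*-j\s+TPROXY\b.*--on-port\s+(\d+)")

def squid_tproxy_ports(conf_text):
    """Map listening port -> directive name for tproxy-mode listeners."""
    ports = {}
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] in EXPECTED.values() and "tproxy" in tok[2:]:
            ports[int(tok[1].rsplit(":", 1)[-1])] = tok[0]  # accepts addr:port
    return ports

def check(conf_text, rules_text):
    """Return (dport, on_port, found_directive, wanted_directive) mismatches."""
    ports = squid_tproxy_ports(conf_text)
    findings = []
    for rule in rules_text.splitlines():
        m = RULE.search(rule)
        if not m or int(m.group(1)) not in EXPECTED:
            continue
        dport, on_port = int(m.group(1)), int(m.group(2))
        if ports.get(on_port) != EXPECTED[dport]:
            findings.append((dport, on_port, ports.get(on_port), EXPECTED[dport]))
    return findings

# Constructed sample: the setup reported in the thread (TLS sent to an http_port).
BROKEN_CONF = "http_port 0.0.0.0:3130 tproxy\n"
BROKEN_RULES = ("-A PREROUTING -p tcp -m tcp --dport 443 -j TPROXY "
                "--on-port 3130 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1\n")

# Constructed sample: a dedicated https_port for intercepted TLS.
FIXED_CONF = ("http_port 3129 tproxy\n"
              "https_port 3130 tproxy ssl-bump tls-cert=/etc/squid/bump-ca.pem\n")
FIXED_RULES = ("-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY "
               "--on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1\n"
               + BROKEN_RULES)

if __name__ == "__main__":
    for name, conf, rules in (("broken", BROKEN_CONF, BROKEN_RULES),
                              ("fixed", FIXED_CONF, FIXED_RULES)):
        print(name, check(conf, rules) or "ok")
```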