[squid-users] Intercepted connections are not bumped

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 27 10:11:04 UTC 2023


On 23/11/23 23:05, Andrea Venturoli wrote:
> Hello.
> 
> I've got the following config:
> 
>> ...
>> http_port 8080 ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> ...
>> acl step1 at_step SslBump1
>> ssl_bump splice !bumphosts
>> ssl_bump splice splicedom
>> ssl_bump peek step1
>> ssl_bump bump all
>> ...
> 
> So I've got port 8080, where proxy-aware clients connect, and 3129, which 
> is fed intercepted https connections by ipfw.
> 
> Problem is: if a client connects explicitly via proxy (port 8080) it 
> gets SSLBumped; if a client simply connects to its destination https 
> port (so directed to 3129) it is tunneled.
> 
> Anything wrong in my config?


FYI, Intercepted traffic first gets interpreted as a CONNECT tunnel to 
the TCP dst-IP:port and processed by http_access to see if the client is 
allowed to make that type of connection.

To guess based on the info provided above, I suspect that the 
fake-CONNECT raw-IP does not match your "bumphosts" ACL test, causing 
that "ssl_bump splice !bumphosts" to occur.

That behaviour is why we typically recommend doing "peek" first, then 
the splice checks can be based on whatever TLS SNI value is found.


For further assistance please also show your http_access and ACL config 
lines. They will be needed for a better analysis of what is going on.




> I think it worked in the past: has anything changed in this regard with 
> Squid 6?


Changed since what version? Over time a lot of small changes can add up 
to large differences.


HTH
Amos
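
The reordering Amos describes, written out as an added squid.conf example (this is not config from the original thread; the "bumphosts" and "splicedom" ACL names are Andrea's, but their definitions were never posted, so the ssl::server_name lines below are assumptions). The point is that on an intercepted connection the only information available at SslBump1 is the fake-CONNECT raw dst-IP:port, so any domain-based decision taken there fails to match; peek first, then decide at SslBump2 once the ClientHello has been parsed and the SNI is known:

```conf
# Added example, not from the original squid-users thread.
# Assumption: bumphosts/splicedom are domain lists; their real definitions
# were not posted. ssl::server_name matches the TLS SNI once a peek has
# parsed the ClientHello (at step 1 of an intercepted connection it only
# carries the raw destination IP from the fake CONNECT).
acl step1 at_step SslBump1
acl step2 at_step SslBump2

acl bumphosts ssl::server_name .example.com          # assumed
acl splicedom ssl::server_name .bank.example         # assumed

# Step 1: only the raw dst-IP:port is known for intercepted traffic,
# so do not splice or bump yet; just peek to obtain the SNI.
ssl_bump peek step1

# Step 2: the SNI is now available, so the domain-based decisions work
# for both the explicit (8080) and the intercepted (3129) ports.
ssl_bump splice splicedom
ssl_bump splice !bumphosts
ssl_bump bump all
```

Compared with the posted config, the two "ssl_bump splice ..." lines have simply moved below the "peek step1" line. With the original order the first rule is evaluated at step 1, where an intercepted connection looks like CONNECT to an IP address, "bumphosts" does not match, and the connection is spliced before the SNI is ever seen. The fake CONNECT still has to pass http_access as well, which is why the http_access lines are needed for a complete diagnosis.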

