[squid-users] Adding an extra header to TLS connection

Jonathan Lee jonathanlee571 at gmail.com
Thu May 23 16:59:25 UTC 2024


I do use SSL bump. Again, it requires certificates installed on the devices, and/or some and a splice for the others. You must also add a URL list for items that must never be intercepted, like banks etc. I agree it is not an easy task; it took me years to get it to work correctly for what I needed. When it does work it works beautifully: you can cache updates and reuse them, and you can use ClamAV on HTTPS traffic. It's not for everyone; it will make you a wizard level 1000 if you can get it going.

> On May 23, 2024, at 08:49, Alex Rousskov <rousskov at measurement-factory.com> wrote:
> 
> On 2024-05-22 03:49, Robin Wood wrote:
> 
>> I'm trying to work out how to add an extra header to a TLS connection.
> 
> I assume that you want to add a header field to an HTTP request or response that is being transmitted inside a TLS connection between a TLS client (e.g., a user browser) and an HTTPS origin server.
> 
> Do you control the client that originates that TLS connection (or its OS/environment) or the origin server? If you do not, then what you want is impossible -- TLS encryption exists, in part, to prevent such traffic modifications.
> 
> If you control the client that originates that TLS connection (or its OS/environment), then you may be able to, in _some_ cases, add that header by configuring the client (or its OS/environment) to trust you as a Certificate Authority, minting your own X509 certificates, and configuring Squid to perform a "man in the middle" attack on client-server traffic, using your minted certificates. You can search for Squid SslBump to get more information about this feature, but the area is full of insurmountable difficulties and misleading advice. Avoid it if at all possible!
> 
> 
> HTH,
> 
> Alex.
> 
> 
>> I've found information on how to do it on what I think is the pre-3.5 release, but I can't find any useful information on doing it on the current version.
>> Could someone give me an example or point me at some documentation on how to do it?
>> Thanks
>> Robin
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
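A squid.conf sketch of the setup discussed in this thread: bump most TLS traffic, splice a never-intercept list, and add a header to the requests Squid can see. This is an added example, not configuration posted by anyone in the thread; the port, file paths, list file name and header name/value are placeholders, and clients must already trust the signing CA.

```conf
# Constructed example. All paths, the port and the header are placeholders.

# Listening port with SslBump enabled. The CA certificate and key in the PEM
# file are the ones client devices have been configured to trust.
# (Squid 4 and later use tls-cert=; Squid 3.5 uses cert=.)
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# First SslBump step: only the TLS client hello (and its SNI) has been seen.
acl step1 at_step SslBump1

# Server names that must never be intercepted (banks etc.), one per line,
# for example ".examplebank.test". Matched against SNI / certificate names.
acl no_bump ssl::server_name "/etc/squid/no_bump_domains.txt"

# Order matters: the first matching rule at each step wins.
ssl_bump peek step1        # read the SNI without committing to anything
ssl_bump splice no_bump    # pass listed sites through as an opaque TLS tunnel
ssl_bump bump all          # decrypt everything else with a minted certificate

# Add the extra header to requests Squid forwards. Spliced connections stay
# encrypted end to end, so nothing is added to them.
request_header_add X-Example-Header "example-value" all
```

Validate the file with `squid -k parse` before reloading.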

