[squid-users] Adding an extra header to TLS connection

Robin Wood squid at digi.ninja
Thu May 23 17:06:01 UTC 2024


On Thu, 23 May 2024 at 18:00, Jonathan Lee <jonathanlee571 at gmail.com> wrote:

> I do use SSL bump; again, it requires certificates installed on the devices,
> and/or some and a splice for the others. You must also add a URL list for
> items that must never be intercepted, like banks etc. I agree it is not an
> easy task; it took me years to get it to work correctly for what I needed.
> When it does work, it works beautifully: you can cache updates and reuse
> them, you can use ClamAV on HTTPS traffic. It’s not for everyone; it will
> make you a wizard level 1000 if you can get it going.
>

Jonathan, can you give me an example of it working?

Oddly, you are replying to a message from Alex that I never received.

Alex, in answer to your questions...

I'm doing some testing against a client's site; they require a custom
header to allow my connections through their WAF. I could try to do this
manually with all my tools, but it would be easier to just have Squid do it
for me and then have the tools use Squid as their proxy. I can tell them not
to do cert checking, or I can use my own CA and import it into the system
store; that is not a problem.

I've tried searching for Squid and SslBump and not found anything useful
that works with the current version; that is why I'm asking here. I was
hoping someone could point me at an example that would definitely work with
the current version of Squid.

Robin
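As an added example, not part of this thread and not Squid's own documentation, the following squid.conf shows one way to do what Robin describes: the testing tools use Squid as an explicit proxy, Squid bumps TLS only for the site under test using a locally minted CA that the tools trust, and adds the WAF header on the forwarded request. It assumes Squid 5 or 6 built with OpenSSL, the certificate helper at /usr/lib/squid/security_file_certgen, a CA file at /etc/squid/ca.pem, and placeholder values for the target domain (.target.example) and the header name and value (X-Pentest-Token), all of which must be replaced with the real ones.

```conf
# Added example (not from this thread): minimal Squid 5/6 configuration that
# bumps TLS for one target site and injects a WAF pass-through header.
# Assumptions: Squid built with OpenSSL; helper path below matches your
# install; the CA lives at /etc/squid/ca.pem; domain and header are placeholders.
#
# One-time setup (shell, as root) before starting Squid:
#   openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
#       -extensions v3_ca -subj "/CN=pentest-proxy-ca" \
#       -keyout /etc/squid/ca.pem -out /etc/squid/ca.pem
#   openssl x509 -in /etc/squid/ca.pem -outform DER -out /etc/squid/ca.der
#       (import ca.der into the OS or tool trust store; the .pem also holds the
#        private key, so never distribute that file)
#   /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
#   chown -R proxy:proxy /var/lib/squid/ssl_db   # Debian/Ubuntu squid user
#   squid -k parse                                # syntax-check this file

# Explicit proxy port bound to loopback; tools point at 127.0.0.1:3128.
# tls-cert= is the Squid 5/6 spelling; older guides write cert= for the same option.
http_port 127.0.0.1:3128 ssl-bump tls-cert=/etc/squid/ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host leaf certificates signed by ca.pem on demand.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Site under test (placeholder). server_name matches the SNI once step 1 has
# peeked; dstdomain matches the decrypted request's Host after bumping.
acl target_sni ssl::server_name .target.example
acl to_target  dstdomain        .target.example

# Step 1 sees only the CONNECT; peek so the SNI is available at step 2.
# Then bump the target and splice (pass through untouched) everything else,
# which keeps the man-in-the-middle scope to the one site you are authorised
# to test. To invert it (bump all, exclude a list), put the exclusion acl in
# a "ssl_bump splice <acl>" line before "ssl_bump bump all".
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump target_sni
ssl_bump splice all

# The header the WAF expects (name and value are placeholders). Limiting it to
# the target domain stops the token leaking to unrelated hosts. Squid can only
# add it to requests it forwards itself: plain HTTP and bumped HTTPS, never a
# spliced tunnel.
request_header_add X-Pentest-Token "replace-with-value-from-client" to_target

# Do not cache test traffic; every response should come from the origin.
cache deny all

# Only local tools may use this proxy.
http_access allow localhost
http_access deny all
```

Point the tools at the proxy (for most CLI tools, `HTTPS_PROXY=http://127.0.0.1:3128`) with the CA imported into their trust store; tools that do their own certificate checking independent of the OS store need the CA given to them directly. Because the header is added inside the bumped request, the WAF (or a test endpoint that echoes request headers) is the place to confirm it arrived; the client side never sees it.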


> Sent from my iPhone
>
> > On May 23, 2024, at 08:49, Alex Rousskov <
> rousskov at measurement-factory.com> wrote:
> >
> > On 2024-05-22 03:49, Robin Wood wrote:
> >
> >> I'm trying to work out how to add an extra header to a TLS connection.
> >
> > I assume that you want to add a header field to an HTTP request or
> response that is being transmitted inside a TLS connection between a TLS
> client (e.g., a user browser) and an HTTPS origin server.
> >
> > Do you control the client that originates that TLS connection (or its
> OS/environment) or the origin server? If you do not, then what you want is
> impossible -- TLS encryption exists, in part, to prevent such traffic
> modifications.
> >
> > If you control the client that originates that TLS connection (or its
> OS/environment), then you may be able to, in _some_ cases, add that header
> by configuring the client (or its OS/environment) to trust you as a
> Certificate Authority, minting your own X509 certificates, and configuring
> Squid to perform a "man in the middle" attack on client-server traffic,
> using your minted certificates. You can search for Squid SslBump to get
> more information about this feature, but the area is full of insurmountable
> difficulties and misleading advice. Avoid it if at all possible!
> >
> >
> > HTH,
> >
> > Alex.
> >
> >
> >> I've found information on how to do it on what I think is the pre-3.5
> release, but I can't find any useful information on doing it on the current
> version.
> >> Could someone give me an example or point me at some documentation on
> how to do it.
> >> Thanks
> >> Robin
> >> _______________________________________________
> >> squid-users mailing list
> >> squid-users at lists.squid-cache.org
> >> https://lists.squid-cache.org/listinfo/squid-users
> >