[squid-users] Adding an extra header to TLS connection
Alex Rousskov
rousskov at measurement-factory.com
Thu May 23 18:53:15 UTC 2024
On 2024-05-23 13:06, Robin Wood wrote:
> I've tried searching for Squid and sslbump and not found anything useful
> that works with the current version, that is why I'm asking here, I was
> hoping someone could point me at an example that would definitely work
> with the current version of Squid.
FWIW, most of the basics are covered at
https://wiki.squid-cache.org/Features/SslPeekAndSplice
That page was written for a feature introduced in v3.5, but it is not
specific to that Squid version.
HTH,
Alex.
> > On May 23, 2024, at 08:49, Alex Rousskov wrote:
> >
> > On 2024-05-22 03:49, Robin Wood wrote:
> >
> >> I'm trying to work out how to add an extra header to a TLS
> >> connection.
> >
> > I assume that you want to add a header field to an HTTP request
> > or response that is being transmitted inside a TLS connection
> > between a TLS client (e.g., a user browser) and an HTTPS origin server.
> >
> > Do you control the client that originates that TLS connection (or
> > its OS/environment) or the origin server? If you do not, then what
> > you want is impossible -- TLS encryption exists, in part, to prevent
> > such traffic modifications.
> >
> > If you control the client that originates that TLS connection (or
> > its OS/environment), then you may be able to, in _some_ cases, add
> > that header by configuring the client (or its OS/environment) to
> > trust you as a Certificate Authority, minting your own X509
> > certificates, and configuring Squid to perform a "man in the middle"
> > attack on client-server traffic, using your minted certificates. You
> > can search for Squid SslBump to get more information about this
> > feature, but the area is full of insurmountable difficulties and
> > misleading advice. Avoid it if at all possible!
> >
> >
> > HTH,
> >
> > Alex.
> >
> >
> >> I've found information on how to do it on what I think is the
> >> pre-3.5 release, but I can't find any useful information on doing it
> >> on the current version.
> >> Could someone give me an example or point me at some
> >> documentation on how to do it?
> >> Thanks
> >> Robin
> >> _______________________________________________
> >> squid-users mailing list
> >> squid-users at lists.squid-cache.org
> >> https://lists.squid-cache.org/listinfo/squid-users
>
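
Added example (not part of the original messages and not configuration supplied by either poster): a minimal squid.conf sketch of the SslBump approach described in the quoted reply, for clients that already trust a locally minted CA. The file paths, the CA file, the domain .example.test and the header name and value are assumed placeholders.

```conf
# Added illustration, not taken from the thread. All paths, the CA file,
# the target domain and the header name/value are assumed placeholders.

# Explicit-proxy port that is allowed to bump CONNECT tunnels. The PEM file
# holds the private CA certificate and key that the managed clients have
# been configured to trust.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates signed by that CA. The binary
# location and database path vary by distribution (assumed here). The
# database must be created once beforehand, e.g.:
#   security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB

# Peek at the TLS ClientHello first so the SNI is known, then bump only
# the one site that needs the header and splice (tunnel untouched)
# everything else.
acl step1 at_step SslBump1
acl headerSites ssl::server_name .example.test
ssl_bump peek step1
ssl_bump bump headerSites
ssl_bump splice all

# Add the header to the decrypted requests for that site only.
acl headerDomains dstdomain .example.test
request_header_add X-Example-Header "example-value" headerDomains
```

Clients that pin certificates or ignore the configured trust store will still fail when bumped, which is one reason to keep the bumped set as small as possible and splice the rest.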