On 09/09/2010 02:06 PM, Amos Jeffries wrote:
> On 09/09/10 23:05, Guillaume CHAUVEL wrote:
>>> Hi,
>>>
>>> I want to enable SSL bumping with Squid.
>>> This function is disabled in the Debian version of Squid (Lenny,
>>> Lenny-backports and Squeeze), so I decided to compile Squid from
>>> source.
>>>
>>> Squid version: 3.1.8
>>>
>>> ./configure --prefix=/usr/local/squid \
>>> --enable-inline \
>>> --enable-async-io=8 \
>>> --enable-storeio="ufs,aufs,diskd" \
>>> --enable-removal-policies="lru,heap" \
>>> --enable-delay-pools \
>>> --enable-cache-digests \
>>> --enable-icap-client \
>>> --enable-follow-x-forwarded-for \
>>> --enable-auth="basic,digest,ntlm,negotiate" \
>>>
>> .......
>>>
>>> /usr/local/squid/sbin/squid output:
>>> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile: squid.conf:1155 unrecognized: 'https_port'
>>> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile: squid.conf:1156 unrecognized: 'ssl_bump'
>>> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile: squid.conf:1537 unrecognized: 'ssl_bump'
>>> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile: squid.conf:5625 unrecognized: 'sslproxy_cert_error'
>>> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile: squid.conf:5626 unrecognized: 'sslproxy_flags'
>>>
>>> What am I doing wrong?
>>
>> ./configure --help | grep ssl
>> --enable-ssl            Enable ssl gatewaying support using OpenSSL
>> --with-openssl{=PATH}   Compile with the OpenSSL libraries. The
>> path to the
>>
>> It looks like '--with-ssl' doesn't work, you should use '--enable-ssl'.
>>
>> Also, since 3.1.7 "sslBump" is deprecated, you should move to
>> "ssl-bump":
>> http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_7.html
>> Have a look at ./src/squid.conf.documented line 1045.
>>
>>
>>> http_port 8080
>>> https_port 8443 sslBump cert=/etc/ssl/certs/certificate.pem
>>
>> I am quite new to squid but I don't think this is going to do what you
>> want, judging by your config file without any "cache_peer".
>> https_port, as stated in the documentation, is really only useful when
>> running squid as an accelerator. You should use
>> "http_port 8080 ssl-bump cert=/etc/ssl/certs/certificate.pem" instead
>> and remove https_port.
>
> Yes, https_port is a port for receiving "native" SSL connections.
>
> The ssl-bump feature is for converting CONNECT tunnel requests into
> normal HTTP traffic. CONNECT is a weird kind of
> HTTP-over-SSL-over-HTTP multiple-wrapped request thing. ssl-bump
> strips away the outer two layers of wrapping. It only works with
> browsers etc. which are configured to send their HTTPS via an HTTP proxy.
>
> Amos

It seems to be working now :)
Guillaume, thanks for pointing me to my wrong ./configure option!
Amos, thanks for the explanation.

- Stephan
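The two mistakes in this thread (a binary built without `--enable-ssl`, and a `https_port ... sslBump` line where a bumping forward proxy wants `http_port ... ssl-bump`) can both be caught before squid is started. The POSIX shell script below is an added example, not code from the thread or from the Squid project: it parses "unrecognized" parser lines of the shape quoted above, separates SSL-feature directives from ordinary typos, checks `squid -v` output for `--enable-ssl`, and lints squid.conf lines for the deprecated keyword and the wrong listener type. The list of directives it treats as SSL-only (https_port, ssl_bump, sslproxy_*) is a heuristic chosen for this example, and the sample log and configure-options text are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): repeatable checks
# for the two problems discussed above.
#
# Assumptions: the SSL-only directive list is a heuristic; sample_log() is a
# constructed copy of the parser output quoted in the thread plus one plain
# typo line ('cache_dri') to show the filter telling the two cases apart.
sample_log() {
cat <<'EOF'
2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile: squid.conf:1155 unrecognized: 'https_port'
2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile: squid.conf:1156 unrecognized: 'ssl_bump'
2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile: squid.conf:1537 unrecognized: 'ssl_bump'
2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile: squid.conf:5625 unrecognized: 'sslproxy_cert_error'
2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile: squid.conf:5626 unrecognized: 'sslproxy_flags'
2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile: squid.conf:7000 unrecognized: 'cache_dri'
EOF
}

# stdin: squid parser output. stdout: every unrecognized directive name, once.
unrecognized_directives() {
    sed -n "s/.*unrecognized: '\([^']*\)'.*/\1/p" | sort -u
}

# stdin: directive names. stdout: those that only exist in a build made with
# --enable-ssl (heuristic list, an assumption of this example).
ssl_only_directives() {
    grep -E '^(https_port|ssl_bump|sslproxy_[a-z_]+)$' || true
}

# stdin: squid parser output. Exit 0 when the unrecognized lines point at a
# binary built without --enable-ssl rather than at plain typos in squid.conf.
needs_enable_ssl() {
    [ -n "$(unrecognized_directives | ssl_only_directives)" ]
}

# stdin: output of `squid -v`. Exit 0 when --enable-ssl is among the configure
# options (--with-ssl, used in the original build, is not a Squid option).
built_with_ssl() {
    tr -s " '\"" '\n\n\n' | grep -qx -- '--enable-ssl'
}

# stdin: squid.conf lines. stdout: one finding per problem, for the two
# configuration mistakes pointed out in the thread.
lint_bump_config() {
    while IFS= read -r line; do
        case "$line" in
            https_port*)
                echo "https_port is a native-SSL (accelerator) listener; a bumping forward proxy needs 'http_port ... ssl-bump': $line" ;;
        esac
        case "$line" in
            *sslBump*)
                echo "'sslBump' is deprecated since 3.1.7; use 'ssl-bump': $line" ;;
        esac
    done
}

# Stand-alone demonstration on the constructed inputs.
if sample_log | needs_enable_ssl; then
    echo "rebuild with --enable-ssl needed for: $(sample_log | unrecognized_directives | ssl_only_directives | tr '\n' ' ')"
fi
printf 'http_port 8080\nhttps_port 8443 sslBump cert=/etc/ssl/certs/certificate.pem\n' | lint_bump_config
```

On a real host the same functions are fed from the binary and the config, e.g. `/usr/local/squid/sbin/squid -v | built_with_ssl` and `lint_bump_config < /usr/local/squid/etc/squid.conf`; the pipeline of `unrecognized_directives | ssl_only_directives` is what distinguishes "wrong build" from "typo in squid.conf", which the raw parser output does not.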