Re: squid + sslbump + [c-icap] + [squidclamav/havp] + clamav


There seems to be a misconception about what sslbump can and cannot do.

sslbump can only decrypt SSL connections.
sslbump cannot decrypt all other types of traffic that use the
HTTPS port and CONNECT method.
So, for example, it cannot decrypt Skype traffic and files
containing a virus can still enter the network.

Marcus

Alessandro Baggi wrote:
Hi list, for many years I've used squid-2.7-STABLE7 for proxying, content filtering and virus scanning, but it was not able to scan https traffic for viruses. Now, compiling a package for my system, I've seen that in the 3.1.x version there is the ssl-bump option to get https traffic treated as http traffic.

In my squid.conf I have:

...
..
ssl_bump allow localnet
always_direct allow all

http_port 172.16.2.8:3128 ssl-bump cert:/etc/squid/cert/cert.crt key=/etc/squid/cert/key.key


My first question is: how can I see if ssl-bump works? In access.log I always get CONNECT/DIRECT for HTTPS connections. Is this normal, or does my ssl-bump config not work?

Then, my squidclamav version is 6.x and uses c-icap, and I've configured squid for icap as:

    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_req allow all
    icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_resp allow all

For http connections all works fine, but with https connections there is always CONNECT/DIRECT.
On http://wiki.squid-cache.org/Features/SslBump I read:

Squid-in-the-middle decryption and encryption of straight *CONNECT* and transparently redirected SSL traffic, using configurable client- and server-side certificates. While decrypted, the traffic can be inspected using ICAP.

Then at this point, should ssl-bump permit squidclamav to see files (decrypted) over https?

If yes, there is a misconfiguration on my side; can you point me in the right direction? (If you need my squid.conf I can post it.)

thanks in advance.
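One way to answer the "how to see if ssl-bump works" question from access.log, as an added example that is not part of the original messages: a bumped connection shows decrypted requests logged with `https://` URLs in addition to the CONNECT entry, while an unbumped one shows the CONNECT entry only. The sample lines, host names and addresses are constructed, and Squid's native access.log format is assumed.

```python
from urllib.parse import urlsplit

# Constructed sample lines (not from the original post), native log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1299571200.101    310 172.16.2.20 TCP_MISS/200 5120 CONNECT tunnel.example.net:443 - DIRECT/192.0.2.10 -
1299571201.202    120 172.16.2.20 TCP_MISS/200 0 CONNECT bumped.example.org:443 - DIRECT/192.0.2.20 -
1299571201.350     95 172.16.2.20 TCP_MISS/200 8431 GET https://bumped.example.org/file.zip - DIRECT/192.0.2.20 application/zip
1299571202.400     40 172.16.2.21 TCP_MISS/200 2210 GET http://plain.example.com/ - DIRECT/192.0.2.30 text/html
malformed line
"""


def parse_line(line):
    """Return (client, method, url), or None for lines that do not parse."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[5], fields[6]


def classify_https(log_text):
    """Map each HTTPS host seen in the log to 'bumped' or 'tunnel-only'."""
    connects, decrypted = set(), set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip truncated or foreign lines instead of failing
        _client, method, url = parsed
        if method == "CONNECT":
            # CONNECT targets are logged as host:port
            connects.add(url.rsplit(":", 1)[0].lower())
        elif url.lower().startswith("https://"):
            # A logged https:// request means Squid saw the decrypted request
            host = urlsplit(url).hostname
            if host:
                decrypted.add(host)
    result = {host: "tunnel-only" for host in connects}
    result.update({host: "bumped" for host in decrypted})
    return result


if __name__ == "__main__":
    for host, state in sorted(classify_https(SAMPLE_LOG).items()):
        print(f"{host}: {state}")
```

A host reported as tunnel-only was relayed as an opaque CONNECT tunnel, so its content was never available to the ICAP service.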



