On 06/04/11 20:28, PaweÅ Mojski wrote:
Hi Guys;
I'm new one on the list so at the beginning I'd like to say hello to all
regular readers :)
I'm using squid (3.1.1 at this moment) in huge service and I'm wondering
about one think.
c) Can squid proxy SSL requests transparently ?
Yes. But only for one definition of "transparent": the HTTP RFC
definition.
/pedant
It will not handle NAT intercepted SSL.
I have something like this in my squid.conf file:
pl-waw1 ~ # grep transparent /etc/squid/squid.conf
http_port 10.1.1.1:8080 transparent
https_port 10.1.1.1:8443 transparent sslBump cert=/etc/squid/cert.pem
And it works very fine with DNAT redirection.
Also, please anyone explain me what is the difference in deprecated
sslBump and new one ssl-bump.
Just bug fixes. The "sslBump" in config was a typo. It was supposed to
be ssl-bump from the start.
I tried to upgrade squid, but to new sslbumping format was not working
fine.
How should I use it?
On "http_port" without the "transparent".
The ssl-bump feature takes the details from CONNECT headers and uses
them to create a certificate for the destination server (by name!) to
decrypt the SSL traffic inside the tunnel.
It does not work on https_port due to the missing name and is ignored in
older configs.
What does sometimes work there (and seems to have been for you) is the
NAT interception (aka old "transparent" flag) *if* the client browser
foolishly accepts Squids https_port certificate stating an obviously
wrong domain name.
The recent Squid releases are being a bit more strict about what they
allow. But to match that "-k parse" and the WARNING level of cache.log
is also being more informative about config changes and how to resolve them.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.6
