Re: Transparent HTTP Proxy and SSL-BUMP feature


On 3/12/2011 1:02 a.m., Maret Ludovic wrote:
Hi there !

I want to configure a transparent proxy for HTTP and SSL. HTTP works
pretty well but I'm stuck with SSL even if I use the ssl-bump feature.

Right now, it almost works if I use 2 different ports for the http_port
& https_port:

http_port 3129 transparent
https_port 3130 ssl-bump cert=/etc/squid/ssl_cert/partproxy01-test.pem key=/etc/squid/ssl_cert/private/partproxy01-key-test.pem

HTTP is OK. I get the warning about a probable man-in-the-middle attack
when I tried to access an SSL web site. I did just add an exception. And
I get an error: Invalid URL

In the logs, I found:

1322820580.454 0 10.194.2.63 NONE/400 3625 GET /pki - NONE/- text/html

When I tried to access https://www.switch.ch/pki
Apparently, Squid cut the URL and removed the host.domain part…

No, Squid is not doing anything, that is the problem.
This is how HTTP client->origin request URLs look. The client agent thinks it is talking directly to the origin, so it uses the partial URL format. This is part of what the "transparent" or "intercept" flags make Squid know to look out for and fix up.


When I tried to use the CONNECT method and ssl-bump on http_port, I get an
error in the browser “ssl_error_rx_record_too_long” or
“ERR_SSL_PROTOCOL_ERROR”

Any clues ?

Somewhere in the OpenSSL documentation lies the meaning of those error messages.


Amos
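
Added example (not part of the original message, and not Squid's code): a simplified Python model of the URL fix-up described in the reply above. The function names and sample requests are constructed for illustration; it shows why an origin-form request such as GET /pki is rejected on a port without the transparent/intercept flag, and how a flagged port completes it from the Host header.

```python
# Added illustration: a simplified model of request-target handling,
# not Squid's implementation. Sample requests are constructed.

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into method, target and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_url(raw: bytes, intercepted: bool, scheme: str = "http"):
    """Return (status, url) as a proxy listener would see the request.

    intercepted=False models a port without the transparent/intercept flag:
    only absolute-form targets are accepted there.
    intercepted=True models a flagged port: an origin-form target is
    completed with the listening port's scheme and the Host header.
    """
    _method, target, headers = parse_request(raw)
    if "://" in target:            # absolute-form, sent to a configured proxy
        return 200, target
    if not target.startswith("/"):
        return 400, None
    if not intercepted:            # origin-form on a plain proxy port
        return 400, None
    host = headers.get("host")
    if not host:                   # nothing to rebuild the URL from
        return 400, None
    return 200, f"{scheme}://{host}{target}"


# Constructed: what the browser sends inside the bumped TLS session.
ORIGIN_FORM = b"GET /pki HTTP/1.1\r\nHost: www.switch.ch\r\n\r\n"
# Constructed: what a browser configured to use a proxy would send.
ABSOLUTE_FORM = b"GET http://www.switch.ch/pki HTTP/1.1\r\nHost: www.switch.ch\r\n\r\n"

if __name__ == "__main__":
    print(effective_url(ORIGIN_FORM, intercepted=False))
    print(effective_url(ORIGIN_FORM, intercepted=True, scheme="https"))
    print(effective_url(ABSOLUTE_FORM, intercepted=False))
```

The Host header is supplied by the client, so a URL rebuilt this way is only as trustworthy as that header; compare it with the connection's original destination before using it in access decisions.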

