On 06/21/2012 10:34 AM, A G wrote:
> I am trying to set up squid as a transparent ssl mitm proxy.

You will need to run trunk with a BumpSslServerFirst patch recently posted on squid-dev. The patch implements the following feature that is essential for bumping transparent SSL connections in production:

http://wiki.squid-cache.org/Features/BumpSslServerFirst

In my response, I will assume that you are doing the above.

> 1. http_port intercept means squid will place its own IP in the
> packet sent to the destination. Is this correct?

Yes, although the option means more than that, of course.

> 2. http_port tproxy means squid will preserve the client's IP in the
> packet sent to the destination, is this correct?

Yes, although the option means more than that, of course.

> 3. Does ssl bump work only with CONNECT messages? i.e. clients must have
> their browser set to use squid as a proxy.

No. It works for both CONNECT and intercepted transactions.

> But http://wiki.squid-cache.org/Features/SslBump also says it can mitm
> transparently redirected SSL traffic. So ssl bump works in
> 'transparent/intercept' mode;

Yes, it does, but without BumpSslServerFirst, bumping intercepted connections generates too many warnings for production use.

> 4. What is the point of using http_port (xyz) ssl-bump if port xyz
> cannot receive ssl traffic? Wouldn't ssl-bump ONLY be used with
> https_port, not http_port?

Use http_port for bumping CONNECT requests. Use https_port for bumping intercepted SSL connections.

> 5. After all this, is it possible to use tproxy with ssl-bump?

Yes.

> That is, do SSL man in the middle whilst preserving the client's IP
> address?

Yes.

HTH,

Alex.
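The three port roles Alex describes (http_port for CONNECT bumping, https_port intercept for NAT-redirected HTTPS, https_port tproxy for client-IP-preserving interception) put together in one squid.conf fragment. This is an added example written for this page, not configuration from Alex's mail or from the Squid project; it assumes Squid 3.3 or trunk with the BumpSslServerFirst patch, built with SSL, ssl_crtd and Linux netfilter support, and the CA file path, the ssl_db location, the ssl_crtd binary path and the eth1 interface name are assumptions, not values from the thread.

```conf
# squid.conf fragment: one forward-proxy port for CONNECT bumping and two
# intercepting ports for transparently redirected HTTPS, one plain intercept
# and one TPROXY.  Assumes Squid 3.3 (or trunk with the BumpSslServerFirst
# patch) built with --enable-ssl --enable-ssl-crtd --enable-linux-netfilter.
# The CA path, ssl_db path and ssl_crtd path below are assumptions.

# Browser-configured clients send CONNECT here; bump it.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem

# Port 443 traffic REDIRECTed here by NAT; Squid opens the origin
# connection from its own address.
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem

# Port 443 traffic diverted here by TPROXY; Squid spoofs the client's
# source address toward the origin, so return traffic must route back
# through this box.
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem

# BumpSslServerFirst: connect to the origin first, then mimic its
# certificate toward the client.  Pre-3.3 Squid only knows "ssl_bump allow".
ssl_bump server-first all

# Helper that mints per-host certificates signed by myCA.pem.
# Initialise the database once with: ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Do not silently bump through an origin certificate Squid cannot validate;
# failing the connection is safer than hiding the error from the client.
sslproxy_cert_error deny all

# Matching packet-steering rules, run as root on the Squid host (shown as
# comments because they are not squid.conf syntax; eth1 is the
# client-facing interface, an assumption):
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3129
# or, for the TPROXY port instead:
#   iptables -t mangle -N DIVERT
#   iptables -t mangle -A DIVERT -j MARK --set-mark 1
#   iptables -t mangle -A DIVERT -j ACCEPT
#   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#   iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3130
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
```

Two checks before calling this production-ready: the intercept and tproxy ports must be reachable only via the iptables redirect, never advertised to browsers as a proxy, and every client must have myCA.pem installed as a trusted root, otherwise the mimicked certificates produce exactly the browser warnings that BumpSslServerFirst is meant to avoid. With tproxy, also confirm the box is the default gateway for the clients so that replies to the spoofed source address come back through Squid.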