Thanks Alex and Amos, I'll have a look at those points!

----------------------------------------
> Date: Fri, 22 Jun 2012 10:27:35 -0600
> From: rousskov@xxxxxxxxxxxxxxxxxxxxxxx
> To: utopian201@xxxxxxxxxxx
> CC: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Capabilities of Squid as SSL MITM
>
> On 06/21/2012 10:34 AM, A G wrote:
>
> > I am trying to set up squid as a transparent ssl mitm proxy.
>
> You will need to run trunk with a BumpSslServerFirst patch recently
> posted on squid-dev. The patch implements the following feature that is
> essential for bumping transparent SSL connections in production:
> http://wiki.squid-cache.org/Features/BumpSslServerFirst
>
> In my response, I will assume that you are doing the above.
>
> > 1. http_port intercept means squid will place its own ip in the
> > packet sent to the destination. Is this correct?
>
> Yes, although the option means more than that, of course.
>
> > 2. http_port tproxy means squid will preserve the client's ip in the
> > packet sent to the destination, is this correct?
>
> Yes, although the option means more than that, of course.
>
> > 3. Does ssl bump work only with CONNECT messages? i.e. clients must have
> > their browser set to use squid as a proxy.
>
> No. It works for both CONNECT and intercepted transactions.
>
> > But http://wiki.squid-cache.org/Features/SslBump also says it can mitm
> > transparently redirected SSL traffic. So ssl bump works in
> > 'transparent/intercept' mode;
>
> Yes, it does, but without BumpSslServerFirst, bumping intercepted
> connections generates too many warnings for production use.
>
> > 4. What is the
> > point of using http_port (xyz) ssl-bump if port xyz cannot receive ssl
> > traffic? Wouldn't ssl-bump ONLY be used with https_port, not http_port?
>
> Use http_port for bumping CONNECT requests.
> Use https_port for bumping intercepted SSL connections.
>
> > 5.
> > After all this, is it possible to use tproxy with ssl-bump?
>
> Yes.
>
> > That is, do
> > SSL man in the middle whilst preserving the client's IP address?
>
> Yes.
>
>
> HTH,
>
> Alex.
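A squid.conf fragment showing the port roles Alex describes (http_port with ssl-bump for CONNECT clients, https_port with intercept or tproxy for intercepted SSL, and server-first bumping from the BumpSslServerFirst feature). This is an added example, not configuration from the thread or the Squid project; the file paths, port numbers and the exemption ACL are assumptions.

```conf
# Added example, not from the thread. Paths, ports and ACL names are assumptions.
# The cert/key pair is the local CA Squid uses to mint per-site certificates;
# clients must trust this CA or every bumped site shows a certificate warning.

# Explicit proxy port: browsers configured to use Squid send CONNECT here (question 4).
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key

# Intercepted SSL port: the firewall redirects port-443 traffic here, no CONNECT involved.
# "intercept" makes Squid source the origin connection from its own IP (question 1).
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key

# Alternative to the line above: "tproxy" preserves the client's IP towards the
# origin (questions 2 and 5). Needs the TPROXY kernel/iptables setup; use one style, not both.
# https_port 3129 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key

# Server-first bumping: Squid connects to the origin before answering the client,
# so the mimicked certificate reflects the real one instead of a guess from the
# destination IP. Hypothetical exemption list for sites that must not be bumped.
acl no_bump_sites dst "/etc/squid/no_bump.txt"
ssl_bump none no_bump_sites
ssl_bump server-first all

# Helper that generates and caches the per-host certificates.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
```

The ssl_db directory must be initialised with ssl_crtd -c before Squid starts, and the bumped connections still need the client-side redirect (iptables REDIRECT or TPROXY rules) that this fragment does not include.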