Hi Eliezer

> what iptables rules have you used?
> also you better use squid 3.2 for ssl-bump.

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 81 -j REDIRECT --to-port 3128
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 443

> also you better use squid 3.2 for ssl-bump.

K, will try that. Stay tuned :-)

> take a look at:
> http://wiki.squid-cache.org/Features/SslBump
> and
> http://wiki.squid-cache.org/Features/DynamicSslCert

I've read through them at least 10 times (I'm not kidding) and tried various different configurations without finding any solution. Maybe I simply missed something :-/

Do I need to compile squid with '--enable-ssl-crtd' or is '--enable-ssl' enough?

Regards,
Heinrich

----------------------------------------
> Date: Wed, 31 Oct 2012 17:40:38 +0200
> From: eliezer@xxxxxxxxxxxx
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: Squid and SSL interception (ssl-bump)
>
> On 10/31/2012 5:33 PM, Heinrich Hirtzel wrote:
> > Hello
> >
> > For a school project I'm trying to intercept SSL connections by using Squid (client -> squid (transparent) -> server).
> > I'm running Squid 3.1.20 on Ubuntu server 12.10 (64 bit) using the following configuration:
> >
> > *************************************
> > http_port 10.0.1.1.:3128 intercept
> > https_port 10.0.1.1.:443 ssl-bump cert=/user/local/squid3/ssl_cert/myCA.pm
> If I remember right you should use http and not https
> >
> > acl our_networks src 10.0.1.0/24
> > http_access allow our_networks
> > forwarded_for off
> > ssl_bump allow all
> > sslproxy_cert_error allow all
> > sslproxy_flags DONT_VERIFY_PEER
> > *************************************
> what iptables rules have you used?
> also you better use squid 3.2 for ssl-bump.
>
> what were you reading about ssl-bump?
>
> take a look at:
> http://wiki.squid-cache.org/Features/SslBump
> and
> http://wiki.squid-cache.org/Features/DynamicSslCert
>
> Regards,
> Eliezer
>
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il