On 1/01/2013 12:33 p.m., Eliezer Croitoru wrote:
> Hey,
> From this basic snippet of the email I can tell you:
> 1. using DNAT is wrong anyway for intercept proxy.
> 2. specifically for SSL-BUMP it's ^^^ the cause of most of your problems.
> Since SSL-BUMP tries to bump server first it should be able to know
> what server to bump while using DNAT you replace the dst IP + PORT
> with the proxy IP which makes it impossible to "bump server first".
> Use either REDIRECT or TPROXY instead to allow SSL-BUMP + server first.
No. DNAT and REDIRECT do the same thing and both are valid for Squid
with NAT intercept.
REDIRECT just assumes the DNAT IP is to be the machine's primary IP and
works when IPs are dynamically assigned to the box.
The main problem appears to be configuring "server-first" bumping with
the directive:
ssl_bump client-first all
Amos
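An added configuration example, not from either poster, to make the point concrete: a NAT interception rule (DNAT or REDIRECT, shown as equivalent in the comments) feeding a Squid 3.3-style intercept port, with the `client-first` line that the thread identifies as the problem placed next to the `server-first` line that actually gives server-first bumping. The port number, interface, proxy IP, certificate paths and helper locations are assumptions.

```conf
# --- iptables on the proxy box (assumed: clients arrive on eth1) ---
# Both rules send client TCP/443 traffic to Squid's intercept port;
# REDIRECT is just DNAT to the box's own primary address.
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 \
#       -j DNAT --to-destination 192.168.1.1:3129
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 \
#       -j REDIRECT --to-ports 3129
# Match only the client-facing interface so Squid's own outbound
# connections are never looped back into the proxy.

# --- squid.conf: intercept port with SSL-Bump ---
# Clients must trust this CA, otherwise every bumped site will warn them.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# WRONG for the goal in this thread: client-first bumps the client
# before Squid has talked to the origin server, so Squid cannot
# mimic the real server certificate details.
#ssl_bump client-first all

# CORRECT: server-first connects to the origin server first, then
# generates the client-facing certificate based on what it saw.
ssl_bump server-first all

# Keep traffic destined for the proxy itself unbumped.
ssl_bump none localhost
```

The NAT target (DNAT vs REDIRECT) does not change which of the two `ssl_bump` modes Squid runs; only the `ssl_bump` line does.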