I thought ssl_bump should be defined on the http port, not the https
one. However I've not done transparent for ages so I could be wrong.
If you don't want it, why put it in the *_port directives at all?
Alex
On 12/03/13 19:00, David Touzeau wrote:
Dear
I would like to use Squid 3.3.x in transparent SSL mode (in order to
build a kind of HotSpot system).
My issue is:
"Squid forces bumping of all websites and changes the certificate even
when an ACL is created to deny bumping websites."
I would like to know if it is possible to do that?
I have set this in squid.conf:
# --------- SSL Listen Port
https_port 192.168.1.204:3130 intercept ssl-bump cert=/etc/squid3/ssl/cacert.pem key=/etc/squid3/ssl/privkey.pem
# --------- SSL Rules
ssl_bump deny all
always_direct allow all
# nat table rules (REDIRECT and MASQUERADE are nat-only targets); "-m comment"
# fragments left over from stripped --comment strings removed, missing
# "-j REDIRECT" restored on the port-80 rule
-A PREROUTING -p tcp -m tcp --dport 3128 -j DROP
-A PREROUTING -p tcp -m tcp --dport 3130 -j DROP
-A PREROUTING -s 192.168.1.204/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.1.204/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -s 192.168.0.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.0.4/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A POSTROUTING -j MASQUERADE
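For reference, here is how selective bumping is expressed in a Squid 3.3.x squid.conf. This is an added example, not configuration from either poster; the paths, the listening address/port, the client subnet and the 203.0.113.0/24 "do not bump" range are placeholders. The point it illustrates: on an intercepted connection Squid 3.3 decides ssl_bump before it has read the TLS ClientHello, so the only things an ACL can match at that moment are the client address and the original destination IP:port (no hostname, no SNI; dstdomain would have to fall back to reverse DNS on the IP). Rules are evaluated in order and the first match wins, so the exemption must come before the rule that bumps.

```conf
# squid.conf, Squid 3.3.x: intercept HTTPS and bump only where intended (added example).
# Placeholder paths and addresses; adjust to your host.
https_port 192.168.1.204:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/cacert.pem key=/etc/squid3/ssl/privkey.pem
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/squid3/ssl_db -M 4MB
sslcrtd_children 5

# What is known when ssl_bump is evaluated on an intercepted connection:
# client source address and original destination IP:port. Nothing else.
acl hotspot_clients src 192.168.1.0/24
acl nobump_dst dst 203.0.113.0/24      # placeholder: address range you must never bump

# First match wins. "none" tunnels the TCP connection untouched, so the
# browser sees the real server certificate for nobump_dst.
ssl_bump none nobump_dst
ssl_bump server-first hotspot_clients  # bump everything else from the hotspot subnet
ssl_bump none all                      # default: do not bump anything unexpected

# server-first fetches the origin certificate before forging one; be explicit
# about what happens when that certificate fails validation.
sslproxy_cert_error deny all
always_direct allow all
```

Two caveats a practitioner will want: "deny" and "allow" in ssl_bump are the deprecated 3.1-era aliases for "none" and "client-first", so a single "ssl_bump deny all" line is a valid "never bump" policy only if the port options do not override it; and bumped clients must have cacert.pem installed as a trusted CA, otherwise every bumped site shows a certificate warning, which is exactly the symptom a hotspot user will report.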