I know this question has been asked on this forum in the recent past. But I could not find any responses that helped my situation. So here goes.

Some context: We are an "in the cloud" web-filtering service and have been using Squid very successfully for over a year now. The way we work is by having our users point to a DNS server. The DNS server "selectively" redirects to our squid proxy. For instance, google.com and youtube.com would be redirected to our Squid proxy (where we would perform traffic inspection). Not being aware of transparent interception at the time of product development, we implemented transparent HTTP and HTTPS interception. Squid was modified to have the same port handle both intercepted and regularly proxied traffic.

Setup: Our squid instance is based in the Amazon cloud (base OS is Linux). The typical customer is a mid-large network behind a NAT that sends us all of their DNS queries. Some of these DNS queries get translated to HTTP/HTTPS traffic that then hits squid. The destination website(s) will think of Amazon as being the source of the traffic.

The Problem Statement: Due to customer demand, we need to use the SSL Bump feature. As of now, I have no problems getting Dynamic SSL Certificate generating to work in regular proxy (non intercepted/transparent) mode. But I have run into issues while getting this to work in transparent/intercepted mode.

Squid installation details:

    ./configure --enable-ssl --enable-ssl-crtd --enable-linux-netfilter

Relevant squid.conf parameters:

    http_access allow all
    always_direct allow all
    ssl_bump server-first all
    sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
    sslcrtd_children 5
    http_port 80 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/mycert.pem
    http_port 443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/mycert.pem

(I have also tried ssl_bump allow all)

When I send traffic that I expect to be intercepted to Squid, I get the following errors in the log file (and a TCP RST from squid):

    ERROR: No forward-proxy ports configured
    NF getsockopt(SO_ORIGINAL_DST) failed on local=10.174.14.75:80 remote=107.3.142.99:60377 FD 10 flags=33: (92) Protocol not available

I know I am missing something pretty simple here. Any help would be hugely appreciated!

Thanks,
Bharath
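
The second log line above records a failed getsockopt(SO_ORIGINAL_DST) call, the lookup that asks Linux netfilter for the destination a connection had before NAT; on Linux, errno 92 is ENOPROTOOPT. The program below is an added diagnostic example, not part of the original post and not Squid code: it issues the same lookup on a constructed loopback connection so the result can be checked on the proxy host itself. The function names original_dst and probe_loopback are hypothetical.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* same value as in <linux/netfilter_ipv4.h> */
#endif

/* Ask netfilter for the pre-NAT destination of a TCP socket.
 * Returns 0 and fills *dst on success, otherwise the errno of the call. */
int original_dst(int fd, struct sockaddr_in *dst) {
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    return getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, dst, &len) == 0 ? 0 : errno;
}

/* Constructed case: accept one loopback connection and query it.
 * Returns what original_dst() returned, or -1 if the socket setup failed. */
int probe_loopback(struct sockaddr_in *dst) {
    struct sockaddr_in a;
    socklen_t alen = sizeof(a);
    int rc = -1, c = -1, s = -1, l = socket(AF_INET, SOCK_STREAM, 0);
    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
    if (l >= 0 && bind(l, (struct sockaddr *)&a, sizeof(a)) == 0 &&
        listen(l, 1) == 0 && getsockname(l, (struct sockaddr *)&a, &alen) == 0 &&
        (c = socket(AF_INET, SOCK_STREAM, 0)) >= 0 &&
        connect(c, (struct sockaddr *)&a, sizeof(a)) == 0 &&
        (s = accept(l, NULL, NULL)) >= 0)
        rc = original_dst(s, dst);
    if (s >= 0) close(s);
    if (c >= 0) close(c);
    if (l >= 0) close(l);
    return rc;
}

int main(void) {
    struct sockaddr_in dst;
    char ip[INET_ADDRSTRLEN];
    int rc = probe_loopback(&dst);
    if (rc == 0) printf("original dst %s:%d\n", inet_ntop(AF_INET, &dst.sin_addr, ip, sizeof(ip)), ntohs(dst.sin_port));
    else printf("SO_ORIGINAL_DST lookup failed: rc=%d %s\n", rc, rc > 0 ? strerror(rc) : "(socket setup failed)");
    return 0;
}
```

A result of 92 from this probe reproduces the error Squid logged, independently of squid.conf.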