On 07/28/2013 05:21 PM, Amos Jeffries wrote:
> On 29/07/2013 2:30 a.m., Eliezer Croitoru wrote:
>> On 07/28/2013 03:37 PM, csn233 wrote:
>>> To intercept HTTPS traffic, is SSL-bump a must? Even when I only want
>>> to record the CONNECT traffic in access.log just like a normal forward
>>> proxy without decrypting anything?
>>>
>>> Is this any different with TPROXY?
>>>
>> Indeed SSL-bump is a must..
>> You will be able to record the CONNECT traffic when using:
>> "sslbump deny all" like acl.

    ssl_bump none all

You will not be decrypting or bumping any traffic with this, but you
will be using a little bit of code introduced by the SslBump-related
projects.

> Beyond the minor fact that there should be *no* CONNECT traffic on
> intercepted port 80 or port 443 because CONNECT is a client-to-proxy
> request method - which should only be seen on port 3128 or similar HTTP
> proxy ports.

To be more precise, there are actually a few CONNECT requests inside
real-world intercepted traffic, but a non-bumping Squid which assumes
that the traffic is SSL will not see any of those CONNECTS as it will
blindly forward them to where they were going.

> The current releases of Squid (3.3.8 and 3.4.0.1) should take
> intercepted port-443 traffic and relay it untouched if there is no
> decrypting done. They may convert it into a CONNECT if the traffic needs
> relaying to a cache_peer, but otherwise it is just tunneled along to the
> original destination server.

Please note that tunneling intercepted but not bumped traffic through
cache_peers (via CONNECT) is officially supported only in v3.4 (added as
trunk r12905 dated 2013-06-10).

HTH,

Alex.