Hi everyone,

I'd like some advice regarding using the SSL Bump functionality with Squid, and to ask some questions regarding whether I correctly understand what SSL Bump is designed to do. First, however, I'd like to describe what I'm looking to do so you have some background.

At the moment, we have an older version of Squid which is working very well as a Reverse Proxy for a number of sites in this configuration:

                                                  +------------------+
                                                  |                  |
                                                  |                  |
    Browser ----- HTTPS (SSL) Connection ---------+                  +--------- HTTP Connection ----- Web Server
                                                  |                  |
                                                A |                  | B
                                                  |                  |
                                                  +------------------+
                                                   Squid Reverse Proxy

Currently, we offload the SSL at the external interface of the Reverse Proxy (as above (A)), so the Web browser connects to Squid and that's where the SSL connection ends; for the rest of the journey to the web server, the traffic is unencrypted (B). This works for a fair proportion of our sites and works well.

However, some of our web based software is not coded very well and requires an HTTPS connection directly to the Web server. Now, at the moment, this functionality is covered by a Microsoft TMG instance which uses what they call 'SSL Bridging'. For a number of reasons, we now want to upgrade the Squid Reverse Proxy to 3.4 and decommission the Microsoft TMG server, so my first question is this: does the SSL Bump functionality in Squid 3.4 replicate the SSL Bridging process, i.e. the client sends an encrypted request, Squid then decrypts the request (A), encrypts it again (B), and forwards it to the Web Server. The Web server returns the encrypted object to the Squid server, which decrypts the object (B), encrypts it again (A), and sends it to the client.

This is shown below:

                                                  +------------------+
                                                  |                  |
                                                  |                  |
    Browser ----- HTTPS (SSL) Connection ---------+                  +--------- HTTPS (SSL) Connection ----- Web Server
                                                  |                  |
                                                A |                  | B
                                                  |                  |
                                                  +------------------+
                                                   Squid Reverse Proxy

Firstly, I'd just like to confirm that the functionality in SSL Bump works as above and then I can decide how to go forward. I am aware of the ethical considerations of using this method and that effectively it is just a 'managed' man-in-the-middle attack, but I can't really think of any other way to get this to work without it.

Thanks everyone in advance, any help is appreciated.

John
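The second diagram above (HTTPS on both leg A and leg B, with Squid holding its own certificate for the published site) expressed as a squid.conf fragment, as an added example that is not part of the original message. In reverse-proxy (accelerator) mode the re-encryption is done by `https_port ... accel` terminating the browser's TLS session and `cache_peer ... ssl` opening a fresh TLS session to the origin; the `ssl_bump` directive is not involved in this mode. Directive names are Squid 3.x; the hostnames, addresses and certificate paths are placeholders.

```conf
# Added example (not from the original post): Squid 3.4 reverse proxy with
# TLS on both legs. Hostnames, addresses and file paths are placeholders.

# Leg A: the browser's TLS session terminates here, on Squid's own
# certificate for the published site.
https_port 443 accel defaultsite=www.example.com vhost cert=/etc/squid/certs/www.example.com.pem key=/etc/squid/certs/www.example.com.key options=NO_SSLv2,NO_SSLv3

# Leg B: Squid opens a new TLS session to the origin for each forwarded
# request. "originserver" marks the peer as the accelerated origin and
# "ssl" makes the hop encrypted.
#
# Weak form (works, but Squid accepts whatever certificate the origin
# presents, so Squid itself can be misdirected without noticing):
#   cache_peer 10.0.0.10 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=appserver
#
# Hardened form: pin the CA that issued the origin certificate and the name
# that certificate must carry.
cache_peer 10.0.0.10 parent 443 0 no-query originserver ssl sslcafile=/etc/squid/certs/internal-ca.pem ssldomain=app.internal.example.com name=appserver

# Accept only requests for the published site, and route only those to the
# origin peer; everything else is refused.
acl our_sites dstdomain www.example.com
http_access allow our_sites
http_access deny all
cache_peer_access appserver allow our_sites
cache_peer_access appserver deny all
```

The two `cache_peer` lines differ only in how Squid validates the origin's certificate. On leg B Squid is the TLS client, so a peer definition that skips verification gives up exactly the guarantee the browser on leg A is relying on; `sslcafile` plus `ssldomain` keeps that check in place, and a broken origin certificate then shows up in cache.log as a failed peer connection rather than passing silently.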