...
>Note the need for separate forward-proxy and intercept-proxy listening ports in Squid is a MUST.
>
>Forward-proxy is the better mode of operation, if you have clients already using it leave them. Add the interception as a secondary http(s)_port for the
>clients that cannot be configured with the proxy.
>Amos

This issue with ssl_bump has really been confusing me!

If I have the line

    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=bla.crt key=bla.key intercept

Then squid will not start unless I also have an additional config line like

    http_port 3129

What does specifying two http_port mean? How do I configure my iptables and dansguardian to use these ports?

Currently, DG is configured with "proxyport = 3128"
Do I change that, add to it or what?

Without ssl_bump my router's NAT rules are

    -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
    -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

In English:
When they are output from a squid process, accept packets that are destined for ports 80 or 3128.
Before other routing, redirect packets destined for port 80 to port 8080.

How must I change this when I am using ssl_bump?

Thanks!
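
A check for the rule in the quoted reply, as an added example that is not part of the original message or of Squid itself: it reads squid.conf text and reports when an intercept port has no separate forward-proxy port beside it. The function names and the `upstream_port` parameter are assumptions made for illustration; `upstream_port` stands for the port a filter such as DansGuardian is pointed at.

```python
# Added example; not from the original post. Flag names are Squid http_port options.
INTERCEPT_FLAGS = {"intercept", "transparent", "tproxy"}  # "transparent" is the older spelling

def parse_ports(conf_text):
    """Return (directive, port, mode, ssl_bump) for each http_port/https_port line."""
    ports = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(tokens) < 2 or tokens[0] not in ("http_port", "https_port"):
            continue
        port = int(tokens[1].rsplit(":", 1)[-1])   # accepts "3128", "192.0.2.1:3128", "[::1]:3128"
        flags = {t.split("=", 1)[0] for t in tokens[2:]}
        if flags & INTERCEPT_FLAGS:
            mode = "intercept"
        elif "accel" in flags:
            mode = "accel"
        else:
            mode = "forward"
        ports.append((tokens[0], port, mode, "ssl-bump" in flags))
    return ports

def check_ports(conf_text, upstream_port=None):
    """upstream_port (assumption): port a filter in front of Squid sends proxy requests to."""
    ports = parse_ports(conf_text)
    findings = []
    modes = {}
    for _, port, mode, _ in ports:
        # One listening port can only operate in one mode.
        if modes.setdefault(port, mode) != mode:
            findings.append(f"port {port} declared as both {modes[port]} and {mode}")
    intercepting = [p for _, p, m, _ in ports if m == "intercept"]
    if intercepting and "forward" not in modes.values():
        findings.append("intercept port(s) %s but no separate forward-proxy http_port" % intercepting)
    if upstream_port is not None and modes.get(upstream_port) != "forward":
        findings.append(f"upstream port {upstream_port} is not a forward-proxy port")
    return findings

# Constructed samples: the line from the post, then the same with the extra port added.
POSTED = ("http_port 3128 ssl-bump generate-host-certificates=on "
          "dynamic_cert_mem_cache_size=4MB cert=bla.crt key=bla.key intercept\n")
WITH_FORWARD = POSTED + "http_port 3129\n"

if __name__ == "__main__":
    for name, conf, upstream in (("posted", POSTED, 3128), ("two ports", WITH_FORWARD, 3129)):
        print(name, check_ports(conf, upstream_port=upstream) or "ok")
```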