Hi Amos,
On 24/08/2014 0:52, Amos Jeffries wrote:
> On 24/08/2014 1:00 a.m., Nicolás wrote:
>> Hi,
>> I'm using Squid 3.3.8 as a transparent proxy, it works fine with HTTP,
>> but I'd like to avoid caching HTTPS sites, and just determine whether
>> the requested URL is listed as denied on Squid (via 'acl dstdom_regex'
>> for instance), otherwise just make squid act as a proxy to the URL's
>> content. Is that even possible without using SSL Bump? Otherwise, could
>> you recommend the simplest way of achieving this?
> No it is only possible with bumping. For transparent interception of
> port 443 (HTTPS) use squid-3.4 with server-first bumping at minimum,
> preferably squid-3.5 with peek-n-splice when it comes out.
> If you bump and still do not want to cache for some reason the cache
> access control can be used like so:
> acl HTTPS proto HTTPS
> cache deny HTTPS
> Amos
I finally installed Squid 3.4.6 from source with --enable-ssl and
--enable-ssl-crtd options and put the corresponding configuration line
for ssl-bump:
https_port 0.0.0.0:3130 intercept ssl-bump cert=/opt/certs/server.crt key=/opt/certs/server.key
This cert is self-signed and evidently it produces the
'sec_error_untrusted_issuer' error on the clients' browsers. Would that
warning disappear if I used a recognized CA to sign that cert that would
match the Squid box's FQDN, or is the installation of the self-signed
cert on every client's browser the only option here?
Thanks!
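As an added example (not configuration posted in this thread), here is a squid.conf fragment for Squid 3.4 that puts the intercept ssl-bump port from the message together with Amos's `cache deny HTTPS` and a dstdom_regex deny list. The ssl_crtd binary path, the certificate database directory, the regex file and the localnet range are assumptions.

```conf
# Added example: Squid 3.4, built with --enable-ssl --enable-ssl-crtd.
# Intercepted HTTPS (port 443 redirected here by the firewall). Per-host
# certificates are minted on the fly and signed by the CA in /opt/certs.
https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/certs/server.crt key=/opt/certs/server.key

# Dynamic certificate generator (paths are assumptions); initialise the
# database once before starting squid with:  ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Server-first bumping, the minimum Amos recommends for 3.4
ssl_bump server-first all

# Denied destinations checked by domain; the (assumed) file holds one
# regex per line. The rule is evaluated again on each decrypted request,
# so it matches on the real Host name after the connection is bumped.
acl blocked_sites dstdom_regex -i "/etc/squid/blocked_domains.regex"
http_access deny blocked_sites

# Bumped HTTPS is proxied but never stored in the cache
acl HTTPS proto HTTPS
cache deny HTTPS

# Usual local-network policy (range is an assumption)
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
```

Clients still have to trust the CA certificate used on the https_port, since every generated server certificate chains to it.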