On 24/08/2014 9:32 p.m., Nicolás wrote:
> Hi Amos,
>
> On 24/08/2014 0:52, Amos Jeffries wrote:
>> On 24/08/2014 1:00 a.m., Nicolás wrote:
>>> Hi,
>>>
>>> I'm using Squid 3.3.8 as a transparent proxy, it works fine with HTTP,
>>> but I'd like to avoid caching HTTPS sites, and just determine whether
>>> the requested URL is listed as denied on Squid (via 'acl dstdom_regex'
>>> for instance), otherwise just make Squid act as a proxy to the URL's
>>> content. Is that even possible without using SSL Bump? Otherwise, could
>>> you recommend the simplest way of achieving this?
>>>
>> No, it is only possible with bumping. For transparent interception of
>> port 443 (HTTPS) use squid-3.4 with server-first bumping at minimum,
>> preferably squid-3.5 with peek-n-splice when it comes out.
>>
>> If you bump and still do not want to cache for some reason the cache
>> access control can be used like so:
>>
>> acl HTTPS proto HTTPS
>> cache deny HTTPS
>>
>>
>> Amos
>>
>
> I finally installed Squid 3.4.6 from source with --enable-ssl and
> --enable-ssl-crtd options and put the corresponding configuration line
> for ssl-bump:
>
> https_port 0.0.0.0:3130 intercept ssl-bump
> cert=/opt/certs/server.crt key=/opt/certs/server.key
>
> This cert is self-signed and evidently it produces the
> 'sec_error_untrusted_issuer' error on the clients' browsers. Would that
> warning disappear if I used a recognized CA to sign that cert that would
> match the Squid box's FQDN, or is the installation of the self-signed
> cert on every client's browser the only option here?

If the browser does not trust the signing CA it will warn.

Amos