On 10/11/2014 10:17 p.m., Jason Haar wrote:
> Hi there, I've googled about for this but I think most of the
> squid intercept stuff refers to 3.2 and I think things have changed
> since then?
>
> I have squid-3.4.9 running with sslbump, and when I configure my
> browser to use it as a proxy, it bumps the certs nicely, signing
> "fake" certs/etc. I then added an iptables rule to redirect outbound
> tcp/80 onto port 3129 (see below) and that transparently proxies
> all port 80 - great. I then went through the same exercise with
> sslbump, but when I put in an iptables rule to redirect outbound
> tcp/443 traffic onto 3127, it doesn't bump - it acts like a TCP
> forwarder instead. I get a "CONNECT ip.add.ress:443" log record -
> no sign of the hostname and no bumping

Two critical details:

1) TCP packet headers do not contain hostnames. The "ip.add.ress:443" you see is the tcp/443 dst-IP field on the intercepted traffic.

2) ssl_bump is a "fast" group ACL test. It does not hold up traffic waiting for reverse-DNS lookups on the IP:port details. It just tests the dst-IP against your regex rules and uses the resulting match/non-match to decide between bumping or forwarding.
> http_port 3126 ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
> http_port 3129 transparent
> https_port 3127 transparent ssl-bump cert=/etc/squid/squid-CA.cert capath=/etc/ssl/certs/ generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
>
> acl SSL_nonHTTPS_sites dstdom_regex "/etc/squid/SSL_nonHTTPS_sites.txt"
> acl SSL_noIntercept_sites dstdom_regex "/etc/squid/SSL_noIntercept_sites.txt"
> ssl_bump none SSL_nonHTTPS_sites
> ssl_bump none SSL_noIntercept_sites
> ssl_bump server-first all
>
> So these older search-engine pages I came across claimed this
> should work with squid, but either I am missing something, or this
> doesn't work in 3.4.9?

The TCP forwarding behaviour occurs when your "ssl_bump none" rules match the IP address of the intercepted tcp/443 traffic.

So it comes down to what your regex files contain and what TCP dst-IPs your Squid is processing. Both of the details you have elided from your description.

Amos

squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
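The following is an added illustration of the point Amos makes, not code from the thread or from the Squid project. It emulates the posted ssl_bump rules as a "fast" ACL group: the rules are tried in order, the first matching dstdom_regex list wins, and the string being tested is whatever Squid has at that moment. With a browser-configured proxy that is the CONNECT hostname; on intercepted tcp/443 it is only the destination IP from the TCP header. The contents of the two regex files are assumptions (the real files were not posted), and the matching_patterns() helper is the check a practitioner would run against their own regex files and the dst-IPs seen in access.log to find out which line is turning bumping off.

```python
import re

# Constructed sample contents standing in for the two files named in the
# posted squid.conf. The real files were not shown; these lines are assumed.
SSL_NONHTTPS_SITES = r"""
# services that speak something other than HTTP over TLS
^imap\.
^smtp\.
^xmpp\.
"""

SSL_NOINTERCEPT_SITES = r"""
# sites that must never be bumped
\.bank\.example$
# a "host" that someone listed by address rather than by name
^203\.0\.113\.
"""


def load_dstdom_regex(text):
    """Read a quoted dstdom_regex file the way Squid does: one regex per line,
    blank lines and '#' comment lines skipped."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(re.compile(line))
    return patterns


# ACL name -> compiled patterns; None stands for Squid's built-in "all" ACL.
ACLS = {
    "SSL_nonHTTPS_sites": load_dstdom_regex(SSL_NONHTTPS_SITES),
    "SSL_noIntercept_sites": load_dstdom_regex(SSL_NOINTERCEPT_SITES),
    "all": None,
}

# The ssl_bump lines from the posted squid.conf, in configuration order.
SSL_BUMP_RULES = [
    ("none", "SSL_nonHTTPS_sites"),
    ("none", "SSL_noIntercept_sites"),
    ("server-first", "all"),
]


def matching_patterns(acl_name, dst):
    """Return the regex lines of `acl_name` that match `dst` (the diagnostic
    a practitioner wants: which line in which file is causing the match)."""
    patterns = ACLS[acl_name]
    if patterns is None:
        return ["<all>"]
    return [p.pattern for p in patterns if p.search(dst)]


def ssl_bump_decision(dst, rules=SSL_BUMP_RULES):
    """Emulate ssl_bump as a fast ACL group: first rule whose ACL matches wins.
    No DNS lookup is performed; `dst` is tested as-is. For a browser-configured
    proxy `dst` is the CONNECT hostname, for intercepted tcp/443 it is the
    TCP destination IP. Returns (action, acl_name, matched_patterns).
    If no rule matches, Squid does not bump (action "none")."""
    for action, acl_name in rules:
        matched = matching_patterns(acl_name, dst)
        if matched:
            return action, acl_name, matched
    return "none", None, []


if __name__ == "__main__":
    # Explicit proxy: hostnames are available, the "none" lists behave as intended.
    for dst in ("www.example.com", "imap.example.com"):
        print("explicit  ", dst, "->", ssl_bump_decision(dst))
    # Intercepted tcp/443: only dst-IPs (TEST-NET addresses, constructed) are tested,
    # so a regex written against an address silently switches bumping off.
    for dst in ("203.0.113.10", "198.51.100.7"):
        print("intercept ", dst, "->", ssl_bump_decision(dst))
```

Run against real files, the "intercept" loop would be fed the IPs from the "CONNECT ip.add.ress:443" records in access.log; any line that matching_patterns() reports for a "none" rule is a line that makes Squid forward rather than bump that address.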