Peek and Splice for websites using HSTS

Ashish Patil <ashish.patil@xxxxxxxxxxxxxx> · Fri, 10 Apr 2015 19:52:37 +0530

Hello,

I am trying to set up Peek and Splice using Squid 3.5.3. I'm facing issues setting it up for website that have HSTS enabled, like google.com and twitter.com.

My squid.conf is:
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl/myCA.pem
acl step3 at_step SslBump3
acl sslBumpAllowedDstDomain dstdomain google.co.in
ssl_bump peek step3 all
ssl_bump splice sslBumpAllowedDstDomain
ssl_bump bump all

The output of access.log is:
1428674512.281    511 192.168.3.31 TCP_MISS/301 634 GET http://google.co.in/ - ORIGINAL_DST/173.194.117.23 text/html
1428674512.703    348 192.168.3.31 TCP_MISS/302 1106 GET http://www.google.co.in/ - ORIGINAL_DST/173.194.117.24 text/html
1428674512.706      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.24:443 - HIER_NONE/- -
1428674512.711      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.24:443 - HIER_NONE/- -
1428674515.883      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674515.956      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674515.965      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674516.006      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.310      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.327      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.335      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
1428674526.411      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -

Any input would be welcome.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users