My own solution in conjunction with Tor + Privoxy looks like this (Note: for Squid 3.4.13):

# Tor acl
acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"

# SSL bump rules
sslproxy_cert_error allow all
ssl_bump none localhost
ssl_bump none url_nobump
ssl_bump none dst_nobump
ssl_bump server-first net_bump

# Privoxy+Tor access rules
never_direct allow tor_url
always_direct deny tor_url
always_direct allow all

# And finally deny all other access to this proxy
http_access deny all

# Local Privoxy is cache parent
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
cache_peer_access 127.0.0.1 allow tor_url
cache_peer_access 127.0.0.1 deny all

http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key
sslproxy_capath /etc/opt/csw/ssl/certs
sslproxy_options NO_SSLv2 NO_SSLv3
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB

Generally, works like a charm.

06.07.15 15:22, adam900710 writes:
> Hi all,
>
> I tried to build an ssl bumping proxy with an up-level proxy, but the client
> failed to connect like the following.
>
> The error:
> ---
> $ curl https://www.google.co.jp -vvvv -k
> * Rebuilt URL to: https://www.google.co.jp/
> * Trying ::1...
> * Connected to localhost (::1) port 3128 (#0)
> * Establish HTTP proxy tunnel to www.google.co.jp:443
> > CONNECT www.google.co.jp:443 HTTP/1.1
> > Host: www.google.co.jp:443
> > User-Agent: curl/7.43.0
> > Proxy-Connection: Keep-Alive
> >
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>     CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * Unknown SSL protocol error in connection to www.google.co.jp:443
> * Closing connection 0
> curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
> ---
>
> My squid.conf:
> ---
> # default acls/configs are ignored
> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
> never_direct allow all
> ssl_bump peek all
> ssl_bump bump all
> http_port 3128 ssl-bump \
>     cert=/etc/squid/ssl/ca.crt \
>     key=/etc/squid/ssl/ca.key \
>     generate-host-certificates=on \
>     dynamic_cert_mem_cache_size=4MB
> ---
>
> From the cache_peer port, someone may notice that I'm using privoxy.
> That's right, as I need to redirect the ssl traffic to a SOCKS5 proxy,
> or I can't ever access some sites.
>
> Here are some of my experiments:
> 1) Remove "never_direct"
> Then ssl_bump works as expected, but all traffic doesn't go through
> the SOCKS5 proxy. So there are a lot of sites I can't access.
>
> 2) Use the local 8118 proxy
> That works fine without any problem, but SSL_dump is needed...
> So that just proves privoxy is working.
>
> Any clue?
>
> Thanks
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
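A small configuration-review script, added here as an example (not code from either poster), that parses both squid.conf snippets from the thread and flags what a reviewer of an SSL-bumping proxy would question: `sslproxy_cert_error allow all`, which makes Squid ignore upstream server certificate errors on bumped connections, and the `never_direct allow all` plus `ssl_bump` combination whose failure opened the thread. The reply's configuration is abridged to the lines the checks look at.

```python
def parse_squid_conf(text):
    # Return (directive, args) pairs; drops '#' comments and joins backslash continuations.
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line:
            words = line.split()
            rules.append((words[0], words[1:]))
    return rules

def audit_bump_config(text):
    # Flag settings from the thread that a reviewer of an SSL-bumping proxy would question.
    rules = parse_squid_conf(text)
    bumping = any(d == "ssl_bump" and a[:1] != ["none"] for d, a in rules)
    findings = []
    for d, a in rules:
        if d == "sslproxy_cert_error" and a[:2] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all: server certificate validation errors are ignored on bumped connections")
        if bumping and d == "never_direct" and a[:2] == ["allow", "all"]:
            findings.append("never_direct allow all with ssl_bump: every bumped connection is forced through the cache_peer (the combination that failed in the thread); restrict never_direct to an ACL")
    if bumping and not any(d == "sslproxy_options" for d, _ in rules):
        findings.append("no sslproxy_options: server-side TLS protocol versions are left to library defaults")
    return findings

OP_CONF = """# original poster's squid.conf, as quoted in the thread
cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
never_direct allow all
ssl_bump peek all
ssl_bump bump all
http_port 3128 ssl-bump \\
    cert=/etc/squid/ssl/ca.crt \\
    key=/etc/squid/ssl/ca.key \\
    generate-host-certificates=on \\
    dynamic_cert_mem_cache_size=4MB
"""
REPLY_CONF = """# abridged from the reply's Squid 3.4.13 configuration in the thread
acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
sslproxy_cert_error allow all
ssl_bump server-first net_bump
never_direct allow tor_url
always_direct deny tor_url
always_direct allow all
sslproxy_options NO_SSLv2 NO_SSLv3
"""
if __name__ == "__main__":
    print(audit_bump_config(OP_CONF), audit_bump_config(REPLY_CONF))
```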