SSL bumping without faked server certificates

Hi,

I needed to set up Squid as a transparent proxy with SSL bumping for only one single https website.
The goal was to bump https connections to this website with its officially signed SSL certificate.

As an illustration:

Website/hostname: https://abc.mydomain.com
DNS: abc.mydomain.com A 1.2.3.4
Official wildcard certificate: CN = *.mydomain.com (server.crt, server.key)

I used Squid 3.4.10 from CentOS repository and configured iptables DNAT rules for intercepting.

Squid config:
https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>
acl MYSITE dst 1.2.3.4
ssl_bump server-first MYSITE
ssl_bump none all

Everything worked perfectly. All traffic to https://abc.mydomain.com was bumped for caching purposes,
all traffic to other https websites was simply tunneled. Squid did not need to generate faked server certificates
and clients were left untouched (no proxy settings, no self-signed CA).

Now some parts of the website are delivered by Amazon CloudFront. CloudFront has the SSL certificate installed
(same officially signed certificate as mentioned above).

Additional website/hostname: https://xyz.mydomain.com
DNS: xyz.mydomain.com CNAME <distribution>.cloudfront.net
Official wildcard certificate: CN = *.mydomain.com (server.crt, server.key)

I cannot simply extend my ACL with all destination IPs used by CloudFront, because these are shared IPs and
CloudFront needs to know which domain/hostname is asked to provide the correct certificate. Usually a client
uses the SNI extension of TLS to transmit the required domain/hostname.

I have heard of the new "SSL Peek and Splice" feature in Squid 3.5 but don't get it working (Squid 3.5.9).

My assumption is that I have to use in Squid's config:
https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>
acl MYSITE ssl::server_name .mydomain.com
ssl_bump bump MYSITE
ssl_bump splice all

This results in tunneling all https traffic, nothing will be bumped and cached. I'm a little bit confused about the
documentation:

Under the headline "Processing steps":
Step 2:

  1. Get TLS clientHello info, including SNI where available. 

Under the headline "Actions":
peek/stare Receive client SNI (step1), ...

Is it possible to achieve my goal with Squid in transparent mode?
In other words: Is there a way to bump https connections to destinations with shared IPs?

Best,
Stefan
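The squid.conf fragment below is an added example, not part of the post above and not Squid project documentation. It keeps the https_port line, certificate, port and ACL name from the post and adds the at_step ACLs that Squid 3.5's peek-and-splice feature documents. The point it illustrates: at SslBump1 Squid has not yet read the ClientHello, so on an intercepted connection the ssl::server_name ACL can only see the destination IP, and a hostname ACL like .mydomain.com cannot match; a "bump MYSITE" rule at step 1 therefore never fires and "splice all" wins. Peeking at step 1 and deciding at step 2, after the SNI is known, is what allows bumping a hostname that lives on a shared CloudFront IP.

```conf
# Added example (assumptions: same certificate, port and iptables DNAT as in the post)
https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>

# Processing-step ACLs from Squid 3.5 peek-and-splice
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Hostname ACL: only meaningful once the ClientHello (with SNI) has been read
acl MYSITE ssl::server_name .mydomain.com

# Step 1: do not decide yet, read the TLS ClientHello first (this is "peek")
ssl_bump peek step1

# Step 2: SNI is now available, so MYSITE matches xyz.mydomain.com even on a
# shared CloudFront IP; everything else is spliced (tunneled) untouched
ssl_bump bump MYSITE
ssl_bump splice all
```

Do not add a second "peek" at step 2 for connections you intend to bump: once Squid has peeked at the server's certificate it can no longer bump that connection; "stare" is the step-2 action that keeps bumping possible.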

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
