On 22/12/2015 2:34 a.m., dc wrote:
>
> On 19.12.2015 at 00:52, Amos Jeffries wrote:
>> Why not?
>> * NAT/TPROXY is mandatory to happen on the Squid machine directly since
>> kernel and Squid are performing integrated operations.
>> * PROXY protocol passes the ORIGINAL_DST explicitly over the wire.
>> * SSL-Bump all happens "inside Squid".
>>
>> Those are the only forms of interception Squid supports.
>>
> Thanks for making that clear! I fixed my setup accordingly. Squid now
> gathers original IP addresses from NAT.
> I also enabled host_verify_strict, which should make sure requests are
> always sent to correct IP addresses. Is there an equivalent setting for
> peek-and-spliced HTTPS connections? Or does host_verify_strict cover
> that case as well? This would be important, since otherwise a malicious
> application could bypass the whitelist ACLs I have installed.

The SSL-Bump code is still undergoing polishing and still very much
experimental / volatile, so YMMV on vulnerability but it won't be
CVE-2009-0801.

That is just because the situation is rather different with TLS/SSL.
Server certificates are involved to authenticate the connection level
details. The TLS connections with server-first style of bumping are also
set up and pinned at the TCP layer before HTTP messages get involved. So
the outbound connection has nothing to do with the HTTP message Host
header on the intercepted/decrypted messages.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
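The plain-HTTP case dc is asking about (an intercepted request whose Host header names a different server than the one the client actually connected to, the CVE-2009-0801 pattern) can be modelled as a small check. This is an added illustration, not Squid's code: it approximates what host_verify_strict is meant to enforce, comparing the NAT-recovered ORIGINAL_DST against the addresses the Host name resolves to, using a constructed in-memory resolver and whitelist in place of real DNS and ACLs.

```python
"""Model of strict Host-header verification for intercepted HTTP (added example)."""
from dataclasses import dataclass

# Constructed, offline stand-in for DNS: host name -> addresses it resolves to.
FAKE_DNS = {
    "allowed.example": {"192.0.2.10", "192.0.2.11"},
    "blocked.example": {"198.51.100.5"},
}

# Constructed stand-in for a dstdomain whitelist ACL.
WHITELIST = {"allowed.example"}


@dataclass
class InterceptedRequest:
    original_dst: str   # destination IP recovered from NAT (ORIGINAL_DST)
    host_header: str    # Host header as supplied by the client


def host_name(req: InterceptedRequest) -> str:
    """Normalise the Host header: drop an optional :port, lower-case the name."""
    return req.host_header.rsplit(":", 1)[0].lower()


def verify_host(req: InterceptedRequest, resolver=FAKE_DNS) -> bool:
    """True when the Host header is consistent with where the client connected.

    The name in Host must resolve to ORIGINAL_DST; if it does not, the client
    is asking the proxy to open a connection to a server it never reached
    itself, which is the forgery the strict check refuses.
    """
    return req.original_dst in resolver.get(host_name(req), set())


def decide(req: InterceptedRequest) -> str:
    """Ordered decision: verify Host first, then apply the whitelist ACL."""
    if not verify_host(req):
        return "reject: host forgery"
    if host_name(req) not in WHITELIST:
        return "reject: not whitelisted"
    return "forward"
```

A client that reaches an allowed address but sends Host: blocked.example is stopped by the verification step before any name-based ACL is consulted.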