Re: ssl-bump and accel

This is what needs to be done to get it to work in Squid >3.5, in the function ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const Dns::LookupDetails &dns):

modify:
    }
    debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");

to:
    }
    if (!Config.onoff.hostStrictVerify) {
                if ((ia != NULL) && (ia->count > 0)) {
                        unsigned short _port = clientConn->local.port();
                        clientConn->local = ia->in_addrs[0];
                        clientConn->local.port(_port);
                        http->request->flags.hostVerified = true;
                        http->doCallouts();
                        return;
                }
    }
    debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");
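Review bot: With hostStrictVerify off, the added block takes the first address the Host: header resolved to (ia->in_addrs[0]), overwrites clientConn->local with it, sets flags.hostVerified and returns, so the "FAIL: validate IP ... possible from Host:" path and whatever handling follows it are never reached for any Host: value that resolves at all. That inverts what this function is for: the reason the Host: header is compared against the intercepted destination is that a client on an intercept port must not be able to pick the upstream server by sending an arbitrary Host:, and with this change a client on a non-strict intercept port does exactly that. If the intent is only to let an accel or bumped port route by name, gate the rewrite on that port's configuration rather than on hostStrictVerify, do not set hostVerified for a destination that was not actually verified (mark the request as pinned to the rewritten address instead), and log the rewrite at the same debug level as the FAIL line so it can be seen in cache.log. Minor: the new block mixes spaces and tabs in its indentation.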

On Wed, Jan 6, 2016 at 2:14 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 6/01/2016 8:30 a.m., Nir Krakowski wrote:
> how can you combine accel proxy with ssl-bump ?
>

To use accel mode the proxy needs to be an origin for the domain and
thus have access to the server's TLS private keys. If you have those keys
just use a normal https_port (note the 's') to receive the traffic - no
bumping (TLS MITM) required.


> the problem: intercept mode looks at IP addresses
>
> requested solution: we need to look at the SNI info..

You don't seem to understand intercept mode. It is TCP level MITM.
All the proxy receives from TCP is IP address and port details. So those
are considered *first*.

Only if those details are acceptable (in the form of "CONNECT raw-IP
HTTP/1.1") does Squid go on to do the additional complexity of MITM at
the TLS level.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
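The order Amos describes above (the proxy first knows only the intercepted IP:port, and only afterwards sees the TLS ClientHello and its SNI) is the reason a client-supplied name has to be checked against the original destination rather than trusted. The following is an added example and is not code from the original post or from Squid: it parses the SNI out of a TLS ClientHello and applies to it the same kind of check that hostHeaderIpVerify applies to the Host: header, so the name only ever confirms the destination the client was already connecting to and never selects the upstream. The ClientHello bytes, the FAKE_DNS table and the names in it are constructed for the example; the non-strict behaviour (on mismatch, forward to the original destination rather than follow the name) is modelled on how I understand host_verify_strict off to work and is an assumption here, not a statement about Squid's implementation.

```python
"""Added example (not Squid code): extract the SNI from an intercepted TLS
ClientHello and verify it against the original TCP destination, the way
Squid's hostHeaderIpVerify checks the Host: header.  All input below is
constructed for the example; FAKE_DNS stands in for a real resolver."""
import ipaddress
import struct
from typing import Optional, Tuple


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:            # ContentType handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:                # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                        # client_version + random
    pos += 1 + hs[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                  # compression_methods
    if pos + 2 > len(hs):
        return None                                     # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        ext = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:                          # only the server_name extension
            continue
        q, list_end = 2, 2 + struct.unpack("!H", ext[0:2])[0]
        while q + 3 <= list_end:
            name_type = ext[q]
            name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
            name = ext[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                          # NameType host_name
                return name.decode("ascii")
    return None


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record (test input, not captured traffic)."""
    hs = (b"\x03\x03" + bytes(32)       # client_version, random (zeroed for the example)
          + b"\x00"                     # empty session_id
          + b"\x00\x02\x13\x01"         # one cipher suite
          + b"\x01\x00")                # null compression only
    if sni is not None:
        name = sni.encode("ascii")
        sn_list = b"\x00" + struct.pack("!H", len(name)) + name
        sn_ext = struct.pack("!H", len(sn_list)) + sn_list
        exts = struct.pack("!HH", 0x0000, len(sn_ext)) + sn_ext
        hs += struct.pack("!H", len(exts)) + exts
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


# Constructed stand-in for the proxy's DNS cache; addresses are documentation ranges.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "evil.example.net": ["198.51.100.7"],
}


def verify_intercepted_dst(record: bytes, original_dst: str, strict: bool,
                           resolver=FAKE_DNS) -> Tuple[str, Optional[str]]:
    """Decide where an intercepted connection may go.

    Returns (verdict, upstream_ip).  The name the client sent only confirms the
    destination it was already connecting to; it never selects the upstream.
    The non-strict branch (pin to original_dst on mismatch) is an assumption
    modelled on host_verify_strict off, not Squid's code.
    """
    sni = extract_sni(record)
    if sni is None:
        return ("no-sni", original_dst)              # nothing to verify; keep original dst
    resolved = {ipaddress.ip_address(a) for a in resolver.get(sni.lower(), [])}
    if ipaddress.ip_address(original_dst) in resolved:
        return ("verified", original_dst)
    if strict:
        return ("rejected", None)                    # mismatch, strict: refuse the request
    return ("failed", original_dst)                  # mismatch, lenient: never follow the name


if __name__ == "__main__":
    cases = [("www.example.com", "93.184.216.34"),
             ("www.example.com", "198.51.100.7"),   # SNI says one host, TCP went elsewhere
             (None, "198.51.100.7")]
    for name, dst in cases:
        print(name, dst, verify_intercepted_dst(build_client_hello(name), dst, strict=False))
```

The second case is the one the thread is really about: the client's TCP connection went to 198.51.100.7 but its SNI names www.example.com. Neither branch ever replaces the upstream with an address resolved from the client-supplied name; the strict branch refuses, the lenient branch keeps the address the client was actually connecting to.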
