Re: ssl-bump


@Alex, could you please share the config options that you set while building squid for ssl-bumping? I have been having a really tough time getting it right. Also, which OS are you running it on?

My use case is to enable ssl-bump and cache https content (documents, videos, etc. that are downloaded from an SSL-enabled site).

On 9 February 2016 at 06:54, Alex Samad <alex@xxxxxxxxxxxx> wrote:
Hi

Got this working. Wondering what the benefits are; wandering around
Google, YouTube, Facebook, not seeing much cache. At least I can pass
downloads through clamav...

Are other people seeing caching of these sites?


On 9 February 2016 at 11:09, Alex Samad <alex@xxxxxxxxxxxx> wrote:
> got the ACL backwards
>
> # ssl-bump
> # pick up from a file
> #acl NoBump ssl::server_name   /etc/squid/lists/noSSLPeek.lst
>
> # Alex test machine
> acl testIP src  10.172.208.105
>
> # for testing
> acl haveServerName ssl::server_name .google.com
>
>
> # Do no harm:
> # Splice indeterminate traffic.
> ssl_bump splice !testIP
> ssl_bump splice NoBump
> ssl_bump bump haveServerName
> ssl_bump peek all
> ssl_bump splice all
>
> On 9 February 2016 at 10:52, Alex Samad <alex@xxxxxxxxxxxx> wrote:
>> Hi
>>
>> Starting to look at ssl-bump found
>> http://wiki.squid-cache.org/Features/SslPeekAndSplice
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>>
>> I gather I need to modify my http_port to look something like
>>
>> http_port 3128 ssl-bump \
>>   cert=/etc/squid/ssl_cert/myCA.pem \
>>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>
>>
>> from http_port 3128
>>
>> I have generated an int CA of our internal CA, the cert option above
>> points to a pem file. Does that have pub and private in there?
>>
>> I wanted to test this on a specific IP so using
>>
>> # pick up from a file
>> acl NoBump ssl::server_name   /etc/squid/lists/noSSLPeek.lst
>> acl NoBump src  <testip>
>>
>> # for testing
>> acl haveServerName ssl::server_name google.com
>>
>>
>> # Do no harm:
>> # Splice indeterminate traffic.
>> ssl_bump splice NoBump
>> ssl_bump bump haveServerName
>> ssl_bump peek all
>> ssl_bump splice all
>>
>>
>> The way I read this is if I come from an address other than the
>> testip, the connect goes through.
>> But for the test IP I try and peek and if not splice.
>>
>> Create and initialize SSL certificates cache directory <<< where do I
>> set this directory in squid config?
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users