On 19/05/2016 2:14 a.m., se@xxxxxx wrote:
> Hello!
>
> I am currently setting up a squid server, which should serve as a
> transparent proxy in our network.
>
> We mainly need it to do the following:
> Allow and Block Domains on HTTP and HTTPS protocol (withOUT bumping the
> traffic). We only want to allow domain names on the SSL port, no URLs.
>
> It actually works fine for HTTP, but I can't configure the "peek and
> splice" method for the HTTPS traffic.
>
> I have come to a point where HTTP access is being filtered exactly as I
> wanted, but the following odd error occurs when visiting HTTPS sites:
>
> When using "https_port 10.0.0.222:3130 cert=/root/cert.pem
> key=/root/key.pem ssl-bump intercept"
> I get an Access Denied Error for any Website I try to access, which
> occurred while "trying to retrieve the URL: 10.0.0.222:3130"!

It appears you are not doing NAT on the Squid machine. That is mandatory for interception.

> If I configure the https_port option with "accel vhost allow-direct"
> like the http_port, the allowed Pages work fine but with squid's
> certificate.

'accel' mode is very much *not* transparent, nor equivalent to intercept mode. Using 'accel' mode tells Squid *it* is supposed to be the public origin server for the received web request.

The behaviour differences are not very visible in plain-text HTTP - though there are some. In TLS the differences are very much visible in the way the certificates are used. Which you are now seeing.

> Somewhere the Squid seems to redirect its actual https traffic back to
> itself when using the "intercept" option and that is why I cannot use
> the splice method.

'intercept' mode tells Squid to look up the NAT details and obey the requirements of acting "transparent" with regards to traffic delivery. Delivering it to the same place it was originally going to when it entered the machine.

If you are doing NAT external to the Squid machine it is your NAT setup which is causing the problem. Not Squid.

Your message reads to me like Squid is behaving correctly for the modes of operation you configured it to follow.

You need to fix the NAT setup. Route or tunnel the traffic to the Squid machine and do the NAT there. Then intercept and SSL-Bump will start working, for both http_port and https_port.

Amos
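As an added illustration (not from Amos's reply or the Squid project) of the setup the reply describes: NAT done on the Squid host itself, with peek-then-splice limited to SNI names and no bumping. The interface name eth0, the local ports 3129/3130, the client subnet and the allowed domains are assumptions; the cert/key paths are the ones from the question.

```conf
# --- On the Squid host: NAT the intercepted traffic locally (assumed iface eth0).
# Doing REDIRECT here, not on an upstream router, is what lets 'intercept'
# mode recover the original destination instead of looping back to Squid.
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80  -j REDIRECT --to-ports 3129
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 3130

# --- squid.conf fragment (assumed client subnet 10.0.0.0/24)
acl localnet src 10.0.0.0/24

# Plain intercept port for HTTP; 'intercept', not 'accel', so Squid
# forwards to the original destination rather than acting as the origin.
http_port 3129 intercept

# HTTPS intercept port; ssl-bump is required to peek, even if we never bump.
https_port 3130 intercept ssl-bump cert=/root/cert.pem key=/root/key.pem

# Domain-only allow list for TLS, matched on the ClientHello SNI.
# Example domains are placeholders.
acl allowed_https ssl::server_name .example.com .example.org
acl step1 at_step SslBump1

# Step 1: read the SNI without touching the TLS handshake.
ssl_bump peek step1
# Allowed names are spliced through untouched (no Squid certificate shown).
ssl_bump splice allowed_https
# Everything else is closed at the TCP level; no URL is ever inspected.
ssl_bump terminate all

# Allow the intercepted clients through the normal access checks.
http_access allow localnet
http_access deny all
```

Note that clients which send no SNI fall back to matching on the intercepted IP address, so such connections hit the `terminate all` rule unless their destination is also listed.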