
Re: Problems with peek and splice through parent proxy

On Wed, Jul 11, 2018 at 7:03 PM Hess, Niklas <Niklas.Hess@xxxxxxxxxxxxxxxxx> wrote:

Hello list,

 

I'm setting up a Squid proxy specifically to scan the incoming traffic from a cloud platform.

ClamAV should scan the incoming traffic.

 

So far so good.

 

The cloud uses WebDAV over HTTPS, so I have to SSL-Bump the incoming traffic via Peek and Splice Feature.

That does work with the internal CA-signed certificate.

 

But as soon as I add a cache_peer as a “parent proxy” it does not work. (This request could not be forwarded to the origin server or to any parent caches.)

I just get “FwdState.cc(813) connectStart: fwdConnectStart: Ssl bumped connections through parent proxy are not allowed” in the cache.log

 

And yes, I know ssl-bump through a parent proxy is a security issue and might be insecure, but the connection to the parent is internal, safe and secure.

I don't know how, but could there be a way to "comment out" that section in the fwdConnectStart source file?

 

Squid Cache: Version 3.5.27

Service Name: squid

configure options:  '--with-openssl' '--enable-ssl-crtd'

 

 

Here's my "minimal" SSL-Bump config:

 

### Start config

debug_options ALL,6
shutdown_lifetime 1 seconds

http_port 8080 ssl-bump cert=/usr/local/squid/etc/ssl_cert/Squidtest.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 25 startup=5 idle=10

cache_peer 10.106.3.66 parent 8080 0 no-query no-digest name=parent

never_direct allow all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

ssl_bump bump all

Did you forget to copy at_step acls?

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

http_access allow all

### End config

 

Thanks for any help!

Niklas

 


Trainee Niklas Hess
Application Management Team

Eigenbetrieb Informationstechnologie des Wetteraukreises
61169 Friedberg
Europaplatz
Gebäude B
Phone: 06031 83-6526
Mobile:

Fax: 06031 83-916526
www.wetteraukreis.de

Information on data protection is available on our data protection page www.datenschutz.wetterau.de
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient, please inform the sender immediately and destroy this e-mail. Unauthorised copying or forwarding of this e-mail is not permitted.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


--

- Kedar
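A layout that avoids the cache.log error, as an added example that is not from the original post or from the Squid project: Squid 3.5 refuses to hand a bumped connection to a cache_peer (the FwdState.cc "Ssl bumped connections through parent proxy are not allowed" line quoted above), so the usual arrangement keeps the parent for plain HTTP and lets bumped HTTPS go direct via always_direct, while the at_step ACLs drive peek-then-bump. The 10.106.0.0/16 client range, the sslproxy_cafile path and the choice to bump everything rather than splice some of it are assumptions; the ports, paths and parent address are taken from the posted config.

```conf
# Added example, not the original poster's config. Assumptions are marked.
debug_options ALL,1
shutdown_lifetime 1 seconds

http_port 8080 ssl-bump cert=/usr/local/squid/etc/ssl_cert/Squidtest.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 25 startup=5 idle=10

# "http_access allow all" makes the box an open proxy; restrict to the
# network the cloud connector actually sits on (range is an assumption).
acl localnet src 10.106.0.0/16
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# TLS handling: peek at the ClientHello (step 1) so the server name is
# known, then bump at step 2 so the decrypted WebDAV traffic can be scanned.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Verify upstream certificates against the internal CA instead of disabling
# verification. sslproxy_cert_error is left at its default (deny), so a bad
# upstream certificate produces an error page rather than being bumped through.
# (path is an assumption)
sslproxy_cafile /usr/local/squid/etc/ssl_cert/internal-ca.pem

# Parent proxy stays in place for plain HTTP.
cache_peer 10.106.3.66 parent 8080 0 no-query no-digest name=parent

# Bumped connections cannot be sent to a cache_peer in 3.5, so HTTPS goes
# direct to the origin. always_direct is evaluated before never_direct, so
# the never_direct rule below still routes everything else via the parent.
# The decrypted requests inside a bumped session carry port 443 and match
# SSL_ports, as does the CONNECT itself.
always_direct allow SSL_ports
never_direct allow all
```

Check the file with `squid -k parse -f /usr/local/squid/etc/squid.conf` before reloading, then fetch one HTTPS URL through port 8080 and confirm cache.log no longer shows the fwdConnectStart line while a plain http:// fetch still appears on the parent. Splicing instead of bumping would also avoid the error, since a spliced CONNECT is tunnelled to the parent unchanged, but then ClamAV never sees the payload, which defeats the purpose described in the post.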