On 16/08/18 19:34, David Touzeau wrote:
> Thanks Amos for details.
>
> Working like a charm now.
>
> Instead of sending https://192.168.1.122:443/myguard.php?rule-id=0&....
>
> Helper sends 192.168.1.122:443
>

That is only useful if the server at that IP:port can present the client with a TLS certificate valid for the server the client thinks it is connected to, i.e. all the SSL-Bump equivalent logic is in that server. In which case there is likely no point to having the traffic NAT'ed to Squid. Just have your NAT and/or routing send it directly into that server.

> "url_rewrite_access deny CONNECT" is not a solution because everything uses SSL today (thanks to Google, that wants to encrypt all the Net and make proxies/Firewalls/ICAP unusable) and many Porn/Malware/Hacking/Hacked websites use SSL.
>

If you are SSL-Bump'ing in Squid then you need to not rewrite the initial CONNECT message (or two) - doing so will interfere with the server which bumping is interacting with.

IIRC the at_step ACL type can be used in the *_access rules as well to skip ("deny CONNECT foo") the helper query until the ssl_bump processing is expected to be completed.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
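The following squid.conf fragment is an added illustration of the approach Amos describes, not configuration from the thread or from the Squid project itself. It assumes an `https_port ... ssl-bump` with a generated signing CA is already configured (omitted here), that the helper path is a placeholder, and, as Amos says "IIRC", that the `at_step` ACL matches inside `url_rewrite_access` (treated here as an assumption to verify against your Squid version).

```conf
# Added example, not from the original thread.
# Helper path is a placeholder; replace with your own url_rewrite program.
url_rewrite_program /usr/local/bin/myguard-helper
url_rewrite_children 5 startup=1 idle=1

# SSL-Bump processing steps (acl type at_step).
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Peek at the TLS ClientHello on step 1, then bump on step 2 so that the
# decrypted GET/POST requests carry full https:// URLs when they reach the helper.
ssl_bump peek step1
ssl_bump bump all

# Problematic form (what the thread starts from): every CONNECT is handed to
# the helper, which then only sees "host:port" and can at best redirect the
# tunnel to another TLS server. That server must present a certificate valid
# for the origin the client expects, which is exactly the bumping work Squid
# was supposed to do.
#   url_rewrite_access allow all

# Corrected form: do not send the CONNECT messages of the peek/bump steps to
# the helper (assumption: at_step matches here, as Amos recalls). Once the
# connection is bumped, the inner requests are no longer CONNECT, so they
# still reach the helper with their full URL, which answers the objection
# that "deny CONNECT" throws away all HTTPS traffic.
url_rewrite_access deny CONNECT step1
url_rewrite_access deny CONNECT step2
url_rewrite_access allow all
```

With this layout the helper never influences the TLS handshake that Squid's bumping performs against the origin, and the decision about an HTTPS request is taken on the decrypted request line rather than on a bare host:port.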