Re: cannot access squid with https_port: 403

On 4/09/19 12:29 am, fansari wrote:
> Thank you for your reply.
> 
> If I drop the keyword "intercept" I get this error message when starting
> squid:
> 
> FATAL: ssl-bump on https_port requires tproxy/intercept which is missing.
> 
> Using "tproxy" does not help me either - I also end up with 403.
> 
> What I want to achieve with my scenario is just caching of https content.

What you have configured is *a* valid configuration for that to happen.

Your test is what is wrong _for that port_.


> 
> Regarding the clients of the real scenario: this will be a Chromium
> application so I could set up a .pac file for example. But before testing
> this I want to have a successful curl test.
> 

Aha. This was the critical missing information.

That means the http_port and ssl_bump lines are what you actually need
to be using.

Remove that https_port line entirely.

Also, remove these lines:
"
 acl bumpedPorts myportname 3129

 http_access allow CONNECT bumpedPorts
 http_access allow CONNECT our_proxy
"

Instead you should have your normal http_access rule(s) for determining
which clients are allowed to use the proxy. If they are allowed to use
the proxy they are allowed to do CONNECT already for the https:// traffic.

Test it like this:
  curl --proxy 192.168.0.1:3128 --cacert ${CERT} https://example.com/


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
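
An added example, not part of the original message or of the poster's configuration: a minimal squid.conf for the explicit-proxy setup the reply describes, with SSL-Bump on http_port and access decided by ordinary client-based http_access rules. The CA file path, the localnet range and the peek/bump policy are assumptions; only port 3128 and the curl test come from the thread.

```conf
# --- Explicit (forward) proxy port --------------------------------------
# Clients (curl --proxy, a browser using a .pac file) connect here and send
# "CONNECT host:443"; Squid then bumps the tunnel.
# Assumption: /etc/squid/bump-ca.pem holds the signing CA certificate and
# its private key in PEM form. Squid 3.5 spells the option cert= instead.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# No https_port line: with ssl-bump it requires intercept/tproxy and then
# only serves traffic diverted to it by NAT/TPROXY, not explicit-proxy
# requests such as the curl test.

# --- SSL-Bump policy (assumed: bump everything) -------------------------
acl step1 at_step SslBump1
ssl_bump peek step1        # read the TLS client hello / SNI first
ssl_bump bump all          # then decrypt so responses can be cached

# --- Who may use the proxy ----------------------------------------------
# Assumption: clients live in 192.168.0.0/24. Keep the default
# Safe_ports / SSL_ports deny rules from the stock squid.conf above these.
acl localnet src 192.168.0.0/24
http_access allow localnet
http_access deny all

# Removed, as advised in the reply:
#   acl bumpedPorts myportname 3129
#   http_access allow CONNECT bumpedPorts
#   http_access allow CONNECT our_proxy
# A client allowed by the rules above may already CONNECT for https://.

# Test from a client (CERT = path to the CA certificate the client trusts):
#   curl --proxy 192.168.0.1:3128 --cacert ${CERT} https://example.com/
```

Clients must trust the bumping CA certificate (the `--cacert` file in the test), and the CA private key on the proxy should be readable only by the Squid user.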