On 11/5/19 1:26 AM, John Lowry wrote:
> I've tried many, many different settings and I always get traffic
> bumped. Here is an example:
> http_port 3128 intercept
>
> https_port 3129 intercept tls-cert=/etc/squid/ssl_cert/myCA.pem
> tls-key=/etc/squid/ssl_cert/myCA.pem

The above configuration does not enable SslBump features.

> ssl_bump peek step1
> ssl_bump peek step2
> ssl_bump splice step2

These rules are poorly written (the last one will never match), but they are unused because the port directives do not enable SslBump. If an SSL connection is bumped (or even peeked at!) with the above configuration, then there is a Squid bug somewhere. However, I do not think your TLS connections are actually bumped. Please see below.

> I've tried setting debug_options to 9 but cannot see anything useful in
> the logs to indicate why it is not splicing. I always just see the full
> set of request headers in the logs for HTTPS connections, indicating
> that the connection is bumped.

I suspect your Squid is acting as an intercepting HTTPS proxy: It terminates all intercepted SSL connections as if they were directed at the Squid instance itself. The end result will look similar to bumping from an "I can see the headers" point of view. You may be able to tell the difference by looking at certificate details: With an HTTPS proxy, all connections will have the same leaf myCA.pem certificate, as opposed to a mimicked origin server certificate signed by myCA.pem. There may be other, more obvious signs, like the details of the "Accepting..." lines that Squid reports at startup.

> One thing I did notice is that the ssl logformat options do not work. I
> get errors like this on restart:
> FATAL: Can't parse configuration token: '%ssl::>sni'

Was your Squid built with OpenSSL support? The details are version-specific, but you can find them (and the configuration result) using the following commands:

./configure --help | fgrep -5i ssl
squid -v

Alex.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
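An added example, not part of the thread, that checks a squid.conf for the two problems Alex points out: ssl_bump rules with no port that actually carries the ssl-bump option, and an ssl_bump rule shadowed by an earlier one (it also flags rules that follow a rule restricted only by "all", which goes beyond the quoted config). The sample configuration is constructed from the one quoted above.

```shell
# Added example, not code from the thread: lint a squid.conf for dead SslBump setup.

# Print the http_port/https_port lines that carry the ssl-bump option; ssl_bump
# rules only apply to connections arriving on such a port.
ports_with_sslbump() {
    awk '$1 ~ /^https?_port$/ {
        for (i = 2; i <= NF; i++) if ($i == "ssl-bump") { print; break }
    }' "$1"
}

# Print ssl_bump rules that can never match: Squid takes the first matching rule at
# each step, so a repeated ACL list, or anything after a rule restricted only by "all", is dead.
shadowed_ssl_bump_rules() {
    awk '$1 == "ssl_bump" {
        acls = ""
        for (i = 3; i <= NF; i++) acls = acls " " $i
        if (seen_all || (acls in seen))
            print "unreachable: " $0
        else
            seen[acls] = 1
        if (acls == " all") seen_all = 1
    }' "$1"
}

# Exit 0 when the configuration passes both checks, 1 otherwise.
lint_squid_conf() {
    rc=0
    if grep -q '^ssl_bump' "$1" && [ -z "$(ports_with_sslbump "$1")" ]; then
        echo "ssl_bump rules present, but no *_port line has ssl-bump: SslBump is off"
        rc=1
    fi
    shadowed=$(shadowed_ssl_bump_rules "$1")
    if [ -n "$shadowed" ]; then
        printf '%s\n' "$shadowed"
        rc=1
    fi
    return $rc
}

# Constructed sample: the configuration quoted in the thread.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
http_port 3128 intercept
https_port 3129 intercept tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem
ssl_bump peek step1
ssl_bump peek step2
ssl_bump splice step2
EOF
lint_squid_conf "$SAMPLE_CONF" || echo "squid.conf needs attention"
```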