On 29/01/20 4:32 pm, aashutosh kalyankar wrote:
> As suggested, I removed the settings for explicit proxy and have NAT
> move the HTTP/HTTPs request to squid intercept ports, and all the web
> traffic is now going through the proxy server (I see certs and
> connection requests in the cache log file).
>
> I have a follow-up question. Any idea how do we accurately test to make
> sure if SSL bump is happening for a connection?

Use any tools that you like which can show the TLS server certificate
and CA certificate that signed it.

* When 'bump' action takes place the certificate will be signed by the
  CA cert you configured Squid to use.

* When 'splice' action takes place the certificate will be its normal one.

> I have doubts as I was expecting, "Your connection is not Private" error
> when no CA cert on my browser.

That message does not mean what the hype claims. It is security theatre
by the Browser folks to force web developers to use TLS / HTTPS.

> CA cert or no CA cert in my cert-manager
> does not affect the connection.

*That* is a worry. You should at least see a difference between those
two cases.

> Also, I read in some articles that
> dropbox and apple app store will not work if SSL Bump is active, but it
> works for me without any issues.

That depends on device type and such details. Squid is also constantly
improving in these areas.

> I was able to verify that websites in the ssl::server_name acl whitelist
> do not use squid generated certs for connection, as expected.
>
> Squid file:
>> acl localnet src 172.22.22.0/24
>> acl localnet src 172.16.10.0/24
>> acl localnet src 172.18.10.0/24
>> acl localnet src 10.0.0.0/8
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet
>> http_access allow localhost
>>
>> http_access deny all
>> http_port 3129 intercept
>> https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_certs/myCA1.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> acl nobumpSites ssl::server_name "/etc/squid/whitelist.txt"
>>
>> ssl_bump peek step1 all

No need for that "all".

>> ssl_bump splice nobumpSites
>> ssl_bump stare step2
>> ssl_bump bump step3

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
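An added example (not part of the thread above, and not Squid's own tooling) of the check Amos describes: from a client behind the intercept NAT rule, validate the presented chain once against only the Squid CA from the https_port line and once against the system store; a chain that validates only against the Squid CA was bumped, one that validates only against the system store was spliced. The CA path is taken from the quoted config and the target hostname is a placeholder.

```python
import socket
import ssl

# Paths and hosts here are assumptions for illustration: the CA file is the
# cert= value from the https_port line in the thread, the host is a placeholder.
SQUID_CA_PEM = "/etc/squid/ssl_certs/myCA1.pem"
HOST, PORT = "example.com", 443


def chain_verifies(host, port, cafile=None, timeout=5.0):
    """True if the TLS chain presented for host validates against cafile
    alone (when given) or against the system trust store (cafile=None)."""
    # create_default_context() loads ONLY cafile when one is passed, so the
    # system roots are not consulted in that case.
    ctx = ssl.create_default_context(cafile=cafile) if cafile else ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert() is not None
    except ssl.SSLCertVerificationError:
        # Covers both an untrusted issuer and a hostname mismatch.
        return False


def classify(trusted_by_squid_ca, trusted_by_system):
    """Map the two verification outcomes to the ssl_bump action observed."""
    if trusted_by_squid_ca and not trusted_by_system:
        return "bump"       # generated cert, signed by myCA1
    if trusted_by_system and not trusted_by_squid_ca:
        return "splice"     # the origin server's own certificate came through
    if trusted_by_squid_ca and trusted_by_system:
        # The Squid CA has been imported into the system store too, so this
        # test cannot distinguish the cases: compare the issuer name instead.
        return "ambiguous"
    return "untrusted"      # neither validates (bad CA file, error page, ...)


def probe(host=HOST, port=PORT, cafile=SQUID_CA_PEM):
    return classify(chain_verifies(host, port, cafile), chain_verifies(host, port))


if __name__ == "__main__":
    print(f"{HOST}:{PORT} -> {probe()}")
```

Run it twice, once for a host on the whitelist and once for a host that is not, and the two results should differ; if they do not, that is the same symptom Amos calls a worry above.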