Thank you for the swift response, Alex. My main goal is to be able to use Suricata or Snort to analyze the decrypted HTTPS traffic/payload. Suricata/Snort is looking at the interface and naturally will only see the HTTPS messages encrypted, as the Squid server receives the messages encrypted and sends them out encrypted. So I am actually trying to send the proxied HTTPS messages decrypted. I hope that makes sense.... Sorry if I misunderstood your explanation, and all the help is greatly appreciated, so thank you!

Best regards,
Sam Castellano

----- Original Message -----
From: "Alex Rousskov" <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
To: "Sam Castellano" <scastellano@xxxxxxxxxxxxxxx>, "squid-users" <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, April 17, 2020 11:49:13 AM
Subject: Re: ssl proxy and decrypted forwarding

On 4/17/20 11:22 AM, Sam Castellano wrote:
> My question relates to SSL bumping and potentially ICAP/eCAP
> functionality. I currently have SSL bump/interception working and
> communicating with a local ICAP server. I'm trying to understand the
> process of how the decrypted data gets sent to the ICAP server for
> analysis in things such as ClamAV etc. My goal is to have the decrypted
> traffic analyzed by Suricata, preferably on a separate box if possible.

I do not know what particular information you are looking for, but ICAP mechanics are documented in RFC 3507 while eCAP mechanics are documented at www.e-cap.org.

If you are worried about exposing proxied HTTP[S] messages in transit to your ICAP service, then consider using a "Secure ICAP" service (for a starting point, look for those two words in squid.conf.documented).

N.B. Neither ICAP nor eCAP know about SslBump. In an SslBump context, they just get CONNECT requests and the HTTP messages decrypted by Squid. The same is true for the majority of Squid features -- while inside Squid, decrypted HTTP traffic is usually handled similarly to plain HTTP traffic.

HTH,
Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
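To make concrete what the thread describes (Squid handing an ICAP service the HTTP message it has already decrypted under SslBump, in the RFC 3507 RESPMOD shape), here is an added example written for this page; it is not code from the thread, from Squid, or from any ICAP server. It builds a RESPMOD request the way an ICAP client would, then parses it on the service side, decodes the chunked body, and returns either a `204 No Content` or a replacement `403` response. The hostnames are placeholders, the sample HTTP exchange is constructed, and `looks_suspicious` is a stand-in for handing the clear-text bytes to a scanner such as the ClamAV or Suricata setup discussed above. Because the encapsulated HTTP parts travel in clear text on the ICAP connection, this is also why the "Secure ICAP" suggestion matters once the service lives on a separate box.

```python
"""Minimal RFC 3507 ICAP RESPMOD builder/parser (added example, not Squid code).

The ICAP client (Squid, after SslBump) concatenates the decrypted HTTP request
headers, response headers and chunked response body after the ICAP headers and
describes their byte offsets in the Encapsulated header. The service side reads
those offsets back to recover each part.
"""
from dataclasses import dataclass

CRLF = b"\r\n"

# Constructed sample of a bumped https:// exchange; hostnames are placeholders.
REQ_HDR = (b"GET https://www.example.invalid/download.bin HTTP/1.1" + CRLF
           + b"Host: www.example.invalid" + CRLF + CRLF)
RES_HDR = (b"HTTP/1.1 200 OK" + CRLF
           + b"Content-Type: application/octet-stream" + CRLF + CRLF)
RES_BODY = b"hello CONSTRUCTED-TEST-MARKER world"


def encode_chunked(payload, chunk_size=16):
    """HTTP/1.1 chunked transfer coding, as ICAP requires for bodies."""
    out = b""
    for i in range(0, len(payload), chunk_size):
        chunk = payload[i:i + chunk_size]
        out += b"%x" % len(chunk) + CRLF + chunk + CRLF
    return out + b"0" + CRLF + CRLF


def decode_chunked(data):
    """Reverse of encode_chunked; stops at the zero-length terminator chunk."""
    out, pos = b"", 0
    while True:
        line_end = data.index(CRLF, pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # ignore extensions
        pos = line_end + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2  # skip chunk data plus its trailing CRLF


def build_respmod(req_hdr, res_hdr, res_body,
                  service="icap://icap.example.invalid/respmod"):
    """What the ICAP client sends: ICAP headers, then the encapsulated parts."""
    encapsulated = "req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    head = ("RESPMOD %s ICAP/1.0\r\nHost: icap.example.invalid\r\n"
            "Allow: 204\r\nEncapsulated: %s\r\n\r\n" % (service, encapsulated))
    return head.encode() + req_hdr + res_hdr + encode_chunked(res_body)


@dataclass
class IcapMessage:
    start_line: str
    icap_headers: dict
    req_hdr: bytes
    res_hdr: bytes
    body: bytes


def parse_encapsulated(value):
    """'req-hdr=0, res-hdr=84, res-body=143' -> [('req-hdr', 0), ...]"""
    parts = []
    for item in value.split(","):
        name, _, offset = item.strip().partition("=")
        parts.append((name, int(offset)))
    return parts


def parse_icap(raw):
    """Split an ICAP request or response into its headers and HTTP parts."""
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        key, _, val = line.decode().partition(":")
        headers[key.strip().lower()] = val.strip()
    parts = parse_encapsulated(headers["encapsulated"])
    sections = {}
    for idx, (name, offset) in enumerate(parts):
        if name.endswith("-body"):      # the body entry is always last (RFC 3507)
            sections[name] = rest[offset:]
        else:                            # header sections end where the next begins
            sections[name] = rest[offset:parts[idx + 1][1]]
    chunked = sections.get("res-body") or sections.get("req-body")
    body = decode_chunked(chunked) if chunked else b""
    return IcapMessage(lines[0].decode(), headers,
                       sections.get("req-hdr", b""), sections.get("res-hdr", b""), body)


def looks_suspicious(body):
    """Stand-in for a real scanner verdict; matches a constructed marker only."""
    return b"CONSTRUCTED-TEST-MARKER" in body


def build_response(msg, block):
    """204 when the client allows it and nothing was found, else a 200 with a new body."""
    if not block and "204" in msg.icap_headers.get("allow", ""):
        return b"ICAP/1.0 204 No Content" + CRLF + CRLF
    if block:
        res_hdr = b"HTTP/1.1 403 Forbidden" + CRLF + b"Content-Type: text/plain" + CRLF + CRLF
        body = b"Blocked by content policy.\n"
    else:
        res_hdr, body = msg.res_hdr, msg.body   # client lacks Allow: 204, echo it back
    encapsulated = b"res-hdr=0, res-body=%d" % len(res_hdr)
    return (b"ICAP/1.0 200 OK" + CRLF + b"Encapsulated: " + encapsulated + CRLF + CRLF
            + res_hdr + encode_chunked(body))


def handle_respmod(raw):
    """Service-side round trip: parse, inspect the clear-text body, answer."""
    msg = parse_icap(raw)
    return build_response(msg, looks_suspicious(msg.body))


if __name__ == "__main__":
    print(handle_respmod(build_respmod(REQ_HDR, RES_HDR, RES_BODY)).decode())
```

Run it to see the block response for the marked sample; swap `RES_BODY` for clean bytes and the service answers with `204 No Content` instead, which is the cheap path an ICAP client takes when it advertised `Allow: 204`.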