Hi all,

Squid 3.5.20

I am attempting to configure the following:

  Port 3128 = Accepts CONNECT requests with SSL Bump for all sites
  Port 3129 = HTTP port for transparent proxy
  Port 3130 = HTTPS port for transparent proxy – NO SSL Bump, all sites should always TUNNEL

Is the above config possible?

The relevant sections of my config are:

  #TRANSPARENT
  http_port 10.0.0.36:3129
  https_port 10.0.0.36:3130

  #CONNECT
  http_port 10.0.0.36:3128 ssl-bump \
      cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
      generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
  sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

  #Permissions
  http_access allow localnet
  http_access allow localhost
  http_access deny all

  ##Steps
  acl step1 at_step SslBump1
  acl step2 at_step SslBump2
  acl step3 at_step SslBump3

  #Bump Rules
  ssl_bump peek step1
  ssl_bump bump all
  ssl_bump splice all

All appears to work correctly, apart from transparent connections for HTTPS. These are getting bumped. According to the logs:

  2021/09/04 10:38:54.129 kid1| 5,2| TcpAcceptor.cc(218) doAccept: New connection on FD 30
  2021/09/04 10:38:54.129 kid1| 5,2| TcpAcceptor.cc(293) acceptNext: connection on local=10.0.0.36:3130 remote=[::] FD 30 flags=41
  2021/09/04 10:38:54.129 kid1| 33,2| client_side.cc(3920) httpsSslBumpAccessCheckDone: sslBump needed for local=142.250.187.196:443 remote=10.0.1.254:51928 FD 12 flags=33 method 3

Looking at the code, it would appear that because the destination is ALLOWED for the ssl_bump acl, the connection is automatically upgraded to ssl_bump by the httpsSslBumpAccessCheckDone function. But this isn't what I want. I want ssl_bump to be completely disabled on my transparent proxy; I only want to bump connections for connections that have explicitly set their proxy.

Any suggestions on how to overcome this, apart from running two copies of squid?

Thanks in advance

Graham Wharton
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
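A per-port ssl_bump rule set, added here as an illustration of the approach that avoids a second Squid instance; it is not part of Graham's post or of any reply on the list. It assumes the three listening ports are given names with the `name=` option so that a `myportname` ACL can tell them apart, that the transparent ports carry `intercept`, and that the intercepted HTTPS port also carries `ssl-bump` (with the same CA cert path as in the original config), because a Squid 3.5 https_port without `ssl-bump` terminates TLS with its own certificate rather than tunnelling it. The port names `explicit`, `tproxy_http`, `tproxy_https` and the ACL name `explicit_port` are assumptions for the example.

```conf
# Explicit (CONNECT) proxy: the only port whose traffic should ever be bumped.
# (port names below are assumed for this example)
http_port 10.0.0.36:3128 name=explicit ssl-bump \
    cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Transparent ports. The https_port still needs ssl-bump so that Squid treats
# the intercepted TLS stream as something it may splice into a tunnel instead
# of terminating it with its own certificate; the ssl_bump rules below ensure
# it is never actually decrypted.
http_port  10.0.0.36:3129 name=tproxy_http  intercept
https_port 10.0.0.36:3130 name=tproxy_https intercept ssl-bump \
    cert=/etc/squid/ssl_cert/squid-ca-cert.pem

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

http_access allow localnet
http_access allow localhost
http_access deny all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Match on the listening port the client connection arrived on.
acl explicit_port myportname explicit

# ssl_bump rules are evaluated in order; the first match at each step wins.
# Anything that did not arrive on the explicit port is spliced at step 1,
# i.e. tunnelled without being decrypted, regardless of destination.
ssl_bump splice !explicit_port
# Explicit CONNECT traffic: peek at the ClientHello, then bump.
ssl_bump peek step1
ssl_bump bump all
```

The ordering is the important part: the `splice !explicit_port` line has to come before `peek`/`bump` so that intercepted connections never reach the bumping rules. Run `squid -k parse` after the change, then compare an explicit request (`curl --proxy http://10.0.0.36:3128 https://example.com/`) with one routed through the intercept port; only the former should appear in the cache log with a bump action. If the ports are not named, a `localport 3128` ACL can be used in place of `myportname` to the same effect.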