Re: Configuring SSL Bump on CONNECT, but no SSL Bump on Transparent

My apologies, that config snippet was not correct.

Besides, I've managed to configure it using localport ACLs to detect which port the request came in on and bump accordingly. Not sure if this is the best way.

Thanks for listening.

For info, for anyone else interested:

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl connectport localport 3128

http_port 10.0.0.36:3129 intercept
https_port 10.0.0.36:3130 intercept ssl-bump \
        cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 10.0.0.36:3128 ssl-bump \
        cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

http_access allow localnet
http_access allow localhost
http_access deny all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump bump connectport
ssl_bump peek all
ssl_bump splice all

 

Cheers

Graham

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Graham Wharton
Sent: 04 September 2021 11:44
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Configuring SSL Bump on CONNECT, but no SSL Bump on Transparent

 

Hi all,

Squid 3.5.20

I am attempting to configure the following:

Port 3128 = Accepts CONNECT requests with SSL Bump for all sites
Port 3129 = HTTP port for transparent proxy
Port 3130 = HTTPS port for transparent proxy – NO SSL Bump, all sites should always TUNNEL

Is the above config possible?

The relevant sections of my config are:

#TRANSPARENT
http_port 10.0.0.36:3129
https_port 10.0.0.36:3130

#CONNECT
http_port 10.0.0.36:3128 ssl-bump \
        cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

#Permissions
http_access allow localnet
http_access allow localhost
http_access deny all

##Steps
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

#Bump Rules
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all

 

All appears to work correctly, apart from transparent connections for HTTPS. These are getting bumped.

According to the logs:

2021/09/04 10:38:54.129 kid1| 5,2| TcpAcceptor.cc(218) doAccept: New connection on FD 30
2021/09/04 10:38:54.129 kid1| 5,2| TcpAcceptor.cc(293) acceptNext: connection on local=10.0.0.36:3130 remote=[::] FD 30 flags=41
2021/09/04 10:38:54.129 kid1| 33,2| client_side.cc(3920) httpsSslBumpAccessCheckDone: sslBump needed for local=142.250.187.196:443 remote=10.0.1.254:51928 FD 12 flags=33 method 3

Looking at the code, it would appear that because the destination is ALLOWED for the ssl_bump acl, the connection is automatically upgraded to ssl_bump by the httpsSslBumpAccessCheckDone function. But this isn't what I want. I want ssl_bump to be completely disabled on my transparent proxy; I only want to bump connections for connections that have explicitly set their proxy.

Any suggestions on how to overcome this, apart from running two copies of squid?

Thanks in advance

Graham Wharton
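As an added example that is not part of this thread, here is a small Python first-match simulator over the two ssl_bump rule sets posted above (the original one, and the localport fix from the reply). It assumes only that Squid evaluates ssl_bump rules in order and takes the first rule whose ACLs all match at a given step; it does not model what Squid permits an action to do at each step, so it shows which rule is selected, not the complete bump outcome.

```python
# Added example (not from the thread): first-match simulator for the two
# ssl_bump rule sets above (constructed below) over the acl types the thread
# uses (all, at_step, localport). Squid's per-step action limits are not modelled.

ORIGINAL_RULES = """
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all
"""
REVISED_RULES = """
acl connectport localport 3128
ssl_bump bump connectport
ssl_bump peek all
ssl_bump splice all
"""

def parse_config(text):
    """Collect acl definitions and ordered ssl_bump rules from squid.conf text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif len(parts) >= 3 and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:]))      # (action, [acl names])
    return acls, rules

def acl_matches(name, acls, step, local_port):
    """Evaluate one acl for a connection accepted on local_port at SslBump<step>."""
    if name == "all":
        return True
    for acl_type, args in acls.get(name, []):
        if acl_type == "at_step" and f"SslBump{step}" in args:
            return True
        if acl_type == "localport" and str(local_port) in args:
            return True
    return False

def first_match(acls, rules, step, local_port):
    """Action of the first ssl_bump rule whose acls all match at this step, else None."""
    for action, names in rules:
        if all(acl_matches(n, acls, step, local_port) for n in names):
            return action
    return None

def bumps_port(conf_text, local_port, steps=(1, 2, 3)):
    """True if 'bump' is the first-matching action at any step for this local port."""
    acls, rules = parse_config(conf_text)
    return any(first_match(acls, rules, s, local_port) == "bump" for s in steps)
```

With the original rules, a connection on the intercept port 3130 selects `peek` at step 1 and `bump` at step 2, which matches the "sslBump needed" log line; with the revised rules only port 3128 ever selects `bump`.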

 

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
