Hey Antony,
Thanks for the quick response.
- What sort of firewall is this?
The firewall is a Cisco FTDv 6.6.
- What does "HTTPS inspect" actually mean?
- How does the firewall "inspect" HTTPS traffic, which by design is encrypted between client and server (neither of which is the firewall)?
- What does "inspect" mean? What information is revealed from the inspection of the encrypted communication?
It's doing something they call 'decrypt and resign'. Similar to how ssl_bump works, so would putting the firewall certificate on the Squid server's trusted certificates source be enough?
Why? Where would the proxy servers need to be instead, in order for this inspection to work?
Good question, their documentation says the following:
HTTP proxy limitation
The system cannot decrypt traffic if an HTTP proxy is positioned between a client and your managed device, and the client and server establish a tunneled TLS/SSL connection using the CONNECT HTTP method. The Handshake Errors undecryptable action determines how the system handles this traffic.
Alternatively, how does/would it work if the proxy were not there, and clients communicated directly to the Internet through the firewall?
If the proxy wasn't there, it looks like it works the same as ssl_bump.
Have you asked the suppliers / authors / vendors of the firewall?
Not yet but I will be doing so today.
If it's the firewall telling you there's a problem, this doesn't entirely feel like a Squid question.
Okay, what if we removed the firewall and replaced it with another squid proxy server, where that is also doing ssl_bump. I assume this would work but are there negative implications of doing so? Appreciate you taking the time. Thanks, Will
On Tuesday 04 January 2022 at 01:19:28, Will BMD wrote:

> Hey all,
> I currently have the following network topology, it's emulating a real world environment. The proxy is running ssl_bump.
>
> LAN <-> Squid Proxy <-> Firewall <-> Internet
>
> From the Firewall's perspective all client connections are originating as the proxy server.

Okay, that makes good sense.

> We're wanting to use the https inspect feature of the firewall,

Please give more details?
- What sort of firewall is this?
- What does "HTTPS inspect" actually mean?
- How does the firewall "inspect" HTTPS traffic, which by design is encrypted between client and server (neither of which is the firewall)?
- What does "inspect" mean? What information is revealed from the inspection of the encrypted communication?

> but according to our firewall documentation it appears due to the location of our proxy servers we would be unable to do so.

Why? Where would the proxy servers need to be instead, in order for this inspection to work?

Alternatively, how does/would it work if the proxy were not there, and clients communicated directly to the Internet through the firewall?

> My question is, if the proxy is behaving as a MITM between itself and the client, can't the Firewall do the same thing between itself and the proxy?

I agree. Have you asked the suppliers / authors / vendors of the firewall?

> I suspect it is possible, but might potentially involve a lot of headaches and a big hit on performance?

Who knows? If it's the firewall telling you there's a problem, this doesn't entirely feel like a Squid question.

Antony.
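Editor's added example (not from Will's or Antony's messages, and not vendor configuration): what the "two chained Squid proxies, both doing ssl_bump" setup from the last message looks like in squid.conf terms. The point it illustrates is the trust relationship Will asked about: the LAN-facing Squid must trust the upstream bumper's signing CA on its outgoing side, and the upstream hop must see a raw TLS ClientHello (transparent intercept) rather than a CONNECT tunnel, which is the case the Cisco documentation quoted above says cannot be decrypted. All file paths, ports and CA names are assumptions; the two sections belong in two separate squid.conf files, one per host.

```conf
# ---- Downstream Squid: the existing LAN-facing proxy (assumed squid.conf) ----
# Clients trust lanproxy-ca.pem; this instance signs per-host leaf certs with it.
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/ssl_cert/lanproxy-ca.pem \
    tls-key=/etc/squid/ssl_cert/lanproxy-ca.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Peek at the client's SNI first, then terminate TLS and re-sign.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# The TLS connection this Squid opens toward the Internet is the one the next
# hop will intercept and re-sign. It must therefore trust the upstream bumper's
# signing CA; otherwise every origin certificate looks forged and is rejected.
# (assumed path; this is the "firewall certificate in Squid's trust store" idea)
tls_outgoing_options cafile=/etc/squid/upstream-bumper-ca.pem default-ca=on

# ---- Upstream Squid: replaces the firewall, transparent intercept mode ----
# Traffic from the downstream proxy is redirected here by the router/NAT rules
# (not shown), so this instance sees a plain TLS ClientHello, not an HTTP
# CONNECT request, and can bump it.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/ssl_cert/upstream-bumper-ca.pem \
    tls-key=/etc/squid/ssl_cert/upstream-bumper-ca.key
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# This hop talks to the real origin servers, so it verifies against the
# system's public CA bundle only.
tls_outgoing_options default-ca=on
```

Two design notes. First, the downstream Squid must reach the Internet directly (no cache_peer to the upstream); a cache_peer would send CONNECT requests to the upstream, recreating exactly the tunnelled-CONNECT situation the firewall documentation describes. Second, each hop re-signs with its own CA and the private keys are the whole security of the scheme, so they stay on the respective proxy hosts only; clients trust only the LAN proxy's CA, and the LAN proxy alone trusts the upstream CA. The cost is two full TLS terminations per connection plus two certificate-generation caches, which is the performance hit speculated about in the thread.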
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users