On 10/26/22 10:43 AM, mingheng wang wrote:
> Hello all,

Hi,

> Since ssl_bump can generate self-signed certificates on the fly, I wonder if this setup is possible, or even just in theory: clients with the necessary root CA installed connect to a local Squid. With ssl_bump and self-signed certs,

I'm with you so far. I've got such a Monkey in the Middle here at the house.

> it always talks with the clients over HTTPS,

Please clarify / confirm if you're talking about HTTPS protection of the client-to-Squid connection. -- I ask because not all clients natively / easily support HTTPS connections to Squid.

N.B. the connection between the client and Squid is completely independent of the connection between Squid and the next upstream server.

> making clients believe their connections are secure;

This is the biggest hang-up for me. -- I don't think that the HTTPS communication with Squid in and of itself will cause clients to think that an insecure site is actually secure.

My client doesn't show that it has a secure connection to neverssl.com, which doesn't support HTTPS (by design), despite communicating with Squid via HTTPS.

> the local Squid then forwards the connections to a parent Squid server, which, however, will only send data back in plain HTTP, i.e. in clear text, akin to a reverse proxy with SSL termination to its proxied site.

Okay. I'm not sure why you would not have encryption on the downstream child Squid to the upstream parent Squid, but that's your choice.

> my goals are to cache data/modify requests even when connecting to HTTPS-only sites,

Squid's TLS Monkey in the Middle should cache things without any problem. So I don't see the need to do anything extra for this.

> while avoiding using self-signed certs to encrypt connections over the Internet,

I have no idea where the downstream child Squid is that's doing TLS MitM. Nor do I have any idea where the upstream parent Squid is. So I can't really comment about locality / the Internet.

> because this way, I can chain an HTTPS proxy with trusted certs in between.

"Trusted certs" is sort of ambiguous in this case as your TLS MitM /clients/ *trust* the root cert that the downstream child Squid is using.

I see no reason why you can't use similar methodology to protect the communications between the downstream child Squid and the upstream parent Squid. -- Independent of who the cert used by the upstream parent Squid is from.

If the downstream child Squid has the root CA that signed the upstream parent Squid's TLS certificate in the downstream child Squid's root CA store, then the connection between the two Squids is trusted. Even if there are no public CAs involved. }:-)
-- Grant. . . . unix || die
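A concrete form of the arrangement the reply describes (the child Squid bumping client TLS with a locally trusted root CA, the child-to-parent hop carried over TLS instead of plain HTTP, and the parent's issuing CA placed in the child's trust store) as an added squid.conf example for Squid 4 or later. It is not from the thread or from the Squid project; the hostnames, ports and file paths are assumed placeholders.

```squid
# ---- Child (downstream) Squid ----
# Terminate client TLS with per-host certificates minted on the fly and
# signed by the local root CA that the clients have installed.
# All paths, hostnames and ports below are assumed placeholders.
http_port 3128 ssl-bump tls-cert=/etc/squid/local-root-ca.pem tls-key=/etc/squid/local-root-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

# Helper that generates and caches the per-host leaf certificates.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB

# Peek at the ClientHello (SNI) first, then bump the connection.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Send everything to the upstream parent over TLS rather than clear text.
# tls-cafile holds the CA that signed the parent's certificate; a private
# CA is enough here, as the reply says, no public CA is required.
cache_peer parent.example.internal parent 3129 0 no-query default tls tls-cafile=/etc/squid/parent-issuing-ca.pem tls-domain=parent.example.internal
never_direct allow all

# ---- Parent (upstream) Squid ----
# Accept proxy connections from the child over TLS on a dedicated port,
# using a certificate issued by the private CA the child trusts.
https_port 3129 tls-cert=/etc/squid/parent.pem tls-key=/etc/squid/parent.key
```

The two halves go in the respective squid.conf files. The parent's https_port is the same mechanism a client would use to reach the child over HTTPS (the point raised earlier in the reply), and it is independent of what the child does on its client-facing http_port; the child-to-parent trust comes entirely from tls-cafile matching the CA that issued parent.pem.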
squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users