On 23/11/23 23:05, Andrea Venturoli wrote:
> Hello.
> I've got the following config:
> ...
> http_port 8080 ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> ...
> acl step1 at_step SslBump1
> ssl_bump splice !bumphosts
> ssl_bump splice splicedom
> ssl_bump peek step1
> ssl_bump bump all
> ...
> So I've got port 8080, where proxy-aware clients connect, and 3129, which
> is fed intercepted https connections by ipfw.
> Problem is: if a client connects explicitly via proxy (port 8080) it
> gets SSLBumped; if a client simply connects to its destination https
> port (so directed to 3129) it is tunneled.
> Anything wrong in my config?

FYI, intercepted traffic first gets interpreted as a CONNECT tunnel to
the TCP dst-IP:port and processed by http_access to see if the client is
allowed to make that type of connection.
To guess based on the info provided above, I suspect that the
fake-CONNECT raw-IP does not match your "bumphosts" ACL test, causing
that "ssl_bump splice !bumphosts" to occur.
That behaviour is why we typically recommend doing "peek" first, then
the splice checks can be based on whatever TLS SNI value is found.
For further assistance please also show your http_access and ACL config
lines. They will be needed for a better analysis of what is going on.

> I think it worked in the past: has anything changed in this regard with
> Squid 6?

Changed since what version? Over time a lot of small changes can add up
to large differences.
HTH
Amos
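
One ordering of the ssl_bump rules that follows the advice above, as an added example for this thread rather than config posted by either participant: peek at step 1 first, so the dstdomain checks run against the TLS SNI instead of the raw destination IP of the fake CONNECT. It assumes bumphosts and splicedom are dstdomain ACLs defined elsewhere, which the thread does not show.

```conf
# Added example, not from the thread. Assumes bumphosts and splicedom
# are dstdomain ACLs defined elsewhere in squid.conf.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: for intercepted connections only the TCP dst-IP:port is known,
# so a dstdomain test here cannot match and would splice by default.
# Peek first to read the ClientHello and learn the SNI.
ssl_bump peek step1

# Step 2: the SNI is now available, so dstdomain ACLs can match on the
# server name; the same rules then apply to both ports 8080 and 3129.
ssl_bump splice splicedom step2
ssl_bump splice !bumphosts step2
ssl_bump bump all
```

The original order evaluated "splice !bumphosts" before "peek step1", so at step 1 an intercepted connection was spliced before any SNI had been seen.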
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users