Squid configuration directive ssl_bump

Available in: 3.HEAD   3.5   3.4   3.3   3.2   3.1  

History:

Changes in 3.5 ssl_bump

Bumping 'modes' were redesigned as 'actions', and ACLs are now evaluated repeatedly, once at each of a number of steps.

Renamed server-first as bump action.

Renamed none as splice action.

New actions peek and stare receive the client or server certificate while preserving the ability to decide later between bumping or splicing the connection.

New action terminate to close the client and server connections.

Changes in 3.3 ssl_bump

New action types none, client-first, server-first. The default is none.

Use of allow/deny is now deprecated and they should be removed as soon as possible. To retain exactly the same behaviour between 3.3 and older releases, replace deny with none and allow with client-first. However, upgrading to server-first is recommended.

NOTE: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.

Changes in 3.1 ssl_bump

New access control determining which CONNECT requests to an http_port marked with the ssl-bump flag are actually "bumped". Please see the ssl-bump flag of the http_port option for more details about decoding proxied SSL connections. DEFAULT: No requests are bumped.

# Example: Bump all requests except those originating from localhost and
# those going to webax.com or example.com sites.
#
# acl broken_sites dstdomain .webax.com
# acl broken_sites dstdomain .example.com
# ssl_bump deny localhost
# ssl_bump deny broken_sites
# ssl_bump allow all

For older versions see the linked page above

Configuration Details:

Option Name: ssl_bump
Replaces:
Requires: --with-openssl
Default Value: Become a TCP tunnel without decrypting proxied traffic.
Suggested Config:

	This option is consulted when a CONNECT request is received on
	an http_port (or a new connection is intercepted at an
	https_port), provided that port was configured with an ssl-bump
	flag. The subsequent data on the connection is either treated as
	HTTPS and decrypted OR tunneled at TCP level without decryption,
	depending on the first matching bumping "action".

	ssl_bump <action> [!]acl ...

	The following bumping actions are currently supported:

	    splice
		Become a TCP tunnel without decrypting proxied traffic.
		This is the default action.

	    bump
		Establish a secure connection with the server and, using a
		mimicked server certificate, with the client.

	    peek
		Receive client (step SslBump1) or server (step SslBump2)
		certificate while preserving the possibility of splicing the
		connection. Peeking at the server certificate (during step 2)
		usually precludes bumping of the connection at step 3.

	    stare
		Receive client (step SslBump1) or server (step SslBump2)
		certificate while preserving the possibility of bumping the
		connection. Staring at the server certificate (during step 2)
		usually precludes splicing of the connection at step 3.

	    terminate
		Close client and server connections.

	Backward compatibility actions available at step SslBump1:

	    client-first
		Bump the connection. Establish a secure connection with the
		client first, then connect to the server. This old mode does
		not allow Squid to mimic server SSL certificate and does not
		work with intercepted SSL connections.

	    server-first
		Bump the connection. Establish a secure connection with the
		server first, then establish a secure connection with the
		client, using a mimicked server certificate. Works with both
		CONNECT requests and intercepted SSL connections, but does
		not allow decisions to be made based on SSL handshake info.

	    peek-and-splice
		Decide whether to bump or splice the connection based on 
		client-to-squid and server-to-squid SSL hello messages.
		XXX: Remove.

	    none
		Same as the "splice" action.

	All ssl_bump rules are evaluated at each of the supported bumping
	steps.  Rules with actions that are impossible at the current step are
	ignored. The first matching ssl_bump action wins and is applied at the
	end of the current step. If no rules match, the splice action is used.
	See the at_step ACL for a list of the supported SslBump steps.

	This clause supports both fast and slow acl types.
	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

	See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.


	# Example: Bump all requests except those originating from
	# localhost or those going to example.com.

	acl broken_sites dstdomain .example.com
	ssl_bump splice localhost
	ssl_bump splice broken_sites
	ssl_bump bump all
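The page's example above decides everything at the first step, where only the CONNECT request (or intercepted TCP connection) is known. The following configuration is an added example, not taken from the Squid documentation, showing how the at_step ACL and the peek, stare, splice and bump actions described on this page combine into a three-step policy. The ACL names step1, step2, step3 and nobump_sites are assumptions, and the example assumes the ssl::server_name ACL type of Squid 3.5, which this page does not describe; localhost is Squid's predefined ACL.

```squid
# Added example (not from the Squid documentation). Step names come from
# the at_step ACL; the other ACL names here are assumptions.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites that must never be decrypted (hypothetical list). ssl::server_name
# matches the CONNECT host or, once peeked, the TLS SNI from the client hello.
acl nobump_sites ssl::server_name .example.com
acl nobump_sites ssl::server_name .bank.example

# Step 1: only the CONNECT request or intercepted connection is known.
# Local clients become a plain TCP tunnel; everything else is peeked so the
# client hello (and its SNI) is available to later rules without committing.
ssl_bump splice localhost
ssl_bump peek step1

# Step 2: the client hello is known. Excluded sites are spliced, so their
# traffic is never decrypted. The rest are stared at, which keeps bumping
# possible (peeking here would usually preclude bumping at step 3).
ssl_bump splice nobump_sites
ssl_bump stare step2

# Step 3: the server certificate has been received; decrypt what remains.
ssl_bump bump all
```

At each step every rule is evaluated in order and the first match wins, so at step 1 the peek rule fires before the nobump_sites rule can match; at step 2 the step1 ACL is false, and the splice rule for nobump_sites is reached with the SNI known; at step 3 only the final bump rule still applies. A rule that ends with stare rather than peek at step 2 is what makes bumping at step 3 possible, and the resulting bump uses a certificate mimicked from the one received from the server.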
