Re: [squid-users] unsure of how to use sslBump

From: Brad Barnett <lists_at_l8r.net>
Date: Tue, 29 Jul 2008 09:20:48 -0400

Hmm, ok, I found the thread (I think) you were referring to. I've
essentially got transparent proxying setup, naturally with an SSL cert
that shows people what's going on.

That's fine. Employees know this, and these are work machines, and they
are only to access work sites on them.

So, I've seen that people have been using various virus / malware
checkers with squid. Anyone have any recommendations? Or, perhaps more
importantly, does anyone have any warnings about the bugginess of a
product? ;)

How's squidclamav?

On Tue, 29 Jul 2008 14:03:31 +1200
Amos Jeffries <squid3_at_treenet.co.nz> wrote:

> Brad Barnett wrote:
> >
> > Hey all,
> >
> > I've compiled squid-3.HEAD-20080728.tar.gz, and all seems to be
> > working fine in a general respect.
> >
> > However, I can't seem to get sslBump working. I have squid setup as a
> > transparent proxy, and that part is working fine. However, when I add
> > the following lines, and use iptables to redirect port 443 traffic to
> > squid, generally squid just sits, stalled, forever.
>
> IIRC, sslBump was not designed to allow interception of port 443.
> What it does is decrypt HTTPS sent as CONNECT requests through the
> proxy.
>
> There was some discussion about ways to hack it up to do the
> interception. I think there may have been a little more coding needed
> for that. You will have to google the archives and find the original
> threads on this.
>
> Amos
>
> >
> > I turned up the debug log, but didn't even see any cogent information
> > indicating that sslbump, or any ssl traffic was being attempted.
> >
> > Any ideas? Note, while I show 'http_port 3129' below, I also tried
> > using port 3128, as per the example on the wiki.
> >
> > Thanks
> >
> >
> > # configure the HTTP port to bump CONNECT requests
> > http_port 3129 sslBump cert=/usr/local/squid/etc/server.crt
> > key=/usr/local/squid/etc/server.key
> >
> > # avoid bumping requests to sites that Squid cannot proxy well
> > acl broken_sites dstdomain .webax.com
> > ssl_bump deny broken_sites
> > ssl_bump allow all
> >
> > # ignore certain certificate errors or
> > # ignore errors with certain sites (very dangerous!)
> > acl TrustedName url_regex ^https://weserve.badcerts.com/
> > acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> > sslproxy_cert_error allow TrustedName
> > sslproxy_cert_error allow BogusError
> > sslproxy_cert_error deny all
>
>
> Amos
> --
> Please use Squid 2.7.STABLE3 or 3.0.STABLE8
Received on Tue Jul 29 2008 - 13:20:24 MDT
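As an added illustration of Amos's point (example code written for this note, not from the thread or from Squid itself): a small classifier for the first bytes a client sends on a proxy port, telling apart the HTTP CONNECT request that sslBump in this release expects from the raw TLS ClientHello that an iptables redirect of port 443 delivers, which is why the proxy appears to stall. The sample inputs are constructed, not captured traffic.

```python
# Added example (not from the thread): classify what a client sends first on
# the proxy port, to tell the two cases in Amos's reply apart.
#
# - A browser configured to use Squid as a proxy sends an HTTP CONNECT request
#   line first; this is what sslBump handles in this release.
# - A client whose port-443 traffic was redirected with iptables sends a TLS
#   ClientHello record first. Squid waits for an HTTP request line that never
#   comes and the client waits for a ServerHello, so both sides stall.
from dataclasses import dataclass
from typing import Optional

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello


@dataclass
class FirstBytes:
    kind: str                        # "connect", "tls-clienthello" or "other"
    target: Optional[str] = None     # host:port from a CONNECT request line
    tls_version: Optional[str] = None


def classify(data: bytes) -> FirstBytes:
    """Classify the first bytes a client sends on the proxy port."""
    # Case 1: explicit proxy use -> HTTP CONNECT request line.
    if data.startswith(b"CONNECT "):
        line, _, _ = data.partition(b"\r\n")
        parts = line.decode("ascii", "replace").split()
        # Request line is "CONNECT host:port HTTP/1.x"; require the port so a
        # malformed authority is not mistaken for a valid tunnel target.
        if len(parts) == 3 and ":" in parts[1] and parts[2].startswith("HTTP/"):
            return FirstBytes("connect", target=parts[1])
        return FirstBytes("other")
    # Case 2: intercepted port 443 -> raw TLS record, no HTTP at all.
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[5] == CLIENT_HELLO):
        return FirstBytes("tls-clienthello", tls_version=f"3.{data[2]}")
    return FirstBytes("other")


# Constructed sample inputs (not captured traffic).
SAMPLE_CONNECT = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
# TLS record header (handshake, version 3.1) followed by a ClientHello
# handshake header; the body is truncated since only the prefix matters here.
SAMPLE_INTERCEPTED = b"\x16\x03\x01\x00\x2a" + b"\x01\x00\x00\x26" + b"\x03\x03" + b"\x00" * 32

if __name__ == "__main__":
    for name, sample in (("explicit proxy", SAMPLE_CONNECT), ("intercepted 443", SAMPLE_INTERCEPTED)):
        print(name, "->", classify(sample))
```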
