[squid-users] Squid sslBump traffic inspection

From: Alex Font <afont_at_open3s.com>
Date: Tue, 9 Jun 2009 12:44:22 +0200 (CEST)

Hi All,

I've recently installed Squid 3.1 and configured it with the sslBump feature in
order to inspect the HTTPS traffic using the squid-in-the-middle method
(for legal purposes).
The browser gets the certificate right (fake certificate), but when I run
tcpflow to see the HTTP headers, I see all the traffic encrypted... Is
there a way to inspect the traffic? What am I doing wrong?

I configured the Squid sslBump feature as follows:

########################
log_mime_hdrs on
debug_options ALL,9
#########################
#visible_hostname localhost
ssl_bump allow all
acl BogusError ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BogusError
sslproxy_cert_error deny all
always_direct allow all
########################################################################
cache_store_log /usr/var/logs/store.log
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.26.0.0/16 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
#http_port 3128
http_port 3128 sslBump cert=/usr/etc/nova.pem
hierarchy_stoplist cgi-bin ?
refresh_pattern ^http: 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth
refresh_pattern ^https: 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private ignore-auth
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /usr/var/cache

I also tried with a c-icap server and configured Squid as a client of it,
but I receive a lot of errors such as:

Laucher.cc(72) noteAdaptationQueryAbort: cannot retry the failed ICAP
xaction; tries: 1; final: 1;
AsyncJob.cc(218) dial: Adaptation::Icap::Xaction::noteCommConnected threw
exception: cannot connect to ICAP service.

Please, any help would be appreciated!!

Thanks in advance,
Alex.
Received on Wed Jun 10 2009 - 23:45:27 MDT
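As an added example (not from Alex's post or from Squid itself): with log_mime_hdrs on, each native access.log line ends in two bracketed, percent-encoded fields holding the decrypted request and reply headers, and that is where bumped traffic becomes visible; tcpflow on the wire only ever sees the TLS session Squid re-establishes to the browser with the fake certificate. The Python below parses that layout from a constructed sample line; the field order and encoding are assumed from the native log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access.log line (native format, log_mime_hdrs on): the two
# trailing bracketed fields are the URL-encoded request and reply headers.
SAMPLE_LINE = (
    "1244544262.123    245 192.168.1.10 TCP_MISS/200 5123 GET "
    "https://www.example.com/login - DIRECT/203.0.113.10 text/html "
    "[Host: www.example.com%0D%0AUser-Agent: Mozilla/5.0%0D%0A"
    "Cookie: session=abc123%0D%0A] "
    "[HTTP/1.1 200 OK%0D%0AContent-Type: text/html%0D%0A"
    "Set-Cookie: session=abc123; Secure%0D%0A]"
)

BRACKET_RE = re.compile(r"\[([^\]]*)\]")  # '[' / ']' inside a block are %-escaped


def decode_header_block(block):
    """Percent-decode one bracketed block into {lower-cased name: value}.
    A line without a 'name:' prefix (request/status line) goes under '_start_line'."""
    headers = {}
    for raw in unquote(block).split("\r\n"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition(":")
        if sep and " " not in name:
            headers[name.lower()] = value.strip()
        else:
            headers["_start_line"] = raw
    return headers


def parse_access_line(line):
    """Return (fixed fields, request hdrs, reply hdrs); None if no header blocks."""
    matches = list(BRACKET_RE.finditer(line))
    if len(matches) < 2:
        return None  # log_mime_hdrs off, or the line was truncated
    req_m, rep_m = matches[-2], matches[-1]
    fields = line[: req_m.start()].split()  # ts, elapsed, client, action/code, size, method, url, ...
    return fields, decode_header_block(req_m.group(1)), decode_header_block(rep_m.group(1))


def request_summary(line):
    """The pieces an inspector usually wants from one decrypted transaction."""
    parsed = parse_access_line(line)
    if parsed is None:
        return None
    fields, req, rep = parsed
    return {"client": fields[2], "status": fields[3].split("/")[-1],
            "method": fields[5], "url": fields[6], "host": req.get("host"),
            "cookie": req.get("cookie"), "set_cookie": rep.get("set-cookie")}
```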
