Re: [squid-users] squid 3.0.19 + transparent + sslbump

From: Stefan Reible <mail_at_stefan-reible.de>
Date: Wed, 24 Mar 2010 14:16:57 +0100

Quoting Amos Jeffries <squid3_at_treenet.co.nz>:

> Leonardo Carneiro - Veltrac wrote:
>>
>> Amos Jeffries wrote:
>>> Some facts worth knowing:
>>>
>>> * 3.0 does not support sslBump or any other form of HTTPS
>>> man-in-middle attacks. 3.1 is required for that.
>>>
>>> * sslBump in 3.1 requires that the client machines all have a CA
>>> certificate installed to make them trust the proxy for decryption.
>>>
>>> * sslBump requires clients to be configured for using the proxy.
>>> (Some of the 'transparent' above work this way some do not.)
>>>
>>> Amos
>> Hi Amos. What is the advantage of using sslBump if I cannot use a
>> transparent proxy with it? Is it the ability to cache SSL content?
>> Tks in advance.
>
> Somewhat. Mostly for corporate networks AV scanning or filtering
> HTTPS connections.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
> Current Beta Squid 3.1.0.18
>

Transparent https is working with squid 3.1.0.15_beta-r1.
With transparent I mean that the browser request will be routed to
squid without any configuration.

iptables:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:3129

squid.conf:
http_port 127.0.0.1:3128
http_port 192.9.200.32:3128 transparent
https_port 192.9.200.32:3129 transparent sslBump cert=/etc/squid/ssl_cert/proxy.testdomain.deCert.pem key=/etc/squid/ssl_cert/private/proxy.testdomain.deKey_without_Pp.pem

The only problem I have is that the browser gives warnings, because
the certificate didn't pass for the domain!

Can I get other problems with cookies or something else?

Can I run this squid version in a production environment?

Now I will test it for some hours.

Regards,
Stefan
Received on Wed Mar 24 2010 - 13:17:02 MDT
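The browser warning Stefan reports is the client's hostname check failing: with sslBump the proxy presents its own certificate (issued to proxy.testdomain.de in the config above) to every intercepted HTTPS site, so the name the browser asked for is not in the certificate. The following is an added example, not code from the thread or from Squid, that reproduces that check on constructed certificate names; PROXY_CERT_SANS and PROXY_CERT_CN are assumed sample values.

```python
from typing import Iterable, List, Optional

# Constructed sample, modelled on the config in the post: the proxy's certificate is
# issued to proxy.testdomain.de and is presented for every intercepted HTTPS site.
PROXY_CERT_SANS: List[str] = ["proxy.testdomain.de"]   # subjectAltName dNSName entries
PROXY_CERT_CN: Optional[str] = "proxy.testdomain.de"   # subject CN (legacy fallback)


def label_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with the requested hostname.
    Rules follow RFC 6125 practice: case-insensitive, and a single wildcard
    allowed only as the complete left-most label, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    # Reject "*", "*.com" and patterns containing a second wildcard.
    if "*" in suffix or "." not in suffix:
        return False
    first, dot, rest = hostname.partition(".")
    return first != "" and dot == "." and rest == suffix


def hostname_matches(sans: Iterable[str], cn: Optional[str], requested: str) -> bool:
    """True if the certificate is valid for `requested`.
    SAN dNSName entries are authoritative; the CN is consulted only when the
    certificate carries no dNSName SAN at all (modern browsers ignore CN entirely)."""
    names = list(sans)
    if not names and cn:
        names = [cn]
    return any(label_matches(n, requested) for n in names)


def browser_verdict(requested: str) -> str:
    """Verdict the client would reach for a site intercepted by the sample proxy."""
    if hostname_matches(PROXY_CERT_SANS, PROXY_CERT_CN, requested):
        return "ok"
    return f"warning: certificate for {PROXY_CERT_SANS[0]} does not cover {requested}"


if __name__ == "__main__":
    for site in ("www.example.com", "proxy.testdomain.de"):
        print(site, "->", browser_verdict(site))
```

The mismatch is inherent to presenting one static certificate for all sites, which is why sslBump deployments rely on a CA certificate trusted by the clients and on per-site certificates generated under it.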