On 06/21/2012 10:34 AM, A G wrote:
> I am trying to set up squid as a transparent ssl mitm proxy.
You will need to run trunk with a BumpSslServerFirst patch recently
posted on squid-dev. The patch implements the following feature that is
essential for bumping transparent SSL connections in production:
http://wiki.squid-cache.org/Features/BumpSslServerFirst
In my response, I will assume that you are doing the above.
> 1. http_port intercept means squid will place its own ip in the
> packet sent to the destination. Is this correct?
Yes, although the option means more than that, of course.
> 2. http_port tproxy means squid will preserve the client's ip in the
> packet sent to the destination, is this correct?
Yes, although the option means more than that, of course.
> 3. Does ssl bump work only with CONNECT messages? ie clients must have
> their browser set to use squid as a proxy.
No. It works for both CONNECT and intercepted transactions.
> But http://wiki.squid-cache.org/Features/SslBump also says it can mitm
> transparently redirected SSL traffic. So ssl bump works in
> 'transparent/intercept' mode;
Yes, it does, but without BumpSslServerFirst, bumping intercepted
connections generates too many warnings for production use.
> 4. What is the
> point of using http_port (xyz) ssl-bump if port xyz cannot receive ssl
> traffic? Wouldn't ssl-bump ONLY be used with https_port, not http_port?
Use http_port for bumping CONNECT requests.
Use https_port for bumping intercepted SSL connections.
> 5. After all this, is it possible to use tproxy with ssl-bump?
Yes.
> That is, do
> SSL man in the middle whilst preserving the client's IP address?
Yes.
HTH,
Alex.
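To make the port/mode pairing in the reply above concrete, here is an added squid.conf fragment (not part of the original message or of the Squid project's documentation). It assumes a Squid build with the BumpSslServerFirst feature described above (the "server-first" ssl_bump mode), a CA certificate and key at /etc/squid/ssl_cert/bumpCA.pem that the clients have been told to trust, the ssl_crtd helper installed at /usr/lib/squid/ssl_crtd, and port numbers 3128/3129/3130 chosen for illustration; all of these are assumptions, and the TPROXY case additionally needs the kernel routing and iptables TPROXY rules described on the Squid wiki, which are not shown here.

```conf
# Added example configuration (assumed paths, ports and helper locations).
#
# Port for explicit proxy clients: browsers send CONNECT here, and
# ssl-bump lets Squid intercept the tunnel the CONNECT would open.
http_port 3128 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/bumpCA.pem

# Port for intercepted (NAT-redirected) TLS traffic: the client never
# sends a CONNECT, so the port itself must speak TLS; hence https_port.
# "intercept" means Squid connects to the server from its own address.
https_port 3129 intercept ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/bumpCA.pem

# Same as above, but with "tproxy": the connection to the origin server
# is made with the original client IP as its source address. Requires the
# TPROXY iptables/ip-rule setup from the Squid wiki (not shown).
https_port 3130 tproxy ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/bumpCA.pem

# Helper that mints per-site certificates signed by the bumping CA.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# With BumpSslServerFirst, connect to the origin server first and mimic
# its certificate; this is what keeps browser warnings down for
# intercepted connections, where no CONNECT host name is available.
ssl_bump server-first all
```

Before relying on this, run `squid -k parse` against the file to confirm the installed version accepts the ssl-bump port options and the server-first mode; an older build that lacks the BumpSslServerFirst feature will reject `ssl_bump server-first` and, per the reply above, would fall back to warning-prone client-first bumping for intercepted connections. Keep the CA key readable only by the Squid user: anyone who obtains it can impersonate every TLS site to the clients that trust it.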
Received on Fri Jun 22 2012 - 16:27:54 MDT