[squid-users] Implementing SslBump using Bump-Server-First in Transparent mode using squid-3.HEAD-20121231-r12554

From: Swapneel Patnekar <swapneel_at_patnekar.com>
Date: Mon, 31 Dec 2012 18:07:59 +0530

Hello Everyone,

I've successfully managed to configure sslbump with
squid-3.HEAD-20121231-r12554.

However, I am having trouble configuring SslBump using
Bump-Server-First in Transparent mode. Basically I don't think I have
the correct set of directives/configuration parameters in squid.conf
to check/test SslBump using Bump-Server-First in Transparent mode. Any
help on making this work is much appreciated.

Redirecting traffic on port 80 & 443 to squid via iptables,

# Plain HTTP from the LAN is DNAT'ed to Squid's intercept http_port (3128).
# Both rules below appear wrapped by the mail client: the --to argument belongs
# on the same line as the DNAT rule it continues.
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT
--to 192.168.2.1:3128
# NOTE(review): the 443 rule is commented out, so no HTTPS traffic is sent to
# the ssl-bump https_port on 3129. Transparent SslBump (server-first or not)
# cannot be exercised until this rule is enabled.
#iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 443 -j DNAT
--to 192.168.2.1:3129

Squid was compiled using the following flags,
# --enable-ssl plus --with-openssl provide the TLS support ssl-bump relies on,
# and --enable-ssl-crtd builds the ssl_crtd helper that sslcrtd_program in
# squid.conf points at. (Presumably one command line, wrapped by the mail client.)
./configure --enable-icap --enable-ssl --enable-ssl-crtd
--enable-delay-pools --with-openssl=/usr/local/openssl-1.0.0g

squid.conf
# NOTE(review): several directives below span two lines (blockfiles, https_port,
# sslcrtd_program), which looks like mail-client wrapping. Squid reads one
# directive per line, so in the real file each must be joined, and
# `sslcrtd_children 5` is a separate directive, not part of sslcrtd_program.
visible_hostname server
httpd_suppress_version_string on
forwarded_for off

# http_access rules are evaluated top to bottom and stop at the first match:
# 192.168.2.200 is allowed everything here, before the whitelist, blockfiles,
# Safe_ports and CONNECT rules further down are ever consulted.
acl allow_machine src 192.168.2.200
http_access allow allow_machine

acl whitelist dstdomain "/usr/local/squid/etc/custom/whitelisted-domains"
http_access deny !whitelist

acl blockfiles urlpath_regex
"/usr/local/squid/etc/custom/blacklisted-file-extensions"
deny_info http://192.168.2.1/error.html blockfiles
http_access deny blockfiles

# Every other LAN client is allowed at this point as well, so the manager,
# !Safe_ports and CONNECT denies below only apply to sources outside
# 192.168.2.0/24. If they are meant to cover LAN clients too, those deny
# lines need to come before this allow.
acl lan src 192.168.2.0/24
http_access allow lan

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 intercept
# The ssl-bump listener. The iptables rule that would DNAT port 443 to 3129 is
# commented out in the posted ruleset, so nothing reaches this port as is.
https_port 3129 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB
cert=/usr/local/squid/ssl_cert/myCA.pem

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s
/usr/local/squid/var/lib/ssl_db -M 4MB sslcrtd_children 5

always_direct allow all
# The subject asks for Bump-Server-First, but this line selects client-first
# bumping. To test server-first the action here would be
# `ssl_bump server-first all`.
ssl_bump client-first all
# DONT_VERIFY_PEER makes Squid accept any certificate from the origin server,
# so clients end up trusting a proxy-generated certificate for a server whose
# identity was never checked. Fine for a lab test; for real use drop this flag
# so origin certificates are verified (sslproxy_cafile can supply the trusted
# CA bundle if the system default is not sufficient).
sslproxy_flags DONT_VERIFY_PEER

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid/var/spool 7000 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/coredumps

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320