On 03/12/2013 01:00 PM, David Touzeau wrote:
> "squid force to bump all websites and change the certificate even an ACL
> is created to deny bump websites."
>
> I would like to know if it is possible to do that ?
Changing server certificates without bumping SSL connections is not
possible. You may want to rephrase or detail what you want to do because
the above summary does not compute (as Alex Crow has noted).
Other than that, using https_port for bumping intercepted SSL
connections is the right approach.
Cheers,
Alex.
> I have set this in the squid.conf
>
> # --------- SSL Listen Port
> https_port 192.168.1.204:3130 intercept ssl-bump
> cert=/etc/squid3/ssl/cacert.pem key= /etc/squid3/ssl/privkey.pem
> # --------- SSL Rules
> ssl_bump deny all
> always_direct allow all
>
> -A PREROUTING -p tcp -m tcp --dport 3128 -j DROP
> -A PREROUTING -p tcp -m tcp --dport 3130 -j DROP
> -A PREROUTING -s 192.168.1.204/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -s 192.168.1.204/32 -p tcp -m tcp --dport 443 -j ACCEPT
> -A PREROUTING -s 192.168.0.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -s 192.168.0.4/32 -p tcp -m tcp --dport 443 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 80 -m comment --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -m comment -j REDIRECT
> --to-ports 3130
> -A POSTROUTING -m comment -j MASQUERADE
>
Received on Fri Mar 15 2013 - 22:23:50 MDT
This archive was generated by hypermail 2.2.0 : Sat Mar 16 2013 - 12:00:05 MDT