[squid-users] Unable to get bump-server-first working with intercept

From: dococ <apoptygma+squid_at_gmail.com>
Date: Thu, 12 Sep 2013 19:14:06 -0700 (PDT)

I've been trying for some time to get a transparent proxy with HTTPS
interception working.
I've read a number of guides and most have fairly obvious mistakes (which
were not obvious when I started this project).
I've successfully created a CA and, upon registering this CA on a connected
client, am able to intercept HTTPS when using Squid in an explicit
configuration; however, bump + transparent is still not working.

I've built Squid 3.3.8 with --enable-ssl --enable-ssl-crtd.

Currently I've got the following config.

Output from iptables:

----------------------------
# Generated by iptables-save v1.4.14 on Fri Sep 13 11:23:36 2013
*nat
:PREROUTING ACCEPT [482:102521]
:INPUT ACCEPT [127:11625]
:OUTPUT ACCEPT [256:16542]
:POSTROUTING ACCEPT [8:1004]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A POSTROUTING -o wwan0 -j MASQUERADE
-A POSTROUTING -o wwan0 -j MASQUERADE
--------------------------------

and squid.conf as follows:

--------------------------------
visible_hostname server
httpd_suppress_version_string on
forwarded_for off
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
# Safe_ports and CONNECT are referenced below but were not in the posted
# snippet; Squid refuses to start on an undefined ACL, so the standard
# definitions are assumed here (extend the Safe_ports list as required).
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow localnet
http_access deny manager
http_access deny all

http_port 3128 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

always_direct allow all
ssl_bump server-first all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

----------------------------------

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Unable-to-get-bump-server-first-working-with-intercept-tp4662105.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Fri Sep 13 2013 - 02:14:08 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 13 2013 - 12:00:07 MDT
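The post pairs an iptables NAT ruleset with a squid.conf, and the two have to agree: every REDIRECT target must be a Squid listener flagged `intercept`, redirected 443 traffic must land on an `https_port` with `ssl-bump`, and every ACL named in an `http_access` or `ssl_bump` line must actually be defined (Squid treats an undefined ACL as a fatal configuration error). The following lint is an added example written for this page, not code from the poster or from the Squid project; the embedded squid.conf and iptables-save text are constructed samples modelled on the post, and the set of built-in ACL names is the Squid 3.x set (`all`, `localhost`, `to_localhost`, `manager`).

```python
"""Cross-check a squid.conf against an iptables-save dump for interception setups."""
import re

# Constructed sample input, modelled on the configuration in the post.
SQUID_CONF = """\
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow localnet
http_access deny manager
http_access deny all
http_port 3128 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
ssl_bump server-first all
"""

# Constructed sample, modelled on the iptables-save output in the post.
IPTABLES_SAVE = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A POSTROUTING -o wwan0 -j MASQUERADE
COMMIT
"""

# ACLs Squid 3.x defines implicitly; anything else must appear in an 'acl' line.
BUILTIN_ACLS = {"all", "localhost", "to_localhost", "manager"}

# Directives whose arguments after the action are ACL names.
ACL_USING_DIRECTIVES = ("ssl_bump", "always_direct", "never_direct")


def parse_squid_conf(text):
    """Return (defined ACL names, [(lineno, referenced ACL)], {port: listener spec})."""
    defined, references, listeners = set(), [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0]
        if directive == "acl" and len(tokens) >= 3:
            defined.add(tokens[1])
        elif directive.endswith("_access") or directive in ACL_USING_DIRECTIVES:
            # tokens[1] is the action (allow/deny/server-first/...); the rest are ACLs,
            # possibly negated with a leading '!'
            for tok in tokens[2:]:
                references.append((lineno, tok.lstrip("!")))
        elif directive in ("http_port", "https_port"):
            port = int(tokens[1].rsplit(":", 1)[-1])   # handles "3130" and "addr:3130"
            listeners[port] = {
                "directive": directive,
                "intercept": "intercept" in tokens[2:],
                "ssl_bump": "ssl-bump" in tokens[2:],
            }
    return defined, references, listeners


def parse_redirects(text):
    """Return [(dport, to_port)] for nat PREROUTING REDIRECT rules."""
    pattern = re.compile(r"-A PREROUTING .*--dport (\d+) .*-j REDIRECT --to-ports (\d+)")
    return [(int(m.group(1)), int(m.group(2)))
            for m in (pattern.search(l) for l in text.splitlines()) if m]


def lint(squid_conf, iptables_save):
    """Return a list of human-readable findings; an empty list means the two agree."""
    defined, references, listeners = parse_squid_conf(squid_conf)
    findings = []
    for lineno, name in references:
        if name not in defined and name not in BUILTIN_ACLS:
            findings.append(f"line {lineno}: ACL '{name}' is used but never defined")
    for dport, to_port in parse_redirects(iptables_save):
        spec = listeners.get(to_port)
        if spec is None:
            findings.append(f"iptables redirects port {dport} to {to_port}, "
                            f"but no http_port/https_port listens there")
            continue
        if not spec["intercept"]:
            findings.append(f"port {to_port} receives redirected traffic but lacks 'intercept'")
        if dport == 443 and not (spec["directive"] == "https_port" and spec["ssl_bump"]):
            findings.append(f"port {to_port} receives redirected TLS (443) "
                            f"but is not an https_port with ssl-bump")
    return findings


if __name__ == "__main__":
    for finding in lint(SQUID_CONF, IPTABLES_SAVE) or ["no findings"]:
        print(finding)
```

Run against the sample, the lint flags `Safe_ports` and `CONNECT` as undefined (the two ACLs the posted snippet references without defining) and reports the port mapping as consistent; pointing a REDIRECT at a port Squid does not listen on produces a separate finding.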