[squid-users] SSL_Bump issue

From: Darren Breeze <darren.j.breeze_at_gmail.com>
Date: Mon, 3 Feb 2014 07:11:15 +0800

Hi

I am writing an icap application to do https intercept for a local
application. I have used Squid 3.4.2 setup ssl_bump as follows:

==========================================================================

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid3/ssl_cert/myCA.pem

always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable off
# icap_preview_size 1024
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1345/outbound
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1345/inbound
adaptation_access service_resp allow all

==========================================================================


It's all working and I can see the unencrypted body of pages such as
https://news.google.com in the icap application.

However, some of the news story thumbnails are failing to load as they are
being loaded off another https server, e.g.

https://lh3.googleusercontent.com/-TrtEHOgcMFE/AAAAAAAAAAI/AAAAAAAAAAA/K547x_dy1bY/s32/photo.jpg

Other URLs load OK coming off various servers, e.g.

https://t2.gstatic.com/images?q=tbn:ANd9GcQEUL_w18SM0m00j_JjU0KhoxaQ0MmrovPPV8-w_RclRK6RslWtD6ZUOmTfkOVu6dTnjbAUbeQ

I am guessing that squid would have to manage a large list of server certs
just to load this page and there is some limit I need to set higher?

Not sure.

Don't worry about the https intercept; I am just trying to add phrase
filtering to a proxy so I can lock down the kids' PC at home better. This is
nothing nasty.
Received on Sun Feb 02 2014 - 23:11:33 MST

This archive was generated by hypermail 2.2.0 : Mon Feb 03 2014 - 12:00:04 MST
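The poster's goal is phrase filtering through the respmod_precache service. As an added example (not Squid's code and not the poster's ICAP application), here is a minimal Python ICAP RESPMOD handler that parses a message of the shape Squid sends to icap://127.0.0.1:1345/inbound, scans the dechunked HTTP body, and answers either 204 (pass unchanged) or an ICAP 200 carrying a replacement 403 page. The blocked-phrase list, the ISTag value and the sample message are constructed; preview mode and REQMOD are not handled.

```python
"""Minimal ICAP RESPMOD phrase filter (added example, not Squid's or the poster's
code): parse one RESPMOD message as Squid sends it to the 'inbound' service,
dechunk the HTTP response body, reply 204 (unchanged) or swap in a 403 page."""
import re

BLOCKED = [b"forbidden phrase"]  # constructed sample phrase list (lower-case)

def parse_respmod(msg):
    """Split an ICAP RESPMOD message into (ICAP headers, res-hdr, dechunked body)."""
    head, _, rest = msg.partition(b"\r\n\r\n")
    icap = dict(re.findall(rb"([\w-]+):\s*([^\r\n]*)", head.split(b"\r\n", 1)[1]))
    # Encapsulated lists the byte offset of each section within the payload.
    offs = {k: int(v) for k, v in re.findall(rb"(\w+-\w+)=(\d+)", icap[b"Encapsulated"])}
    res_hdr = rest[offs[b"res-hdr"]:offs[b"res-body"]]
    body, chunked = b"", rest[offs[b"res-body"]:]
    while True:  # chunks are "<hexlen>\r\n<data>\r\n", ended by a zero-length chunk
        size_line, _, chunked = chunked.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        body, chunked = body + chunked[:size], chunked[size + 2:]
    return icap, res_hdr, body

def encapsulate(http_hdr, body):
    """Wrap an HTTP response (header bytes end in a blank line) as an ICAP 200 reply."""
    chunk = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    return (b"ICAP/1.0 200 OK\r\nISTag: \"phrase-filter-1\"\r\n"
            b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http_hdr)) + http_hdr + chunk

def filter_response(msg, blocked=BLOCKED):
    """Return the ICAP reply bytes for one RESPMOD message."""
    icap, res_hdr, body = parse_respmod(msg)
    if not any(p in body.lower() for p in blocked):
        # 204 is only legal when the client offered it (Squid sends Allow: 204).
        if b"204" in icap.get(b"Allow", b""):
            return b"ICAP/1.0 204 No Content\r\n\r\n"
        return encapsulate(res_hdr, body)  # echo the original response back
    page = b"<html><body>Blocked by phrase filter</body></html>"
    hdr = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(page)
    return encapsulate(hdr, page)

def build_sample(body):
    """Construct a RESPMOD message shaped like Squid's (constructed test input)."""
    req = b"GET / HTTP/1.1\r\nHost: news.google.com\r\n\r\n"
    res = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    chunk = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    return (b"RESPMOD icap://127.0.0.1:1345/inbound ICAP/1.0\r\nHost: 127.0.0.1:1345\r\n"
            b"Allow: 204\r\nEncapsulated: req-hdr=0, res-hdr=%d, res-body=%d\r\n\r\n"
            % (len(req), len(req) + len(res))) + req + res + chunk
```

Because the service is configured with bypass=0, a handler that fails to answer makes Squid fail the whole request, so the reply path for clean responses matters as much as the block path.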