Re: [squid-users] https could not access with ssl bump in squid 3.4

From: Jerry OELoo <oyljerry_at_gmail.com>
Date: Wed, 26 Feb 2014 15:06:04 +0800

Hi Amos:
Thanks for your quick feedback.
1) I do not quite understand what you said about connecting to host
10.64.12.100; I just find it in B's (10.64.12.101) squid cache.log.

2) I have not added any other settings in squid.conf about interception.

3) As you mentioned, https_port requires NAT interception. In my
scenario, A and B are on the same LAN, I want A to use B as an HTTPS
proxy, and I want to use SSL bump to monitor A's HTTPS content. So is
there any way to achieve that?

On Wed, Feb 26, 2014 at 2:36 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 2014-02-26 16:15, Jerry OELoo wrote:
>>
>> Hi All:
>> I am new to Squid, I want to try its SSL Bump, Please kindly check as
>> below. Thanks in advance.
>>
>> Network topology:
>>
>> A, client, Windows7, IP: 10.64.12.100,
>> B, Proxy server, Ubuntu, running Squid, IP: 10.64.12.101
>>
>
> Okay. However that log snippet below says that the website your client is
> trying to connect to is being hosted on 10.64.12.100 port 32843.
>
>
>
>> kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on
>> local=10.64.12.101:3130 remote=10.64.12.100:32843 FD 12 flags=33: (92)
>> Protocol not available
>
>
> How is the interception being done?
>
>
>
>> # Https Port
>> https_port 3130 intercept ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB
>> cert=/usr/local/etc/squidcert/certs/proxyCert.pem
>> key=/usr/local/etc/squidcert/private/proxyKey.pem
>>
>
> This port configuration requires NAT interception.
>
> Amos

-- 
Rejoice,I Desire!
Received on Wed Feb 26 2014 - 07:06:12 MST
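
A diagnostic check for the situation in this thread, added here as an example and not code from the thread's participants or the Squid project: it cross-references the port modes in squid.conf with the ORIGINAL_DST failures in cache.log and lists intercept ports that clients reached without NAT information. The sample config and log text are constructed from the lines quoted above (the timestamps and the second log line are invented), and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the config and log lines quoted in the thread.
SAMPLE_CONF = """\
http_port 3128
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squidcert/certs/proxyCert.pem key=/usr/local/etc/squidcert/private/proxyKey.pem
"""
SAMPLE_LOG = """\
2014/02/26 11:02:13 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.64.12.101:3130 remote=10.64.12.100:32843 FD 12 flags=33: (92) Protocol not available
2014/02/26 11:02:14 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.64.12.101:3130 remote=10.64.12.100:32844 FD 13 flags=33: (92) Protocol not available
"""

PORT_RE = re.compile(r"^\s*(https?_port)\s+(\S+)(.*)$")
NAT_FAIL_RE = re.compile(
    r"getsockopt\(ORIGINAL_DST\) failed on local=(\S+):(\d+) remote=(\S+):(\d+)")
MODES = ("intercept", "tproxy", "accel")

def listening_ports(conf_text):
    # Map port number -> (directive, traffic mode); no mode flag means forward proxy.
    ports = {}
    for line in conf_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            directive, addr, opts = m.groups()
            port = int(addr.rsplit(":", 1)[-1])  # accepts "3130" or "ip:3130"
            mode = next((f for f in opts.split() if f in MODES), "forward")
            ports[port] = (directive, mode)
    return ports

def nat_lookup_failures(log_text):
    # Count failed ORIGINAL_DST lookups per (local port, client IP).
    counts = {}
    for m in NAT_FAIL_RE.finditer(log_text):
        key = (int(m.group(2)), m.group(3))
        counts[key] = counts.get(key, 0) + 1
    return counts

def diagnose(conf_text, log_text):
    # Intercept ports that accepted connections for which the NAT lookup failed.
    ports = listening_ports(conf_text)
    findings = []
    for (port, client), n in sorted(nat_lookup_failures(log_text).items()):
        directive, mode = ports.get(port, ("unknown", "unknown"))
        if mode == "intercept":
            findings.append((port, client, n, directive))
    return findings

if __name__ == "__main__":
    for port, client, n, directive in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print(f"{directive} {port} is 'intercept' but {client} hit it "
              f"{n} time(s) with no NAT record")
```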
