[squid-users] squid ssl transparent proxy

From: <johnmccain_2_at_libero.it>
Date: Thu, 27 Feb 2014 19:13:49 +0100 (CET)

Hi everyone,

I hope someone can help me :) I have this problem:

Squid is running as an SSL transparent proxy, and at the moment it's receiving
all the traffic with these two iptables rules:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

So far no problem at all. Everything works perfectly ... but when I add any
simple acl to block an SSL website, I get this browser error: ssl connection
error (ERR_SSL_PROTOCOL_ERROR)

Also, if I try to run Squid with the line currently commented out in the conf
pasted below, I get a certificate error (domain mismatch) from the client.

http_port 3128 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/proxy_matrix-test_com.crt key=/usr/local/squid/ssl_cert/squid.key
acl broken_sites dstdomain google.it
ssl_bump none localnet
ssl_bump none broken_sites
#ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

(proxy_matrix-test_com.crt is signed by a recognized certification authority)

Any ideas?

Thanks.
Received on Thu Feb 27 2014 - 18:13:57 MST
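The following is an added example, not part of the original post or of Squid itself. It models how Squid walks the ssl_bump rule chain for an intercepted HTTPS connection (first matching line wins, all acls on a line must match, `!acl` negates, and a connection that matches no line is not bumped; that default is an assumption of this model). It parses the conf fragment above, with a constructed `localnet` src acl added because the post does not define one, and can be used to check which connections a given configuration will actually bump before an `http_access deny` is expected to produce a browser-visible error page. One detail worth seeing in code: a `dstdomain` value without a leading dot matches only that exact host, so `google.it` does not cover `www.google.it`.

```python
"""Evaluate Squid ssl_bump rules for a client/destination pair.

Simplified model of Squid 3.x semantics (assumption, not Squid's own code):
  - rules are evaluated in file order, first match wins
  - every acl named on a rule line must match (AND), '!name' negates
  - the built-in acl 'all' always matches
  - if no rule matches, the connection is not bumped ('none')
Only 'dstdomain' and 'src' acl types are modelled.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the conf fragment from the post plus a 'localnet' acl,
# which the post uses but does not show. The server-first line stays commented.
SAMPLE_CONF = """\
http_port 3128 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/proxy_matrix-test_com.crt key=/usr/local/squid/ssl_cert/squid.key
acl localnet src 192.168.0.0/16
acl broken_sites dstdomain google.it
ssl_bump none localnet
ssl_bump none broken_sites
#ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
"""

# Same conf with the server-first rule enabled, as the post says was tried.
BUMP_ALL_CONF = SAMPLE_CONF.replace("#ssl_bump server-first all", "ssl_bump server-first all")


@dataclass
class Rule:
    action: str        # none | server-first | client-first (Squid 3.x actions)
    acls: list         # acl names, possibly prefixed with '!'


def parse_conf(text):
    """Return (acls, rules): acls maps name -> (type, [values])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment, so a commented rule is ignored
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "ssl_bump" and len(parts) >= 3:
            rules.append(Rule(parts[1], parts[2:]))
    return acls, rules


def dstdomain_match(pattern, host):
    """Squid dstdomain: '.example.com' matches the domain and subdomains,
    'example.com' matches that exact host only."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acls, name, client_ip, host):
    if name == "all":
        return True
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name not in acls:
        raise KeyError(f"acl '{name}' used but never defined")
    kind, values = acls[name]
    if kind == "dstdomain":
        hit = any(dstdomain_match(v, host) for v in values)
    elif kind == "src":
        addr = ipaddress.ip_address(client_ip)
        hit = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    else:
        raise ValueError(f"acl type '{kind}' is not modelled here")
    return hit != negate


def decide(conf_text, client_ip, host):
    """Return the ssl_bump action Squid would apply to this connection."""
    acls, rules = parse_conf(conf_text)
    for rule in rules:
        if all(acl_matches(acls, a, client_ip, host) for a in rule.acls):
            return rule.action
    return "none"   # assumption: no matching rule means the TLS session is left alone


if __name__ == "__main__":
    for conf_name, conf in (("as posted", SAMPLE_CONF), ("server-first enabled", BUMP_ALL_CONF)):
        for client, host in (("192.168.1.20", "www.google.it"),
                             ("203.0.113.9", "google.it"),
                             ("203.0.113.9", "www.google.it")):
            print(f"{conf_name:22} {client:14} {host:16} -> {decide(conf, client, host)}")
```

With the conf as posted, every HTTPS connection ends up with action `none`, because the only bumping rule is commented out: nothing is ever bumped, so Squid has no way to show a blocked-site error page inside the TLS session, and the client sees a raw protocol error. With server-first enabled, connections from outside `localnet` to hosts other than the exact `google.it` are bumped; `www.google.it` is still bumped, since the acl has no leading dot.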

This archive was generated by hypermail 2.2.0 : Fri Feb 28 2014 - 12:00:06 MST