Re: [squid-users] Squid SSL Bump transparently CONNECT for another proxy

From: Jatin Bhasin <>
Date: Tue, 10 Jun 2014 20:00:00 +1000


1) But because of firewall rules settings, the only way we can connect
to internet is through PROXY2. PROXY1 will not be allowed to connect
to internet. So cannot go to internet via PROXY1 and still needs to
bump the connection to see the decrypted traffic.
So what are my options? Should I be looking towards changing squid
code to handle this scenario?


On Sun, Jun 8, 2014 at 12:20 PM, Amos Jeffries <> wrote:
> On 8/06/2014 10:03 a.m., Jatin Bhasin wrote:
>> Hello,
>> 1) I have to bump the SSL request because I want to pass the decrypted
>> traffic to the eCap adapter so that I can look for viruses in the
>> traffic and block them if found.
>> 2) I cannot inroduce Proxy1 in the client browser. The only option I
>> have is PROXY1 sitting in the middle of Client and PROXY2 and then
>> PROXY1 should decrypt the traffic and send it to the ecap adapter for
>> virus checking and block them.
> Okay so far so good.
> Use intercept rules in the PROXY1 machines networking stack *without*
> the intercept flag in squid.conf. PROXY1 does not have to do any network
> level un-NAT hacks to process requests destined explicitly to itself or
> any other HTTP proxy.
> You may encounter problems getting the decoded traffic back to PROXY2
> though. The released Squid versions do not yet generate CONNECT requests
> for upsream unless one is intercepting port 443 traffic and *bypassing*
> the ssl-bump.
> PROXY1 will try to use port 443 HTTPS itself.
> Amos
Received on Tue Jun 10 2014 - 10:00:12 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 10 2014 - 12:00:04 MDT