Quote from Amos Jeffries <squid3_at_treenet.co.nz>:
> Leonardo Carneiro - Veltrac wrote:
>>
>> Amos Jeffries wrote:
>>> Some facts worth knowing:
>>>
>>> * 3.0 does not support sslBump or any other form of HTTPS
>>> man-in-middle attacks. 3.1 is required for that.
>>>
>>> * sslBump in 3.1 requires that the client machines all have a CA
>>> certificate installed to make them trust the proxy for decryption.
>>>
>>> * sslBump requires clients to be configured for using the proxy.
>>> (Some of the 'transparent' above work this way some do not.)
>>>
>>> Amos
>> Hi Amos. What is the advantage of using sslBump if I cannot use a
>> transparent proxy with it? Is it the ability to cache SSL content?
>> Tks in advance.
>
> Somewhat. Mostly for corporate networks AV scanning or filtering
> HTTPS connections.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
> Current Beta Squid 3.1.0.18
>
Transparent HTTPS is working with squid 3.1.0.15_beta-r1.
By transparent I mean that the browser requests are routed to
Squid without any client configuration.
iptables:
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:3129
squid.conf:
  http_port 127.0.0.1:3128
  http_port 192.9.200.32:3128 transparent
  https_port 192.9.200.32:3129 transparent sslBump cert=/etc/squid/ssl_cert/proxy.testdomain.deCert.pem key=/etc/squid/ssl_cert/private/proxy.testdomain.deKey_without_Pp.pem
The only problem I have is that the browser gives warnings, because
the certificate doesn't match the domain!
Could I get other problems with cookies or something else?
Can I run this squid version in a production environment?
Now I will test it for some hours.
Regards,
Stefan
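A small consistency check for the interception setup Stefan posted, added here as an example and not code from the thread or the Squid project: it parses the DNAT rules and the squid.conf port lines (copied from the post, wrapped lines rejoined) and reports any redirected port that does not land on a Squid listener with the options that port needs ('transparent' for intercepted traffic, an https_port with sslBump plus cert= and key= for port 443).

```python
# Added example (not from the thread or the Squid project): lint the DNAT rules
# against the squid.conf listeners. Rule and config text is copied from the post,
# with the wrapped lines rejoined.
import re

IPTABLES_RULES = """
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.1:3129
"""
SQUID_CONF = """
http_port 127.0.0.1:3128
http_port 192.9.200.32:3128 transparent
https_port 192.9.200.32:3129 transparent sslBump cert=/etc/squid/ssl_cert/proxy.testdomain.deCert.pem key=/etc/squid/ssl_cert/private/proxy.testdomain.deKey_without_Pp.pem
"""

def parse_dnat(rules):
    """Map client destination port -> Squid port from DNAT rules of the shape used above."""
    pat = re.compile(r"--dport (\d+) -j DNAT --to-destination [\d.]+:(\d+)")
    return {int(m.group(1)): int(m.group(2)) for m in pat.finditer(rules)}

def parse_ports(conf):
    """One dict per http_port/https_port line: directive, address, port, option tokens."""
    listeners = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("http_port", "https_port"):
            addr, _, port = parts[1].rpartition(":")  # 'ip:port' or bare 'port'
            listeners.append({"directive": parts[0], "addr": addr or "*",
                              "port": int(port), "options": set(parts[2:])})
    return listeners

def check(rules, conf):
    """Return findings; an empty list means each DNAT target has a suitable listener."""
    findings, listeners = [], parse_ports(conf)
    for dport, sport in parse_dnat(rules).items():
        same_port = [l for l in listeners if l["port"] == sport]
        if not same_port:
            findings.append(f"dport {dport} -> {sport}: Squid has no listener on that port")
            continue
        want = {"transparent", "sslBump"} if dport == 443 else {"transparent"}  # 443 needs sslBump too
        ok = [l for l in same_port if want <= l["options"]
              and (dport != 443 or l["directive"] == "https_port")]
        if not ok:
            findings.append(f"dport {dport} -> {sport}: no listener with {sorted(want)}")
            continue
        for l in (ok if dport == 443 else []):  # sslBump needs a cert and key to present
            for key in ("cert=", "key="):
                if not any(o.startswith(key) for o in l["options"]):
                    findings.append(f"{l['addr']}:{sport}: sslBump listener lacks {key}")
    return findings
```

Addresses are not compared (the post's DNAT target 192.168.1.1 and the 192.9.200.32 listeners differ), and the files cannot show whether clients trust the certificate, which Amos's note above says sslBump requires.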
Received on Wed Mar 24 2010 - 13:17:02 MDT
This archive was generated by hypermail 2.2.0 : Wed Mar 24 2010 - 12:00:06 MDT