RE: [squid-users] squid 3.2.0.17 + transparent + sslbump

From: Daniel Niasoff <daniel.niasoff_at_intelliworkspace.com>
Date: Tue, 17 Apr 2012 10:16:04 +0000

Thanks Ahmed,

That worked, well sort of anyway.

Squid is now successfully transparently intercepting SSL but as stated on the wiki, certificate rewrite doesn't work.

So I guess the only real solution is explicit proxy.

I tried to play around with WPAD + PAC but that is only useful when PCs are on a corporate network with centrally managed DNS/DHCP.

My clients are home users with their own broadband routers which manage their own DHCP.

So any ideas what I can do if I want to set up a proxy service for SSL with minimum effort required from users and no control of DHCP?

Thanks

Daniel

-----Original Message-----
From: Ahmed Talha Khan [mailto:auny87_at_gmail.com]
Sent: 17 April 2012 10:21
To: Daniel Niasoff
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] squid 3.2.0.17 + transparent + sslbump

> Hi
>
> I know this question has been asked before but I didn't quite comprehend the answer.
>
> I have got squid working as an explicit SSL proxy using SSLbump with Dynamic SSL certs.
>
> I have also managed to get it working as a transparent proxy.
>
> When I try the combination of the above 2 it doesn't seem to work.
>
> It seems to be rewriting my https requests to http. Also dynamic ssl certs doesn't seem to be working. However squid definitely intercepts the request so it seems like the NAT bit is fine.

I am not sure about the code in 3.2 but I faced a similar issue in 3.1.19 and I think the problem is still lurking in 3.2 as well. You might want to look at http://bugs.squid-cache.org/show_bug.cgi?id=2976. There is a hard-coded value that causes all requests to be forcibly written to "http" even "https".
You can reverse it via this patch
http://bugs.squid-cache.org/attachment.cgi?id=2375

>
> When I browse a website that's listening on 443 only I get "Zero Sized Reply" and when I browse a website that's listening on both 80/443 it works sometimes but the certificate is wrong.
>
> This person seems to have it working
>
> http://dvas0004.wordpress.com/2011/03/22/squid-transparent-ssl-interception/
>
> and I am pretty much copying his config.
>
> Here is my relevant config
>
> ---------------------------------------------------------------
> http_port 3128 transparent
> https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.pem
> http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.pem
>
> always_direct allow all
> ssl_bump allow all
> # the following two options are unsafe and not always necessary:
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> --------------------------------------------------------------
>
> Thanks
>
> Daniel
>
>

--
Regards,
-Ahmed Talha Khan
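An added example, not from either poster: a small checker for squid.conf fragments like the one quoted in the thread. It flags the two directives the poster's own comment marks as unsafe (`sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER`), since with both set a bumping proxy accepts any upstream certificate and the bumped clients, who only see the proxy's own certificate, lose server authentication entirely. The sample config and the finding texts are constructed here.

```python
# Added example: audit a squid.conf fragment for ssl-bump ports combined with
# directives that disable upstream certificate verification.

# Constructed sample: the fragment from the thread, one directive per line.
SAMPLE_CONF = """\
http_port 3128 transparent
https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.pem
http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.pem

always_direct allow all
ssl_bump allow all
# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""


def parse_directives(text):
    """Return [(directive, [args...])] for every non-empty, non-comment line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def audit_sslbump(text):
    """Return a list of finding strings; empty means nothing flagged."""
    findings = []
    bump_ports = []
    for name, args in parse_directives(text):
        if name in ("http_port", "https_port") and "ssl-bump" in args:
            bump_ports.append(args[0])  # port or ip:port spec
        elif name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all: upstream certificate errors are ignored")
        elif name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append("sslproxy_flags DONT_VERIFY_PEER: upstream certificate chain is not verified")
    if bump_ports and findings:
        findings.append("ssl-bump on ports %s: clients trust the proxy cert, but the proxy trusts anything upstream"
                        % ", ".join(bump_ports))
    return findings


if __name__ == "__main__":
    for finding in audit_sslbump(SAMPLE_CONF):
        print(finding)
```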
Received on Tue Apr 17 2012 - 10:16:09 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 17 2012 - 12:00:03 MDT