Re: [squid-users] Bypass bumping all websites in SSL transparent mode

From: Alex Crow <alex_at_nanogherkin.com>
Date: Tue, 12 Mar 2013 19:14:05 +0000

I thought ssl_bump should be defined on the http port, not the https
one. However I've not done transparent for ages so I could be wrong.

If you don't want it, why put it in the *_port directives at all?

Alex

On 12/03/13 19:00, David Touzeau wrote:
> Dear
>
> I would like to use Squid 3.3x in transparent SSL mode (in order to
> build a kind of HotSpot system).
> My issue is:
>
> "squid force to bump all websites and change the certificate even an
> ACL is created to deny bump websites."
>
> I would like to know if it is possible to do that?
>
> I have set this in the squid.conf
>
> # --------- SSL Listen Port
> https_port 192.168.1.204:3130 intercept ssl-bump cert=/etc/squid3/ssl/cacert.pem key=/etc/squid3/ssl/privkey.pem
> # --------- SSL Rules
> ssl_bump deny all
> always_direct allow all
>
> -A PREROUTING -p tcp -m tcp --dport 3128 -j DROP
> -A PREROUTING -p tcp -m tcp --dport 3130 -j DROP
> -A PREROUTING -s 192.168.1.204/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -s 192.168.1.204/32 -p tcp -m tcp --dport 443 -j ACCEPT
> -A PREROUTING -s 192.168.0.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -s 192.168.0.4/32 -p tcp -m tcp --dport 443 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
> -A POSTROUTING -j MASQUERADE
>
>
Received on Tue Mar 12 2013 - 19:14:08 MDT
