Re: [squid-users] Bypass bumping all websites in SSL transparent mode

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 15 Mar 2013 16:23:47 -0600

On 03/12/2013 01:00 PM, David Touzeau wrote:

> "squid force to bump all websites and change the certificate even an ACL
> is created to deny bump websites."
>
> I would like to know if it is possible to do that?

Changing server certificates without bumping SSL connections is not
possible. You may want to rephrase or detail what you want to do because
the above summary does not compute (as Alex Crow has noted).

Other than that, using https_port for bumping intercepted SSL
connections is the right approach.

Cheers,

Alex.

> I have set this in the squid.conf
>
> # --------- SSL Listen Port
> https_port 192.168.1.204:3130 intercept ssl-bump cert=/etc/squid3/ssl/cacert.pem key=/etc/squid3/ssl/privkey.pem
> # --------- SSL Rules
> ssl_bump deny all
> always_direct allow all
>
> -A PREROUTING -p tcp -m tcp --dport 3128 -j DROP
> -A PREROUTING -p tcp -m tcp --dport 3130 -j DROP
> -A PREROUTING -s 192.168.1.204/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -s 192.168.1.204/32 -p tcp -m tcp --dport 443 -j ACCEPT
> -A PREROUTING -s 192.168.0.4/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -s 192.168.0.4/32 -p tcp -m tcp --dport 443 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 80 -m comment -j REDIRECT --to-ports 3128
> -A PREROUTING -p tcp -m tcp --dport 443 -m comment -j REDIRECT --to-ports 3130
> -A POSTROUTING -m comment -j MASQUERADE
>
Received on Fri Mar 15 2013 - 22:23:50 MDT
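As an added example, not code from this thread or from the Squid project: a squid.conf fragment that exempts chosen sites from bumping while bumping everything else, using the peek-and-splice ssl_bump directives available from Squid 3.5 on. The ACL contents, the certificate helper path and the cache sizes are assumptions.

```conf
# Added example, not from the original thread. Requires Squid 3.5 or later.
# The quoted "ssl_bump deny all" disables bumping for every connection; the
# rules below instead exempt specific sites and bump the rest.

# Intercept port: mints per-host certificates signed by the proxy CA.
https_port 192.168.1.204:3130 intercept ssl-bump cert=/etc/squid3/ssl/cacert.pem key=/etc/squid3/ssl/privkey.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# Helper that generates the per-host certificates (path is an assumption).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Sites that must keep their original server certificate (assumed list).
acl nobump ssl::server_name .bank.example
acl nobump ssl::server_name .mail.example

# Step 1: read the client's TLS ClientHello (SNI) without altering it.
acl step1 at_step SslBump1
ssl_bump peek step1

# Exempted sites are spliced: the TLS session passes through end to end and
# the client sees the real server certificate. Everything else is bumped.
ssl_bump splice nobump
ssl_bump bump all
```

To confirm the exemption works, connect to an exempted host through the proxy and check that the certificate issuer is the site's public CA rather than the proxy CA in cacert.pem.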
