Re: [squid-users] ssl-bump mode

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Mon, 07 Oct 2013 11:35:22 -0600

> On 10/07/2013 09:19 AM, Alex Rousskov wrote:
>> On 10/07/2013 03:29 AM, Jury Bogdanov wrote:
>>> Hello. I have some problems with ssl-bump mode. Can you help me, please?
>>> My configuration:
>>
>>> https_port 192.168.56.100:3130 transparent ssl-bump
>>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> cert=/home/mut/squid.pem key=/home/mut/squid.key
>>> acl vk dstdomain .vk.com
>>> ssl_bump server-first vk
>>> http_access deny vk all
>>
>>> But I can open https://vk.com

On 10/07/2013 10:57 AM, Jury Bogdanov wrote:
> In access.log I see CONNECT request to vk's ip

Your vk ACL is not using an IP address, it is using a domain name. The
client is using an IP address in their CONNECT request (this is common
for some clients). It is likely that the reverse DNS lookup of vk's IP
either fails or does not match vk.com. As a result, the vk ACL in your
"ssl_bump server-first" rule does not match and the connection is not
bumped.

To check, you can replace

  ssl_bump server-first vk

with

  ssl_bump server-first all

and see if the CA certificate used to encrypt the response changes to
that of Squid.

BTW, for most purposes,

  http_access deny vk all

is equivalent to

  http_access deny vk

Please double check that that is what you expect/want.

HTH,

Alex.
P.S. Please keep this thread on the mailing list.
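To see why a domain-name ACL can fail to match when the client CONNECTs to a raw IP, here is an added Python sketch (not Squid's code and not part of this thread) that emulates dstdomain matching; the pluggable resolver hook, the function names and the 192.0.2.x addresses are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Hypothetical resolver hook: IP string -> PTR hostname, or None on failure.
# Tests inject a fake resolver so the emulation runs offline.
Resolver = Callable[[str], Optional[str]]


def system_rdns(ip: str) -> Optional[str]:
    """Reverse lookup via the OS resolver (what Squid has to do for an IP)."""
    try:
        return socket.gethostbyaddr(ip)[0].lower().rstrip(".")
    except (socket.herror, socket.gaierror):
        return None


def dstdomain_matches(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: '.vk.com' matches vk.com and every
    subdomain; 'vk.com' without a leading dot matches that exact name only."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(patterns: Iterable[str], connect_target: str,
                rdns: Resolver = system_rdns) -> bool:
    """Evaluate 'acl X dstdomain <patterns>' against a CONNECT host[:port].

    A hostname target is matched directly. An IP-literal target can only
    match through a reverse lookup; if that lookup fails or returns a name
    outside the ACL, the rule does not fire and the connection is not bumped.
    """
    host = connect_target.rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)       # is the target an IP literal?
    except ValueError:
        pass                             # plain hostname, match as-is
    else:
        host = rdns(host)
        if host is None:                 # no PTR record: ACL cannot match
            return False
    return any(dstdomain_matches(p, host) for p in patterns)


if __name__ == "__main__":
    # Constructed CONNECT targets; a real rDNS answer is irrelevant here.
    fake_rdns = lambda ip: {"192.0.2.10": "cdn.example.net"}.get(ip)
    print(acl_matches([".vk.com"], "vk.com:443", fake_rdns))        # True
    print(acl_matches([".vk.com"], "192.0.2.10:443", fake_rdns))    # False
```

The second call mirrors the thread's situation: the CONNECT went to an IP whose PTR name is not under vk.com, so `ssl_bump server-first vk` never applies, while `ssl_bump server-first all` would.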
Received on Mon Oct 07 2013 - 17:35:53 MDT