Re: [squid-users] Capabilities of Squid as SSL MITM

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 22 Jun 2012 10:27:35 -0600

On 06/21/2012 10:34 AM, A G wrote:

> I am trying to set up squid as a transparent ssl mitm proxy.

You will need to run trunk with a BumpSslServerFirst patch recently
posted on squid-dev. The patch implements the following feature that is
essential for bumping transparent SSL connections in production:
http://wiki.squid-cache.org/Features/BumpSslServerFirst

In my response, I will assume that you are doing the above.

> 1. http_port intercept means squid will place its own ip in the
> packet sent to the destination. Is this correct?

Yes, although the option means more than that, of course.

> 2. http_port tproxy means squid will preserve the client's ip in the
> packet sent to the destination, is this correct?

Yes, although the option means more than that, of course.

> 3. Does ssl bump work only with CONNECT messages? i.e. clients must have
> their browser set to use squid as a proxy.

No. It works for both CONNECT and intercepted transactions.

> But http://wiki.squid-cache.org/Features/SslBump also says it can mitm
> transparently redirected SSL traffic. So ssl bump works in
> 'transparent/intercept' mode;

Yes, it does, but without BumpSslServerFirst, bumping intercepted
connections generates too many warnings for production use.

> 4. What is the
> point of using http_port (xyz) ssl-bump if port xyz cannot receive ssl
> traffic? Wouldn't ssl-bump ONLY be used with https_port, not http_port?

Use http_port for bumping CONNECT requests.
Use https_port for bumping intercepted SSL connections.

> 5.
> After all this, is it possible to use tproxy with ssl-bump?

Yes.

> That is, do
> SSL man in the middle whilst preserving the client's IP address?

Yes.

HTH,

Alex.
Received on Fri Jun 22 2012 - 16:27:54 MDT
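The port layout Alex describes (http_port for CONNECT bumping, https_port for intercepted or tproxy'd SSL, with the server-first bumping mode from the BumpSslServerFirst feature) written out as a squid.conf fragment. This is an added illustration, not configuration from the thread; the port numbers, certificate path and ssl_crtd path are assumed placeholders.

```conf
# Added example squid.conf fragment (not from the original message).
# Ports, cert path and helper path are placeholders; adjust for your host.

# Case A: browsers configured to use the proxy. Clients send CONNECT,
# so bumping is done on a plain http_port. (Question 4, first answer.)
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl_cert/proxyCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Case B: transparently redirected TLS traffic. Intercepted SSL
# connections are bumped on an https_port. (Question 4, second answer.)
# 'intercept': Squid uses its own IP toward the origin server (question 1).
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/proxyCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Case C: same as B but the client's IP is preserved toward the origin
# server (questions 2 and 5). Use this line INSTEAD of the 'intercept'
# line above; a port is either intercept or tproxy, not both.
# https_port 3129 tproxy ssl-bump \
#     cert=/etc/squid/ssl_cert/proxyCA.pem \
#     generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Bump only after connecting to the origin server first. This is the
# BumpSslServerFirst behaviour the message says is required for
# intercepted connections; it lets Squid mimic the real server certificate
# instead of guessing from the (absent) CONNECT request.
ssl_bump server-first all

# Helper that generates per-host certificates signed by proxyCA.pem.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Fail closed on origin certificate errors rather than hiding them
# from the client (the default); only relax this deliberately.
sslproxy_cert_error deny all
```

Whichever of B or C is used, clients still must trust proxyCA.pem, and the redirect or tproxy rules on the host must deliver port 443 traffic to the https_port chosen here.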
