Re: [squid-users] Squid and SSL interception (ssl-bump)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 01 Nov 2012 11:59:46 +1300

On 01.11.2012 04:33, Heinrich Hirtzel wrote:
> Hello
>
> For a school project I'm trying to intercept SSL connections by using
> Squid (client -> squid (transparent) -> server).
> I'm running Squid 3.1.20 on Ubuntu server 12.10 (64 bit) using the
> following configuration:
>
> *************************************
> http_port 10.0.1.1.:3128 intercept
> https_port 10.0.1.1.:443 ssl-bump
> cert=/user/local/squid3/ssl_cert/myCA.pm
>
> acl our_networks src 10.0.1.0/24
> http_access allow our_networks
> forwarded_for off
> ssl_bump allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> *************************************
>
> I've compiled squid with SSL support (--enable-ssl). When starting Squid
> I do not get any error message. Also, proxying http traffic works
> without any problems.
>
> However, when I try to establish an HTTPS session through squid, the
> client retrieves the SSL certificate from squid, but after accepting it
> the browser displays an error message from squid that the URL is
> invalid:
>
> "The following error was encountered while trying to retrieve the
> URL: /.
>
> Invalid URL"
>
> In the Squid access.log I see the following line:
> "<timestamp> 0 10.0.1.5 NONE/440 3503 GET / - NONE/- text/html"
>
> It appears that squid does strip away the hostname / domain name of the
> URL the client tries to access, which causes the error message mentioned
> above.
>
> I've already spent hours in finding a solution for this problem and went
> through dozens of tutorials; unfortunately I wasn't able to find a
> solution so far.
>
> Any ideas what could be wrong?

You are missing the intercept flag on https_port. That is what tells
Squid how to interpret the URL and TCP layer differences in the port 80
and 443 syntax traffic.

Amos
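The missing flag is easy to overlook in a long squid.conf, so here is an added check (not part of the thread, and not Squid's own tooling) that lints a configuration for https_port lines that enable ssl-bump without the intercept flag. The sample configuration, the 8443 port and the certificate paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag https_port lines that use ssl-bump but lack the
# intercept flag. Without intercept, Squid does not parse the TCP-layer
# / URL differences of port-443 traffic and logs bare "GET /" requests.

# Constructed sample squid.conf: one https_port as posted in the question
# (no intercept), one corrected. Paths are placeholders, not real ones.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
http_port 10.0.1.1:3128 intercept
https_port 10.0.1.1:443 ssl-bump cert=/PLACEHOLDER/ssl_cert/myCA.pem
https_port 10.0.1.1:8443 intercept ssl-bump cert=/PLACEHOLDER/ssl_cert/myCA.pem
ssl_bump allow all
EOF

# Print each https_port directive that contains the word ssl-bump but
# not the word intercept. Leading whitespace is tolerated; comments and
# unrelated directives never match the first grep. The trailing "|| true"
# keeps an empty result (a clean config) from being treated as failure.
find_bump_without_intercept() {
    grep -E '^[[:space:]]*https_port[[:space:]]' "$1" \
      | grep -Ew 'ssl-bump' \
      | grep -Evw 'intercept' || true
}

# Number of offending lines (0 for a clean configuration).
count_bad() {
    find_bump_without_intercept "$1" | grep -c . || true
}

# Exit status 0 when every ssl-bump https_port also has intercept,
# 1 otherwise, with the offending lines reported on stderr.
lint_squid_conf() {
    bad=$(find_bump_without_intercept "$1")
    if [ -n "$bad" ]; then
        printf 'https_port with ssl-bump but no intercept flag:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# On the sample above this prints 1: the line as posted in the question.
count_bad "$SAMPLE_CONF"
```

Run it against a real file with `lint_squid_conf /path/to/squid.conf`; `squid -k parse` still has the final say on syntax.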
Received on Wed Oct 31 2012 - 22:59:49 MDT