Re: [squid-users] Only checking URLs via Squid for SSL

From: Nicolás <nicolas_at_devels.es>
Date: Sun, 24 Aug 2014 10:32:01 +0100

Hi Amos,

El 24/08/2014 0:52, Amos Jeffries escribió:
> On 24/08/2014 1:00 a.m., Nicolás wrote:
>> Hi,
>>
>> I'm using Squid 3.3.8 as a transparent proxy, it works fine with HTTP,
>> but I'd like to avoid caching HTTPS sites, and just determine whether
>> the requested URL is listed as denied on Squid (via 'acl dstdom_regex'
>> for instance), otherwise just make squid act as a proxy to the URL's
>> content. Is that even possible without using SSL Bump? Otherwise, could
>> you recommend the simplest way of achieving this?
>>
> No it is only possible with bumping. For transparent interception of
> port 443 (HTTPS) use squid-3.4 with server-first bumping at minimum,
> preferably squid-3.5 with peek-n-splice when it comes out.
>
> If you bump and still do not want to cache for some reason the cache
> access control can be used like so:
>
> acl HTTPS proto HTTPS
> cache deny HTTPS
>
>
> Amos
>

I finally installed Squid 3.4.6 from source with --enable-ssl and
--enable-ssl-crtd options and put the corresponding configuration line
for ssl-bump:

     https_port 0.0.0.0:3130 intercept ssl-bump cert=/opt/certs/server.crt key=/opt/certs/server.key

This cert is self-signed and evidently it produces the
'sec_error_untrusted_issuer' error on the clients' browsers. Would that
warning disappear if I used a recognized CA to sign that cert that would
match the Squid box's FQDN, or is the installation of the autosigned
cert on every client's browser the only option here?

Thanks!
Received on Sun Aug 24 2014 - 09:32:16 MDT
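As an added illustration, not part of the thread, here is a constructed squid.conf fragment that puts together the pieces discussed above for Squid 3.4 (an intercepting https_port with ssl-bump and the ssl_crtd helper, server-first bumping, a dstdom_regex deny list, and "cache deny HTTPS" so decrypted responses are never stored). The ports, file paths, the blocked-domains file and the localnet range are assumptions; the cert/key given to https_port must be the signing CA the ssl_crtd helper uses to mint per-site certificates.

```conf
# Constructed example for Squid 3.4, not the poster's or Amos's config.
# Paths, ports and the localnet range are assumptions.
acl localnet src 192.168.1.0/24

# Plain HTTP interception (unchanged from a normal transparent setup)
http_port 0.0.0.0:3129 intercept

# HTTPS interception: the cert/key here is the CA that signs the
# per-site certificates generated on the fly by ssl_crtd
https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/certs/ca.crt key=/opt/certs/ca.key

# Certificate-generation helper (built with --enable-ssl-crtd)
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Fetch the real server certificate first, then mimic it for the client
ssl_bump server-first all

# Denied destinations, one regex per line in the listed file
acl blocked dstdom_regex -i "/etc/squid/blocked_domains.txt"
http_access deny blocked
http_access allow localnet
http_access deny all

# Still proxy HTTPS, but never store the decrypted responses
acl HTTPS proto HTTPS
cache deny HTTPS
```

The ssl_db directory must be initialised once with "ssl_crtd -c -s /var/lib/squid/ssl_db" and be writable by the Squid user before the helper can mint certificates.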