Re: [squid-users] Only checking URLs via Squid for SSL

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 24 Aug 2014 23:29:00 +1200

On 24/08/2014 9:32 p.m., Nicolás wrote:
> Hi Amos,
>
> El 24/08/2014 0:52, Amos Jeffries escribió:
>> On 24/08/2014 1:00 a.m., Nicolás wrote:
>>> Hi,
>>>
>>> I'm using Squid 3.3.8 as a transparent proxy, it works fine with HTTP,
>>> but I'd like to avoid caching HTTPS sites, and just determine whether
>>> the requested URL is listed as denied on Squid (via 'acl dstdom_regex'
>>> for instance), otherwise just make squid act as a proxy to the URL's
>>> content. Is that even possible without using SSL Bump? Otherwise, could
>>> you recommend the simplest way of achieving this?
>>>
>> No it is only possible with bumping. For transparent interception of
>> port 443 (HTTPS) use squid-3.4 with server-first bumping at minimum,
>> preferably squid-3.5 with peek-n-splice when it comes out.
>>
>> If you bump and still do not want to cache for some reason the cache
>> access control can be used like so:
>>
>> acl HTTPS proto HTTPS
>> cache deny HTTPS
>>
>>
>> Amos
>>
>
> I finally installed Squid 3.4.6 from source with --enable-ssl and
> --enable-ssl-crtd options and put the corresponding configuration line
> for ssl-bump:
>
> https_port 0.0.0.0:3130 intercept ssl-bump
> cert=/opt/certs/server.crt key=/opt/certs/server.key
>
> This cert is self-signed and evidently it produces the
> 'sec_error_untrusted_issuer' error on the clients' browsers. Would that
> warning disappear if I used a recognized CA to sign that cert that would
> match the Squid box's FQDN, or is the installation of the autosigned
> cert on every client's browser the only option here?

If the browser does not trust the signing CA it will warn.

Amos
Received on Sun Aug 24 2014 - 11:29:20 MDT
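The configuration the thread converges on (intercepted HTTPS with server-first bumping on Squid 3.4, a dstdom_regex deny list, and no caching of HTTPS), collected into one squid.conf fragment as an added example; it is not from the thread or the Squid project, and the file paths, port numbers, network range and ACL names are assumptions. The cert=/key= pair is the CA that signs the generated per-site certificates, so a browser stops warning only once that CA is in its trust store; a publicly signed certificate for the proxy's own FQDN does not change that, because the browser checks the name of the site it asked for.

```conf
# Added example (not from the thread or the Squid project). Squid 3.4,
# built with --enable-ssl --enable-ssl-crtd. Paths, ports, the network
# range and the ACL names are assumptions.

acl localnet src 192.168.0.0/16          # assumed client network

# Transparent HTTP interception (already working for the poster).
http_port 3128 intercept

# Port 443 traffic redirected here by the firewall. Squid mints a
# certificate for each bumped site, signed by the CA in cert=/key=,
# so generate-host-certificates=on is needed; that cert is a CA
# certificate, not a server certificate for the proxy's own FQDN.
https_port 3130 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/opt/certs/server.crt key=/opt/certs/server.key

# Helper that generates and caches the per-site certificates.
# Initialise its database once before starting Squid:
#   ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Squid 3.4 minimum recommended above: server-first bumping.
ssl_bump server-first all

# Deny list matched against the decrypted request's host name.
# One regex per line in the file, e.g.  (\.|^)example\.net$
acl blocked_sites dstdom_regex -i "/etc/squid/blocked_domains.txt"
http_access deny blocked_sites

# Bumped HTTPS is proxied but never stored (as suggested above).
acl HTTPS proto HTTPS
cache deny HTTPS

http_access allow localnet
http_access deny all
```

Check the result with `squid -k parse` before reloading, and confirm in access.log that bumped requests show the real host names rather than only CONNECT to IP addresses.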