[squid-users] ssl-bump not working in non transparent mode
I have set up a squid 3.3.9 with ssl-bump enabled. When I access through transparent mode it's working fine, but when I use the proxy address in my browser (non transparent mode) it's not working. Following is my squid configuration:

visible_hostname 10.10.16.56
http_port 10.10.16.56:3127 intercept
http_port 10.10.16.56:3128
https_port 10.10.16.56:3129 generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/mycert.pem intercept ssl-bump
always_direct allow all
ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 10
hierarchy_stoplist cgi-bin ?
negative_ttl 0
icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_resp allow all
Re: [squid-users] ssl-bump not working in non transparent mode
Hey Nil,

Are you aware that you need to use the "ssl-bump" flags and dynamic_cert_mem etc on the forward regular proxy mode?
such as:
http_port 10.10.16.56:3128 ssl-bump ...(all other settings)

For it to work?

Eliezer

On 06/27/2014 03:45 PM, Nil Nik wrote:
> http_port 10.10.16.56:3127 intercept
> http_port 10.10.16.56:3128
> https_port 10.10.16.56:3129 generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/mycert.pem intercept ssl-bump
RE: [squid-users] ssl-bump not working in non transparent mode
Thanks for your reply. I used the following line & it's working fine:

http_port 10.10.16.56:3128 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/mycert.pem

But now it's showing a certificate error for every https website. How can we resolve this error?

> Date: Sat, 28 Jun 2014 21:47:48 +0300
> From: elie...@ngtech.co.il
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] ssl-bump not working in non transparent mode
>
> Hey Nil,
>
> Are you aware that you need to use the "ssl-bump" flags and
> dynamic_cert_mem etc on the forward regular proxy mode?
> such as:
> http_port 10.10.16.56:3128 ssl-bump ...(all other settings)
>
> For it to work?
>
> Eliezer
>
> On 06/27/2014 03:45 PM, Nil Nik wrote:
>> http_port 10.10.16.56:3127 intercept
>> http_port 10.10.16.56:3128
>> https_port 10.10.16.56:3129 generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/mycert.pem intercept ssl-bump
>
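Added example (not part of the thread and not Squid project code): a small checker for the point in Eliezer's reply, that ssl_bump rules only take effect on listening ports that carry the ssl-bump flag and its certificate options. The sample input is the port lines from the first message; the function names parse_ports and audit are hypothetical.

```python
import shlex

# Port lines and ssl_bump rule copied from the first message in the thread.
SAMPLE_CONF = """\
http_port 10.10.16.56:3127 intercept
http_port 10.10.16.56:3128
https_port 10.10.16.56:3129 generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/mycert.pem intercept ssl-bump
ssl_bump server-first all
"""

def parse_ports(conf_text):
    """Return (ports, has_bump_rule) parsed from squid.conf text."""
    ports, has_bump_rule = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        directive, *args = shlex.split(line)
        if directive == "ssl_bump":
            has_bump_rule = True
        elif directive in ("http_port", "https_port") and args:
            flags = {a for a in args[1:] if "=" not in a}
            opts = dict(a.split("=", 1) for a in args[1:] if "=" in a)
            # intercept and tproxy both mean traffic is redirected to the port
            mode = "intercept" if flags & {"intercept", "tproxy"} else "forward"
            ports.append({"directive": directive, "listen": args[0],
                          "mode": mode, "ssl_bump": "ssl-bump" in flags,
                          "opts": opts})
    return ports, has_bump_rule

def audit(conf_text):
    """List (listen, message) findings for ports that will not bump as intended."""
    ports, has_bump_rule = parse_ports(conf_text)
    findings = []
    for p in ports:
        if p["ssl_bump"] and "cert" not in p["opts"]:
            findings.append((p["listen"], "ssl-bump set but no cert= option"))
        if (has_bump_rule and p["directive"] == "http_port"
                and p["mode"] == "forward" and not p["ssl_bump"]):
            findings.append((p["listen"],
                             "forward port lacks ssl-bump; CONNECT is tunnelled"))
    return findings

if __name__ == "__main__":
    for listen, msg in audit(SAMPLE_CONF):
        print(f"{listen}: {msg}")
```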