Hi,

I needed to set up Squid as a transparent proxy with SSL bumping for only one single https website. The goal was to bump https connections to this website with its official signed SSL certificate.

As an illustration:

Website/hostname: https://abc.mydomain.com
DNS: abc.mydomain.com A 1.2.3.4
Official wildcard certificate: CN = *.mydomain.com (server.crt, server.key)

I used Squid 3.4.10 from the CentOS repository and configured iptables DNAT rules for intercepting.

Squid config:
https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>
acl MYSITE dst 1.2.3.4
ssl_bump server-first MYSITE
ssl_bump none all

Everything worked perfectly. All traffic to https://abc.mydomain.com was bumped for caching purposes, all traffic to other https websites was simply tunneled. Squid did not need to generate faked server certificates and clients were left untouched (no proxy settings, no self-signed CA).

Now some parts of the website are delivered by Amazon CloudFront. CloudFront has the SSL certificate installed (same official signed certificate as mentioned above).

Additional website/hostname: https://xyz.mydomain.com
DNS: xyz.mydomain.com CNAME <distribution>.cloudfront.net
Official wildcard certificate: CN = *.mydomain.com (server.crt, server.key)

I cannot simply extend my ACL with all destination IPs used by CloudFront, because these are shared IPs and CloudFront needs to know which domain/hostname is asked to provide the correct certificate. Usually a client uses the SNI extension of TLS to transmit the required domain/hostname.

I have heard of the new "SSL Peek and Splice" feature in Squid 3.5 but don't get it working (Squid 3.5.9).

My assumption is that I have to use in Squid's config:
https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>
acl MYSITE ssl:server_name .mydomain.com
ssl_bump bump MYSITE
ssl_bump splice all

This results in tunneling all https traffic, nothing will be bumped and cached. I'm a little bit confused about the documentation:

Under the headline "Processing steps":
Step 2:

  1.  Get TLS clientHello info, including SNI where available.

Under the headline "Actions":
peek/stare Receive client SNI (step1), ...

Is it possible to achieve my goal with Squid in transparent mode?
In other words: Is there a way to bump https connections to destinations with shared IPs?

Best,
Stefan

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
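The following is an added configuration example, not part of the original post and not the poster's own config: it shows the staged Squid 3.5 ssl_bump rules (peek at step 1 so the SNI is read before the bump/splice decision is made at step 2). It assumes the same `<squid-ip>`, port 3443 and `server.crt`/`server.key` as in the post.

```conf
# Added example (not from the original post): Squid 3.5 ssl_bump rules that
# peek at the TLS ClientHello first so the SNI is known before deciding.
# Assumes the same <squid-ip>, server.crt/server.key and port 3443 as above.
https_port <squid-ip>:3443 intercept ssl-bump cert=<server.crt> key=<server.key>

# Step ACLs: at SslBump1 only the destination IP/port is known,
# at SslBump2 the client's ClientHello (including SNI) has been read.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Match on the SNI name (ssl::server_name, with two colons in Squid 3.5),
# not on the destination IP, so shared CloudFront addresses are no problem.
acl MYSITE ssl::server_name .mydomain.com

# At step 1 the SNI has not been seen yet, so a "bump MYSITE" rule cannot
# match there; peek first to obtain it without altering the handshake.
ssl_bump peek step1

# At step 2 the SNI is known: bump only our own hostnames, tunnel the rest.
ssl_bump bump MYSITE
ssl_bump splice all
```

Check the result with `squid -k parse` before reloading; with a first-match rule set, the `peek step1` line must come before the `bump`/`splice` lines or every connection is decided at step 1 without SNI.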