On 24/11/15 18:26, Amos Jeffries wrote:
That is two separate and entirely different traffic types:

A) [client] -> HTTP--(NAT)--> [my_proxy]

B) [client] -> TLS--(NAT)--> [my_proxy]


(A) requires "http_port ... intercept ssl-bump cert=/path/to/cert"

(B) requires "https_port ... intercept ssl-bump cert=/path/to/cert"

The above is the minimum configuration. The generate-* etc. settings you
mention below are useful as well.

In order to impersonate the server you also need to fetch the server details (peek or stare at step2), then bump at step3.

Yay, that seems to work! Here is the working config for [my_proxy]:

====
http_port 3128
http_port 8080 intercept
https_port 8443 intercept ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid/my-proxy.pem
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

#ssl_bump peek step1    # <- enabling this breaks it
ssl_bump stare step2
ssl_bump bump step3

cache_peer parent.example.com parent 3129 0 no-query ssl
never_direct allow all
====

And two iptables rules:

iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

Now the clients can either go explicitly to proxy on port 3128 or those who don't support setting proxy have [my_proxy] as their default gateway and the transparent proxy setup kicks in.

Thanks a lot Amos for your help!

Michael

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
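To make the step ordering Amos describes checkable, here is an added example (not from the thread and not Squid's own code): a small Python checker that parses the at_step ACLs and ssl_bump lines of a config excerpt and flags a bump issued before the server details have been fetched, or an intercept https_port lacking ssl-bump or cert=. The embedded sample config is constructed from the working config posted above.

```python
"""Check the ssl_bump / at_step ordering in a Squid config excerpt (added example)."""
import re

# Constructed sample, modelled on the working config posted in the thread above.
SAMPLE_CONF = """
https_port 8443 intercept ssl-bump generate-host-certificates=on \\
    dynamic_cert_mem_cache_size=4MB cert=/etc/squid/my-proxy.pem
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
#ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump step3
"""

def logical_lines(conf):
    """Strip comments and join backslash-continued lines, as Squid reads them."""
    out, buf = [], ""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    return [l for l in out if l]

def check_bump_config(conf):
    """Return a list of findings; an empty list means the ordering looks right."""
    lines = logical_lines(conf)
    # at_step ACL name -> SslBump step number
    steps = {m.group(1): int(m.group(2)) for m in
             (re.match(r"acl\s+(\S+)\s+at_step\s+SslBump([123])$", l) for l in lines) if m}
    findings, fetched_at_step2 = [], False
    for m in filter(None, (re.match(r"ssl_bump\s+(\S+)\s+(\S+)", l) for l in lines)):
        action, acl = m.groups()
        step = steps.get(acl)
        if step is None:
            findings.append(f"ssl_bump {action} {acl}: '{acl}' is not an at_step ACL")
        elif action in ("peek", "stare") and step == 2:
            fetched_at_step2 = True          # server details are fetched here
        elif action == "bump" and step < 3:
            findings.append(f"bump at SslBump{step}: no server details yet; bump at step3")
        elif action == "bump" and not fetched_at_step2:
            findings.append("bump at SslBump3 with no peek/stare at SslBump2 before it")
    for l in lines:
        if l.startswith("https_port") and "intercept" in l and not ("ssl-bump" in l and "cert=" in l):
            findings.append("https_port intercept needs both ssl-bump and cert=")
    return findings
```

Run it against your own squid.conf with `check_bump_config(open("/etc/squid/squid.conf").read())`; the sample above yields no findings.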