On 06/06/2017 08:22 AM, Madonna, A. (spir-it) wrote:
> Known issue 2012 squid proxy 3.2
>
> http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss1.1
> • SSL-Bump not re-wrapping decrypted traffic in CONNECT for peers.
> + 5 years ago this already was a known issue. Apparently even after
> + 5 years there is still no proper solution. Can we expect anything
> regarding this in the near future?

FWIW, I am not aware of anybody working on this problem. Going forward,
your options include those outlined at the following FAQ entry:

http://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F

> This person already describes the issue in his blog and offers a solution
> although it's not perfect.
> https://www.mydlp.com/using-parent-proxy-ssl-bump-enabled-squid-3-2/

Yes, one can replace one problem with another. Or, to be more precise,
since we are apparently talking about going back to Squid v3.2, one can
replace one problem with a large bag of different problems. Pick your
poison.

> also it is still not clear to me if the traffic is encrypted again
> after leaving the squid proxy when doing ssl bump when using a parent
> proxy.

Bugs notwithstanding, the HTTPS traffic leaving modern Squids is
encrypted. The workaround at the above link re-introduces an old bug that
allows Squid to emit decrypted traffic.

Alex.

> -----Original message-----
> From: Alex Rousskov [mailto:[email protected]]
> Sent: Friday 2 June 2017 17:59
> To: Madonna, A. (spir-it) <[email protected]>;
> [email protected]
> Subject: Re: [squid-users] FW: squid proxy 3.5 redhat 7.3
>
> On 06/02/2017 01:37 AM, Madonna, A. (spir-it) wrote:
>
>> Clients -> squid proxy -> internet.
>> This works with the config as previously mentioned.
>
> OK.
>
>
>> Clients -> squid proxy (with cache_peer) -> Parent Proxy (not Squid)
>> -> internet Does not work.
>
> Even for regular HTTP traffic and non-bumped HTTPS traffic? If that traffic
> does not work, then you have misconfigured something or the Parent Proxy is
> badly broken. There is nothing special in the above setup as far as regular
> traffic is concerned.
>
>
>> However I've also setup the following:
>>
>> Clients -> Squid Proxy (with cache_peer) -> Parent Proxy (Squid Proxy)
>> -> internet
>>
>> This seems at least to work for http traffic, however, I don't see any HTTPS
>> traffic coming into the Parent Proxy (Squid).
>
> Squid does not know who made the parent proxy. The fact that one (presumably
> production-quality) proxy "does not work" and another "seems to work" implies
> that something is seriously misconfigured in one or both cases.
>
>
>> Now this morning I will do some more tcpdumping to see where that traffic is
>> going, but maybe you can already shed some light on this?
>
> I cannot shed more light on problems described only as "does not work"
> and "no traffic".
>
> Alex.
>
>
>> -----Original message-----
>> From: Alex Rousskov [mailto:[email protected]]
>> Sent: Thursday 1 June 2017 18:49
>> To: Madonna, A. (spir-it) <[email protected]>;
>> [email protected]
>> Subject: Re: [squid-users] squid proxy 3.5 redhat 7.3
>>
>> On 06/01/2017 10:09 AM, Madonna, A. (spir-it) wrote:
>>> can we use ssl_bump to intercept https traffic with a parent proxy
>>> (cache_peer).
>>
>> IIRC, you may be able to use limited SslBump features, but not the full
>> SslBump functionality: Peeking or staring at the origin server through a
>> cache_peer is not supported (yet).
>>
>>
>>> ssl_bump peek step1
>>> cache_peer ... parent 8080 0 no-query no-netdb-exchange no-digest
>>
>> Bugs notwithstanding, the above combination should work because peeking at
>> step1 does not require communication with a cache_peer and splicing at step2
>> should follow the regular (non-SslBump) tunneling path for CONNECTs, where
>> modern Squids do support cache peers.
>>
>>
>> I recommend that you make everything work without a cache_peer and then add
>> a cache_peer.
>>
>> Alex.
>>
>>
>> ________________________________
>>
>> Information from the Council for the Judiciary, the district courts, the courts of appeal
>> and the special tribunals can be found at www.rechtspraak.nl.
>> _______________________________________________
>> squid-users mailing list
>> [email protected]
>> http://lists.squid-cache.org/listinfo/squid-users
>>
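The "peek at step1, splice afterwards, forward the tunnel to a cache_peer" arrangement that Alex says should work, written out as an added squid.conf fragment (Squid 3.5 syntax); this is not configuration from the thread or from the Squid project, and the certificate path, helper path, client network and parent hostname are placeholders I assumed:

```conf
# Added illustration, not taken from the thread. Placeholders: bump.pem,
# the ssl_crtd helper path, 10.0.0.0/8 and parent.example.net.

# Explicit proxy port with SslBump enabled.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl/bump.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Certificate generator helper required by SslBump (path varies by distro).
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Step 1: only inspect the TLS ClientHello (SNI). This needs no contact with
# the origin server, so it does not depend on the cache_peer at all.
acl step1 at_step SslBump1
ssl_bump peek step1

# Step 2 and later: splice, i.e. tunnel the client's TLS bytes unchanged.
# Spliced CONNECTs take the regular tunnelling path, which supports peers.
# Do not change this to "bump": decrypting and then forwarding through a
# cache_peer is exactly the unsupported case discussed above.
ssl_bump splice all

# Upstream (parent) proxy, as in the thread; the hostname is a placeholder.
cache_peer parent.example.net parent 8080 0 no-query no-netdb-exchange no-digest

# Send everything via the parent so a test really exercises that path.
never_direct allow all

# Minimal access policy; narrow localnet to the real client ranges.
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Check the merged file with `squid -k parse` before reloading, then confirm with a capture on the parent that each CONNECT arrives and the bytes inside the tunnel are still TLS rather than plaintext.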
