> Hi
>
> I know this question has been asked before but I didn't quite comprehend the 
> answer.
>
> I have got squid working as an explicit SSL proxy using SSLbump with Dynamic 
> SSL certs.
>
> I have also managed to get it working as a transparent proxy.
>
> When I try the combination of the above 2 it doesn't seem to work.
>
> It seems to be rewriting my https requests to http. Also dynamic ssl certs 
> don't seem to be working. However squid definitely intercepts the request 
> so it seems like the NAT bit is fine.

I am not sure about the code in 3.2, but I faced a similar issue in
3.1.19 and I think the problem is still lurking in 3.2 as well. You
might want to look at
http://bugs.squid-cache.org/show_bug.cgi?id=2976. There is a
hard-coded value that causes all requests to be forcibly written to
"http", even "https".
You can reverse it via this patch:
http://bugs.squid-cache.org/attachment.cgi?id=2375


>
> When I browse a website that's listening on 443 only I get "Zero Sized Reply" 
> and when I browse a website that's listening on both 80/443 it works 
> sometimes but the certificate is wrong.
>
> This person seems to have it working
>
> http://dvas0004.wordpress.com/2011/03/22/squid-transparent-ssl-interception/
>
> and I am pretty much copying his config.
>
> Here is my relevant config
>
> ---------------------------------------------------------------
> http_port 3128 transparent
> https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.pem
> http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.pem
>
> always_direct allow all
> ssl_bump allow all
> # the following two options are unsafe and not always necessary:
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> --------------------------------------------------------------
>
> Thanks
>
> Daniel
>
>



-- 
Regards,
-Ahmed Talha Khan
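
An added example, not part of either message above: a small check for the two options the quoted config itself marks as unsafe. On an ssl-bump port the client only ever sees the certificate Squid generates, so with origin verification switched off an invalid upstream certificate goes unnoticed. The function names `directives` and `audit` are hypothetical, and the sample config is constructed from the directives quoted in the thread.

```python
import re

# Constructed sample: the directives quoted in the thread, wrapped lines joined.
SAMPLE_CONF = """\
http_port 3128 transparent
https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.pem
http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.pem
always_direct allow all
ssl_bump allow all
# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

def directives(text):
    """Yield (line_no, name, args) for each non-comment squid.conf line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield no, name, args

def audit(text):
    """Return (line_no, message) findings for weakened origin-server TLS checks."""
    bumped, weak = [], []
    for no, name, args in directives(text):
        if name in ("http_port", "https_port") and "ssl-bump" in args:
            # "transparent" is the older keyword, "intercept" the newer one.
            mode = "intercepting" if {"transparent", "intercept"} & set(args) else "explicit"
            bumped.append(f"{args[0]} ({mode})")
        elif name == "sslproxy_flags":
            if "DONT_VERIFY_PEER" in re.split(r"[,\s]+", " ".join(args)):
                weak.append((no, "origin certificates are not verified"))
        elif name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            weak.append((no, "every origin certificate error is accepted"))
    # Attach the bumped ports so each finding shows which listeners are affected.
    scope = ", ".join(bumped) or "no ssl-bump port found"
    return [(no, f"{msg}; bumped ports: {scope}") for no, msg in weak]

if __name__ == "__main__":
    for no, msg in audit(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```
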
