> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Saturday, May 11, 2013 6:01 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] SQUID / transparent proxying
>
> Really? "seamlessly"? I think you did not have it working at all then.
Thanks for the response. Perhaps more information will help.
> This same exact configuration will work identically in in all squid-2.6+ and
> squid-3.0+, even the 3.2/3.2 versions. Traffic will be terminated by Squid
> using
> the *single* static certificate you configured Squid with.
> All clients will get a popup on *every* HTTPS site they visit warning about a
> hijack by your proxy unless you have configured them to trust your
> self-signing
> CA.
> If you see anything different you have either *not* intercepted the traffic
> like
> you thought. Or the SSL on your network is fundamentally broken beyond repair.
The https_ports are configured for the web sites' CN that they are terminating.
> Ah, *NAT* is not working on the Squid box. This is unrelated to the HTTPS
> parts.
>
> The NAT operations _must_ be done on the Squid box. Use policy routing
> to move packets between machines without NAT to get them to the Squid box.
I have read that. My particular configuration is a bit different...
Squid is terminating SSL for several domains.
www.domain1.com
www.domain2.com
foobar.domain1.com
The external facing Internet IPs have a destination NAT on an external facing
device. IE:
www.domain1.com -> 1.2.3.4 -> 10.10.0.50
www.domain2.com -> 1.2.3.5 -> 10.10.0.60
foobar.domain1.com -> 1.2.3.4 -> 10.10.0.50
Example excerpt SQUID 2.6 configuration:
https_port 10.10.0.50:443 cert=/etc/squid/keys/wildcard.domain1.com.crt
key=/etc/squid/keys/wildcard.domain1.key
cipher=RC4-MD5:RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA options=NO_SSLv2
transparent
https_port 10.10.0.60:443 cert=/etc/squid/keys/www.domain2.com.crt
key=/etc/squid/keys/www.domain2.key
cipher=RC4-MD5:RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA options=NO_SSLv2
transparent
url_rewrite_host_header off
url_rewrite_program /etc/squid/redirector-https.pl
acl TheOriginServer dstdomain www.domain1.com
acl TheOriginServer dstdomain www.domain2.com
acl TheOriginServer dstdomain foobar.domain1.com
http_access allow TheOriginServer
http_access deny all
Hosts file pointing to internal load balancer IPs:
10.10.0.150 www.domain1.com
10.10.0.150 foobar.domain1.com
10.10.0.160 www.domain2.com
Works great. Provides client termination, URI re-writes, and caching of static
content. I have been unable to successfully configure Squid 3.3 in a similar
fashion. I have been using the new intercept with ssl-bump on the https_port
and ssl_bump client-first TheOriginServer. I have tried several different
things unsuccessfully. Do you have any thoughts how I can maintain this
configuration with Squid 3.3?
Please pardon the confidentiality notice message.
Thanks,
Warner
CONFIDENTIALITY STATEMENT: All information included in this Communication,
including attachment(s), is intended solely for delivery and authorized use by
the intended recipient(s), and may contained privileged, confidential,
proprietary and/or trade secret information entitled to protection and/or
exempt from disclosure under applicable law. If you are not the intended
recipient, please note that any use, distribution or copying of this
Communication is unauthorized and may be unlawful. If you have received this
Communication in error, please notify the sender and delete this Communication
from your computer.
