On 2013-03-12, Jiri B <ji...@devio.us> wrote:
> On Tue, Mar 12, 2013 at 03:59:27PM +0000, Stuart Henderson wrote:
>> For 2.7 you must have the proxy configured specifically in your browser
>> for this to work - the SSL interception features are only in 3.x, and
>> the "server first" mode which works with transparent (a.k.a.
>> interception) proxy needs 3.3.
>> 
>> http://wiki.squid-cache.org/Features/BumpSslServerFirst
>> 
>> (this mode dynamically generates server certificates on-the-fly and
>> requires your CA certificate to be installed in browsers to avoid
>> validation failure errors).
>
> I have thought squid could get original IP from divert socket or
> was reading from /dev/pf in the past for this reason.
>
> So you want to say that squid checks HTTP header only?
>
> jirib
>
>

If you're doing SSL interception with on-the-fly certificate generation,
the IP address isn't enough, you need the hostname so you can put it in the
CN field.

ServerFirst mode connects to the origin server, fetches the hostname and
some other certificate parameters, and generates a new cert based on these;
this means that UI for various failure modes (expired certs, invalid
hostname etc) can be done at the client side.
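
The certificate parameters a server-first bump pulls from the origin (the names that go into the generated cert's CN/SAN) and the failure modes it leaves for the client to show, as an added illustration that is not from this thread or from Squid's code. The origin certificate here is a constructed sample in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; `gmt_seconds` is a small assumed wrapper around `ssl.cert_time_to_seconds`.

```python
import ssl
import time

# Constructed sample origin certificate, in the dict format returned by
# ssl.SSLSocket.getpeercert() (subject RDNs, SAN tuples, GMT validity strings).
ORIGIN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")),
    "notBefore": "Mar 12 00:00:00 2013 GMT",
    "notAfter": "Mar 12 00:00:00 2014 GMT",
}


def gmt_seconds(cert_time):
    """Epoch seconds for a getpeercert()-style 'Mon DD HH:MM:SS YYYY GMT' string."""
    return ssl.cert_time_to_seconds(cert_time)


def cert_hostnames(cert):
    """Names the origin cert vouches for: SAN DNS entries if present, else the CN.
    These are the names a server-first proxy copies into the cert it generates."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: a '*' wildcard covers only the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".cdn.example.com"
        head = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
        return bool(head) and "." not in head
    return pattern == hostname


def origin_cert_problems(cert, requested_host, now=None):
    """Failure modes the proxy should not hide but pass on to the client."""
    now = time.time() if now is None else now
    problems = []
    if now > gmt_seconds(cert["notAfter"]):
        problems.append("expired")
    if now < gmt_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    if not any(name_matches(n, requested_host) for n in cert_hostnames(cert)):
        problems.append("hostname-mismatch")
    return problems


if __name__ == "__main__":
    print(cert_hostnames(ORIGIN_CERT))
    print(origin_cert_problems(ORIGIN_CERT, "www.example.com"))
```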
