Re: [squid-users] [ext] Squid quits while starting?!

2023-09-28 Thread Ralf Hildebrandt
* Bud Miljkovic :
> # Intercept transparent HTTPS traffic
> https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> ssl_bump splice all
> sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
^ I think the p

[squid-users] Squid quits while starting?!

2023-09-28 Thread Bud Miljkovic
I am trying to run Squid on the `open-embedded` pyro distro on my target. Here is the `squid-ota.conf` file which is during the squid start: ``` #Visible hostname visible_hostname ctct-r2 # An ACL named 'whitelist' acl whitelist dstdomain '/etc/squid/whitelist.ota' # Allow whitelisted URLs throu

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
On 2023-09-28 20:35, Fernando Giorgetti wrote: Do you have any recommendations on how I could have it done? I am unable to confirm whether Squid can do what you want or provide configuration recommendations because I do not yet know how your Squid will receive traffic (e.g., an intercepting

Re: [squid-users] TLS passthrough

2023-09-28 Thread Fernando Giorgetti
> > Bugs notwithstanding, none of the configuration > sketches I shared previously will do that though. Do you have any recommendations on how I could have it done? When my tls client tries to reach the target through Squid, using a "ssl_bump splice", it seems like squid is trying to reach itself

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
On 2023-09-28 15:23, Fernando Giorgetti wrote:
Actually with the suggested blind passthrough, Squid would not handle the TLS termination.

Correct.

how will Squid know what the target is?

In many cases, Squid can learn SNI by peeking at TLS ClientHello, without terminating TLS. Bugs notwi

Re: [squid-users] TLS passthrough

2023-09-28 Thread Fernando Giorgetti
Actually with the suggested blind passthrough, Squid would not handle the TLS termination. So without a reverse proxy (accel mode), how will Squid know what the target is? On Thu, Sep 28, 2023 at 1:02 PM Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2023-09-28 11:31, Fernando Gior

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
On 2023-09-28 11:31, Fernando Giorgetti wrote: And what should I do to let Squid use the SNI defined by the TLS client? What do you want Squid to use that SNI for? Alex. On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov wrote: On 2023-09-28 09:06, Fernando Giorgetti wrote: > Hi Matu

Re: [squid-users] TLS passthrough

2023-09-28 Thread Fernando Giorgetti
Hello Alex, thanks for your reply. And what should I do to let Squid use the SNI defined by the TLS client? Thanks again, Fernando On Thu, Sep 28, 2023 at 11:51 AM Alex Rousskov < rouss...@measurement-factory.com> wrote: > On 2023-09-28 09:06, Fernando Giorgetti wrote: > > Hi Matus, do you mean

Re: [squid-users] No valid signing SSL certificate configured for HTTPS_port

2023-09-28 Thread Alex Rousskov
On 2023-09-28 00:52, Bud Miljkovic wrote:
# Intercept transparent HTTPS traffic
https_port 3129 intercept ssl-bump ssl_bump splice all

This should be refactored into two lines:

https_port 3129 intercept ssl-bump ...
ssl_bump splice all

After that, replace "..." above with cert=... and

Re: [squid-users] TLS passthrough

2023-09-28 Thread Alex Rousskov
On 2023-09-28 09:06, Fernando Giorgetti wrote: Hi Matus, do you mean something like a DNAT (iptables) rule? If so, I would say, it should work as well. But this is an environment I do not control, and I have been told to try using an existing squid installation to proxy non-http/TLS data through

Re: [squid-users] TLS passthrough

2023-09-28 Thread Matus UHLAR - fantomas
On 28.09.23 10:06, Fernando Giorgetti wrote:
Hi Matus, do you mean something like a DNAT (iptables) rule?

that was my question.

If so, I would say, it should work as well.

If you want simply redirect incoming connections to another IP/port, port redirector should work just like DNAT. Bu

Re: [squid-users] TLS passthrough

2023-09-28 Thread Fernando Giorgetti
Hi Matus, do you mean something like a DNAT (iptables) rule? If so, I would say, it should work as well. But this is an environment I do not control, and I have been told to try using an existing squid installation to proxy non-http/TLS data through. I appreciate any guidance or recommendation.

Re: [squid-users] [ext] no more cache_object://127.0.0.1/counters URL in 6.3?

2023-09-28 Thread Ralf Hildebrandt
* Alex Rousskov :
> > > 2023/09/27 22:42:57| ERROR: Squid BUG: assurance failed:
> > > tok.skip(WellKnownUrlPathPrefix())
> > > exception location: cache_manager.cc(193) ParseUrl
> > > current master transaction: master59170
>
> That bug has been fixed in master/v7. For details, includ

Re: [squid-users] SIGABRT (coredump) in Ip::Address::getAddrInfo(addrinfo*&, int)

2023-09-28 Thread Matus UHLAR - fantomas
On 2023-09-27 11:08, Dmitry Katsubo wrote: After upgrading Squid from v4.13-10+deb11u2 (bullseye) to v5.7-2 (bookworm) I started to get about 5 core dumps per day like below. How can I find out the root of the problem and eliminate it? On 27.09.23 13:15, Alex Rousskov wrote: Your Squid is