Great thanks, I'll try it later. Thanks

On 6 July 2015 at 22:06, "Yuri Voinov" <yvoi...@gmail.com> wrote:

> My own solution in conjunction with Tor + Privoxy looks like this (Note:
> for Squid 3.4.13):
>
> # Tor acl
> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>
> # SSL bump rules
> sslproxy_cert_error allow all
> ssl_bump none localhost
> ssl_bump none url_nobump
> ssl_bump none dst_nobump
> ssl_bump server-first net_bump
>
> # Privoxy+Tor access rules
> never_direct allow tor_url
> always_direct deny tor_url
> always_direct allow all
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Local Privoxy is cache parent
> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>
> cache_peer_access 127.0.0.1 allow tor_url
> cache_peer_access 127.0.0.1 deny all
>
> http_port 3127
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
> key=/usr/local/squid/etc/rootCA.key
> sslproxy_capath /etc/opt/csw/ssl/certs
> sslproxy_options NO_SSLv2 NO_SSLv3
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> Generally, works like a charm.
>
> 06.07.15 15:22, adam900710 wrote:
> > Hi all,
> >
> > I tried to build a ssl bumping proxy with an up-level proxy, but the client
> > failed to connect like the following.
> >
> > The error:
> > ---
> > $ curl https://www.google.co.jp -vvvv -k
> > * Rebuilt URL to: https://www.google.co.jp/
> > * Trying ::1...
> > * Connected to localhost (::1) port 3128 (#0)
> > * Establish HTTP proxy tunnel to www.google.co.jp:443
> > > CONNECT www.google.co.jp:443 HTTP/1.1
> > > Host: www.google.co.jp:443
> > > User-Agent: curl/7.43.0
> > > Proxy-Connection: Keep-Alive
> > >
> > < HTTP/1.1 200 Connection established
> > <
> > * Proxy replied OK to CONNECT request
> > * ALPN, offering http/1.1
> > * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> > * successfully set certificate verify locations:
> > * CAfile: /etc/ssl/certs/ca-certificates.crt
> > CApath: none
> > * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> > * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> > * Unknown SSL protocol error in connection to www.google.co.jp:443
> > * Closing connection 0
> > curl: (35) Unknown SSL protocol error in connection to www.google.co.jp:443
> > ---
> >
> > My squid.conf:
> > ---
> > # default acls/configs are ignored
> > cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
> > never_direct allow all
> > ssl_bump peek all
> > ssl_bump bump all
> > http_port 3128 ssl-bump \
> >   cert=/etc/squid/ssl/ca.crt \
> >   key=/etc/squid/ssl/ca.key \
> >   generate-host-certificates=on \
> >   dynamic_cert_mem_cache_size=4MB
> > ---
> >
> > From the cache_peer port, someone may notice that I'm using privoxy.
> > That's right, as I need to redirect the ssl traffic to a SOCKS5 proxy,
> > or I can't ever access some sites.
> >
> > Here are some of my experiments:
> > 1) Remove "never_direct"
> > Then ssl_bump works as expected, but all traffic doesn't go through
> > the SOCKS5 proxy. So there are a lot of sites I can't access.
> >
> > 2) Use local 8118 proxy
> > That works fine without any problem, but SSL bump is needed...
> > So that just proves privoxy is working.
> >
> > Any clue?
> >
> > Thanks
> > _______________________________________________
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
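The two configurations quoted in the thread differ in one structural way: the original poster bumps everything and also forces everything to the Privoxy peer, while Yuri bumps only net_bump and peers only tor_url. As an added example (not code from either poster), the script below parses squid.conf fragments and reports ACL names that appear both in a decrypting ssl_bump rule and in a never_direct allow rule. The sample configs are constructed from the thread; the acl definitions behind url_nobump, dst_nobump and net_bump are assumed because the thread never shows them, and the overlap check is by ACL name only, not by what the ACLs actually match.

```python
# Added example: flag ACL names that a squid.conf both SSL-bumps and
# forces through the cache_peer with "never_direct allow".

# Constructed sample: the original poster's config as quoted in the thread.
OP_CONF = """
cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
never_direct allow all
ssl_bump peek all
ssl_bump bump all
"""

# Constructed sample modelled on Yuri's config. The acl lines that define
# url_nobump and net_bump are assumed; the thread omits them.
YURI_CONF = """
acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
ssl_bump none url_nobump
ssl_bump server-first net_bump
never_direct allow tor_url
always_direct allow all
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
cache_peer_access 127.0.0.1 allow tor_url
"""

# ssl_bump actions that actually decrypt the client connection; none,
# splice and terminate do not, and peek/stare only inspect before deciding.
BUMP_ACTIONS = {"bump", "server-first", "client-first"}


def parse(conf):
    """Return (bumped, peered): ACL names used positively in ssl_bump rules
    that decrypt, and in never_direct allow rules (negated !acl skipped)."""
    bumped, peered = set(), set()
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3:
            continue
        acls = {a for a in parts[2:] if not a.startswith("!")}
        if parts[0] == "ssl_bump" and parts[1] in BUMP_ACTIONS:
            bumped |= acls
        elif parts[0] == "never_direct" and parts[1] == "allow":
            peered |= acls
    return bumped, peered


def conflicts(conf):
    """Sorted ACL names that are both bumped and sent to the peer. Overlap
    is judged by name only; the built-in 'all' overlaps every other name."""
    bumped, peered = parse(conf)
    if "all" in bumped or "all" in peered:
        both = bumped | peered if bumped and peered else set()
    else:
        both = bumped & peered
    return sorted(both)
```

Run `conflicts()` over a real squid.conf to see which ACL names would be both decrypted and relayed to the parent; an empty result is the shape Yuri's working config has.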