On Wed, Jul 11, 2018 at 7:03 PM Hess, Niklas <niklas.h...@webit-wetterau.de> wrote:
> Hello list,
>
> I’m setting up a Squid proxy specifically to scan the incoming traffic from a cloud platform.
> ClamAV should scan the incoming traffic.
>
> So far so good.
>
> The cloud uses WebDAV over HTTPS, so I have to SSL-Bump the incoming traffic via the Peek and Splice feature.
> That works indeed with the CA signed internal Certificate.
>
> But as soon as I add a cache_peer as a “parent proxy” it does not work. (This request could not be forwarded to the origin server or to any parent caches.)
> I just get “FwdState.cc(813) connectStart: fwdConnectStart: Ssl bumped connections through parent proxy are not allowed” in the cache.log
>
> And yes I know ssl-bump through a parent proxy is a security issue and might be insecure, but the connection to the parent is internal, safe and secure.
> I don’t know how, but could there be a way to “comment out” the section in fwdConnectStart source file?
>
> Squid Cache: Version 3.5.27
> Service Name: squid
> configure options: '--with-openssl' '--enable-ssl-crtd'
>
> Here’s my “minimal” SSL-Bump config:
>
> ### Start config
>
> debug_options ALL,6
> shutdown_lifetime 1 seconds
>
> http_port 8080 ssl-bump cert=/usr/local/squid/etc/ssl_cert/Squidtest.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 25 startup=5 idle=10
>
> cache_peer 10.106.3.66 parent 8080 0 no-query no-digest name=parent
>
> never_direct allow all
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
>
> ssl_bump bump all

Did you forget to copy at_step acls?

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

> http_access allow all
>
> ### End config
>
> Thanks for any help!
> Niklas

--
- Kedar
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
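
An added example, not part of either message and not Squid's own code: a small static check that flags the directive combination from the quoted config that produced the "Ssl bumped connections through parent proxy are not allowed" log line on Squid 3.5.27, plus the two directives in it that turn off origin certificate validation. The function names and finding IDs are hypothetical, and the sample config is constructed from the directives quoted in the thread.

```python
# Added example: static audit of a squid.conf (hypothetical helper names).
# SAMPLE_CONF is constructed from the directives quoted in the thread.
SAMPLE_CONF = """\
http_port 8080 ssl-bump cert=/usr/local/squid/etc/ssl_cert/Squidtest.pem generate-host-certificates=on
cache_peer 10.106.3.66 parent 8080 0 no-query no-digest name=parent
never_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump bump all
http_access allow all
"""

BUMP_ACTIONS = {"bump", "client-first", "server-first"}  # actions that decrypt


def parse(conf):
    """Return (directive, [args]) pairs, skipping blank and comment lines."""
    pairs = []
    for raw in conf.splitlines():
        tokens = raw.split()
        if tokens and not tokens[0].startswith("#"):
            pairs.append((tokens[0], tokens[1:]))
    return pairs


def audit(conf):
    """Return finding IDs, in a fixed order, for the given squid.conf text."""
    d = parse(conf)
    has = lambda pred: any(pred(name, args) for name, args in d)
    findings = []
    bump_port = has(lambda n, a: n in ("http_port", "https_port") and "ssl-bump" in a)
    bumps = has(lambda n, a: n == "ssl_bump" and a[:1] and a[0] in BUMP_ACTIONS)
    parent = has(lambda n, a: n == "cache_peer" and a[1:2] == ["parent"])
    forced = has(lambda n, a: n == "never_direct" and a[:1] == ["allow"])
    if bump_port and bumps and parent and forced:
        # Squid 3.5.27 logs "Ssl bumped connections through parent proxy are not allowed"
        findings.append("BUMP_VIA_PARENT")
    if has(lambda n, a: n == "sslproxy_cert_error" and a[:1] == ["allow"] and "all" in a[1:]):
        findings.append("CERT_ERRORS_ALLOWED")   # every origin certificate error is ignored
    if has(lambda n, a: n == "sslproxy_flags"
           and "DONT_VERIFY_PEER" in ",".join(a).replace(":", ",").split(",")):
        findings.append("PEER_VERIFY_DISABLED")  # origin certificate is not verified
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```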