My apologies, that config snippet was not correct.

Besides, I've managed to configure it using localport ACLs to detect which port 
the request came in on and bump accordingly. Not sure if this is the best way.

Thanks for listening.

For info for anyone else interested

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl connectport localport 3128
http_port 10.0.0.36:3129 intercept
https_port 10.0.0.36:3130 intercept ssl-bump \
        cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 10.0.0.36:3128 ssl-bump \
        cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
http_access allow localnet
http_access allow localhost
http_access deny all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump bump connectport
ssl_bump peek all
ssl_bump splice all

Cheers

Graham
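To see why the first set of ssl_bump rules (quoted further down: peek at step1, then bump all) bumped the transparent port as well, and why the localport ACL above separates the two ports, here is a small model of Squid's per-step ssl_bump evaluation. This is an added example, not Squid's code and not part of the mailing-list thread. It assumes (simplified from the Squid documentation) that at each SslBump step the first rule whose ACL matches decides the action, that rules whose action makes no sense at the current step (peek/stare at step 3) are skipped, that bump/splice/terminate end the decision while peek continues to the next step, and that an unmatched connection is spliced. Only the ACL types used in the thread (localport, at_step, all) are modelled; the port numbers are the ones from the thread.

```python
# Added example: a toy model of Squid ssl_bump rule evaluation, not Squid itself.
# Model assumptions (labelled; simplified from the Squid ssl_bump documentation):
#  - at each SslBump step the first rule whose ACL matches decides the action;
#  - rules whose action cannot apply at the current step are skipped
#    (peek/stare are meaningless at step 3, after both hellos were seen);
#  - bump, splice and terminate are final; peek continues to the next step;
#  - if no applicable rule matches, the connection is spliced.
from dataclasses import dataclass, field

FINAL_ACTIONS = {"bump", "splice", "terminate"}
BANNED_AT_STEP = {1: set(), 2: set(), 3: {"peek", "stare"}}


@dataclass
class Conn:
    localport: int      # the Squid listening port the client hit (localport acl)
    step: int = 1       # current SslBump step (at_step acl)


@dataclass
class Config:
    acls: dict = field(default_factory=dict)     # name -> (acl type, value)
    ssl_bump: list = field(default_factory=list)  # [(action, acl name)] in file order


def parse(conf: str) -> Config:
    """Read only 'acl' and 'ssl_bump' lines; other directives are ignored."""
    cfg = Config()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            cfg.acls[parts[1]] = (parts[2], parts[3])
        elif parts[0] == "ssl_bump" and len(parts) == 3:
            cfg.ssl_bump.append((parts[1], parts[2]))
    return cfg


def acl_matches(cfg: Config, name: str, conn: Conn) -> bool:
    if name == "all":
        return True
    acl_type, value = cfg.acls[name]
    if acl_type == "localport":
        return conn.localport == int(value)
    if acl_type == "at_step":                     # value looks like "SslBump2"
        return conn.step == int(value.replace("SslBump", ""))
    raise ValueError(f"acl type {acl_type!r} is not modelled here")


def decide(cfg: Config, conn: Conn):
    """Walk steps 1..3; return (per-step trace, final action)."""
    trace = []
    for step in (1, 2, 3):
        conn.step = step
        chosen = "splice"                         # assumed implicit default
        for action, acl in cfg.ssl_bump:
            if action in BANNED_AT_STEP[step]:
                continue
            if acl_matches(cfg, acl, conn):
                chosen = action
                break
        trace.append((step, chosen))
        if chosen in FINAL_ACTIONS:
            break
    return trace, trace[-1][1]


def outcomes(conf: str, ports=(3128, 3130)) -> dict:
    """Final ssl_bump action per listening port for the given config text."""
    cfg = parse(conf)
    return {port: decide(cfg, Conn(port))[1] for port in ports}


# The two rule sets from the thread (copied from the posted configs).
ORIGINAL_RULES = """
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all
"""

FIXED_RULES = """
acl connectport localport 3128
ssl_bump bump connectport
ssl_bump peek all
ssl_bump splice all
"""

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_RULES), ("localport fix", FIXED_RULES)):
        cfg = parse(conf)
        for port in (3128, 3130):
            trace, final = decide(cfg, Conn(port))
            print(f"{label:14} port {port}: {trace} -> {final}")
```

Running it shows the original rules bumping both ports (peek at step 1, then `bump all` matches at step 2 regardless of port), while the localport rules bump 3128 at step 1 and walk 3130 through peek, peek, splice. The model only reasons about rule order; the real check on a running Squid is still to connect to each port and confirm which certificate chain (the Squid CA or the origin's) the client is presented with.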


From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of 
Graham Wharton
Sent: 04 September 2021 11:44
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Configuring SSL Bump on CONNECT, but no SSL Bump on 
Transparent

Hi all,

Squid 3.5.20

I am attempting to configure the following

Port 3128 = Accepts CONNECT requests with SSL Bump for all sites
Port 3129 = HTTP port for transparent proxy
Port 3130 = HTTPS port for transparent proxy - NO SSL Bump, all sites should always TUNNEL

Is the above config possible?

The relevant sections of my config are

#TRANSPARENT
http_port 10.0.0.36:3129
https_port 10.0.0.36:3130

#CONNECT
http_port 10.0.0.36:3128 ssl-bump \
        cert=/etc/squid/ssl_cert/squid-ca-cert.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

#Permissions
http_access allow localnet
http_access allow localhost
http_access deny all

##Steps
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

#Bump Rules
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all

All appears to work correctly, apart from transparent connections for HTTPS. 
These are getting bumped.

According to the logs

2021/09/04 10:38:54.129 kid1| 5,2| TcpAcceptor.cc(218) doAccept: New connection on FD 30
2021/09/04 10:38:54.129 kid1| 5,2| TcpAcceptor.cc(293) acceptNext: connection on local=10.0.0.36:3130 remote=[::] FD 30 flags=41
2021/09/04 10:38:54.129 kid1| 33,2| client_side.cc(3920) httpsSslBumpAccessCheckDone: sslBump needed for local=142.250.187.196:443 remote=10.0.1.254:51928 FD 12 flags=33 method 3

Looking at the code, it would appear that because the destination is ALLOWED 
for the ssl_bump acl, the connection is automatically upgraded to ssl_bump by 
the httpsSslBumpAccessCheckDone function. But this isn't what I want. I want 
ssl_bump to be completely disabled on my transparent proxy; I only want to bump 
connections from clients that have explicitly set their proxy.

Any suggestions on how to overcome this, apart from running two copies of squid?

Thanks in advance

Graham Wharton


_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
