On 23/11/23 23:05, Andrea Venturoli wrote:

I've got the following config:

http_port 8080 ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl step1 at_step SslBump1
ssl_bump splice !bumphosts
ssl_bump splice splicedom
ssl_bump peek step1
ssl_bump bump all

So I've got port 8080, where proxy-aware clients connect, and 3129, which is fed intercepted https connections by ipfw.

Problem is: if a client connects explicitly via the proxy (port 8080) it gets SSL-bumped; if a client simply connects to its destination https port (so it is directed to 3129) it is tunneled.

Anything wrong in my config?

FYI, intercepted traffic first gets interpreted as a CONNECT tunnel to the TCP dst-IP:port and processed by http_access to see if the client is allowed to make that type of connection.

To guess based on the info provided above, I suspect that the fake-CONNECT raw IP does not match your "bumphosts" ACL test, causing that "ssl_bump splice !bumphosts" to occur.

That behaviour is why we typically recommend doing "peek" first, then the splice checks can be based on whatever TLS SNI value is found.

For further assistance please also show your http_access and ACL config lines. They will be needed for a better analysis of what is going on.

I think it worked in the past: has anything changed in this regard with Squid 6?

Changed since what version? Over time a lot of small changes can add up to large differences.
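The ordering the reply recommends (peek before any domain-based splice decision), written out as an added example that is not from the thread. The "bumphosts" and "splicedom" ACL definitions are assumed placeholders, since the original message does not show them:

```conf
# Assumed ACL definitions (placeholders; the thread does not show the real ones)
acl bumphosts dstdomain .bump-me.example
acl splicedom dstdomain .splice-me.example

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: for intercepted traffic only the raw destination IP is known at this
# point, so a dstdomain ACL tested here would be matched against the IP, not a
# hostname. Peek first to read the TLS ClientHello (and its SNI) before deciding.
ssl_bump peek step1

# Step 2: the SNI is now available, so dstdomain ACLs are evaluated against the
# requested server name. Explicit (8080) and intercepted (3129) traffic now take
# the same decision path.
ssl_bump splice !bumphosts
ssl_bump splice splicedom
ssl_bump bump all
```

Run `squid -k parse` after editing to confirm the file is accepted before reloading; note that the bump/splice decision is now taken at step 2, so do not add a further "peek" at step 2 if you intend to bump, since bumping after peeking the server side is not possible.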

squid-users mailing list
