Ken Cunningham wrote:

> I have finally found and followed a webmin walkthrough on setting up squid on
> Ubuntu that worked
> <https://doxfer.webmin.com/Webmin/Squid_Basic_Configuration>
> and thereby sorted out how to use squid as an http and https proxy server for all the web
> traffic between the internal network and the outside web, and that now works
> fine.
>
> However, it seems to just create tunnels and routes existing packets, so the
> SSL/TLS level remains the same. It doesn't actually step in the middle (which
> I guess is a good security feature).
>
> There is a squid feature called "ssl bumping" which seems at least partway to
> stepping in the middle. I'm not sure if it will actually do the SSL
> translation I am looking for to a higher TLS level, or whether it just reads
> the packets and logs them for the employer to keep tabs on employees, but
> it's a step in the right direction I think.
Yes, ssl_bump is exactly the setting you want. See the docs:
<http://www.squid-cache.org/Versions/v4/cfgman/ssl_bump.html>

There are a few modes of operation you can choose from. The ones of interest for systems that don't support modern TLS versions closely resemble a MITM attack, so clients will of course complain loudly about invalid certificates unless you configure them to trust the proxy.

- Josh
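For reference, here is a minimal squid.conf fragment for the "bump" mode Josh describes, where Squid terminates the client's TLS session itself and opens a new, modern TLS session to the origin server. This is an added example, not part of the original thread or of the Squid project's own documentation; the certificate and database paths (`/etc/squid/proxy-ca.pem`, `/var/lib/squid/ssl_db`) and the `nobump` domain list are placeholders you would replace with your own.

```squid
# Listening port with SSL-Bump enabled. The proxy CA at proxy-ca.pem is an
# assumed path; its public certificate must be installed as trusted on every
# client, otherwise clients will (correctly) reject the forged certificates.
http_port 3128 ssl-bump \
    cert=/etc/squid/proxy-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates signed by the proxy CA.
# The ssl_db directory (assumed path) must be initialised beforehand with:
#   security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Sites that must never be intercepted (e.g. banking, pinned apps).
# Placeholder list; fill in your own.
acl nobump ssl::server_name .example-bank.test

# Step 1: peek at the ClientHello (TLS SNI) without touching the session,
# so the server name is known before deciding what to do.
acl step1 at_step SslBump1
ssl_bump peek step1

# Leave the exempt sites as an opaque tunnel (end-to-end TLS unchanged).
ssl_bump splice nobump

# Everything else: terminate TLS here and re-originate it toward the server.
ssl_bump bump all

# The proxy-to-origin side uses modern TLS regardless of what the legacy
# client negotiated with the proxy, which is the "translation" asked about.
tls_outgoing_options min-version=1.2

# Keep the usual access controls; bumping does not replace them.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
```

Two operational points follow from this configuration. First, the proxy CA's private key is now the trust root for every intercepted site on the network, so it should be kept with the same care as any internal CA key and rotated on a schedule. Second, Squid's access log will record the decrypted request URLs for bumped sites, so decide deliberately what is logged and who can read those logs.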
