Re: [squid-users] Only checking URLs via Squid for SSL

2014-08-24 Thread Eliezer Croitoru
The same effect will happen in the case where the Common Name on the 
certificate is invalid and includes all sorts of unrecognized characters 
such as "*".


Eliezer

On 08/24/2014 02:29 PM, Amos Jeffries wrote:

If the browser does not trust the signing CA it will warn.

Amos




Re: [squid-users] Only checking URLs via Squid for SSL

2014-08-24 Thread Amos Jeffries
On 24/08/2014 9:32 p.m., Nicolás wrote:
> Hi Amos,
> 
> On 24/08/2014 0:52, Amos Jeffries wrote:
>> On 24/08/2014 1:00 a.m., Nicolás wrote:
>>> Hi,
>>>
>>> I'm using Squid 3.3.8 as a transparent proxy; it works fine with HTTP,
>>> but I'd like to avoid caching HTTPS sites, and just determine whether
>>> the requested URL is listed as denied on Squid (via 'acl dstdom_regex'
>>> for instance), otherwise just make squid act as a proxy to the URL's
>>> content. Is that even possible without using SSL Bump? Otherwise, could
>>> you recommend the simplest way of achieving this?
>>>
>> No it is only possible with bumping. For transparent interception of
>> port 443 (HTTPS) use squid-3.4 with server-first bumping at minimum,
>> preferably squid-3.5 with peek-n-splice when it comes out.
>>
>> If you bump and still do not want to cache for some reason the cache
>> access control can be used like so:
>>
>>acl HTTPS proto HTTPS
>>cache deny HTTPS
>>
>>
>> Amos
>>
> 
> I finally installed Squid 3.4.6 from source with --enable-ssl and
> --enable-ssl-crtd options and put the corresponding configuration line
> for ssl-bump:
> 
> https_port 0.0.0.0:3130 intercept ssl-bump cert=/opt/certs/server.crt key=/opt/certs/server.key
> 
> This cert is self-signed and evidently it produces the
> 'sec_error_untrusted_issuer' error on the clients' browsers. Would that
> warning disappear if I used a recognized CA to sign that cert that would
> match the Squid box's FQDN, or is the installation of the autosigned
> cert on every client's browser the only option here?

If the browser does not trust the signing CA it will warn.

Amos
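The point behind Amos's one-line answer, worked through as an added example that is not part of the thread: with ssl-bump the client never sees the real site certificate, it sees one Squid mints on the fly and signs with the CA given in cert=/key=, so the browser's check is simply "is that signing CA in my trust store?". No publicly trusted CA will issue a certificate able to sign other certificates to a private proxy, so the warning goes away only once the bumping CA is installed in every client's store. The script below needs the openssl command line tool; the CA names, the host www.example.com and the temporary paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): build a throwaway bumping
# CA, mint a per-site certificate the way Squid's ssl_crtd would, and let
# "openssl verify" stand in for the browser, which only accepts the leaf
# when the signing CA is in the trust store it is handed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder, overridden by -subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# new_ca NAME: self-signed CA certificate and key at $WORK/NAME.crt / .key
new_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# mint_leaf HOST CA: what ssl_crtd does for every bumped site: a certificate
# for HOST signed by CA's key, so the client sees CA as issuer, not the
# site's real CA.
mint_leaf() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$1" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/openssl.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# client_trusts LEAF STORE: succeeds if LEAF chains to a CA in STORE, which
# is the decision behind Firefox's sec_error_untrusted_issuer.
client_trusts() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# issuer_of LEAF: the issuer name the browser would show in the warning.
issuer_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -issuer
}

new_ca squid-ca         # the CA Squid is started with (cert=/key=)
new_ca unrelated-ca     # stands in for a client store that lacks squid-ca
mint_leaf www.example.com squid-ca

issuer_of www.example.com
if client_trusts www.example.com squid-ca; then
  echo "store with squid-ca: accepted (what an enrolled client sees)"
fi
if ! client_trusts www.example.com unrelated-ca; then
  echo "store without squid-ca: rejected (untrusted issuer warning)"
fi
```

Deploying squid-ca.crt to the clients' trust stores is therefore the fix, not changing the FQDN or the Squid box's own certificate; the leaf the browser inspects carries the visited site's name, not the proxy's.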


Re: [squid-users] Only checking URLs via Squid for SSL

2014-08-24 Thread Nicolás

Hi Amos,

On 24/08/2014 0:52, Amos Jeffries wrote:
> On 24/08/2014 1:00 a.m., Nicolás wrote:
>> Hi,
>>
>> I'm using Squid 3.3.8 as a transparent proxy; it works fine with HTTP,
>> but I'd like to avoid caching HTTPS sites, and just determine whether
>> the requested URL is listed as denied on Squid (via 'acl dstdom_regex'
>> for instance), otherwise just make squid act as a proxy to the URL's
>> content. Is that even possible without using SSL Bump? Otherwise, could
>> you recommend the simplest way of achieving this?
>>
> No it is only possible with bumping. For transparent interception of
> port 443 (HTTPS) use squid-3.4 with server-first bumping at minimum,
> preferably squid-3.5 with peek-n-splice when it comes out.
>
> If you bump and still do not want to cache for some reason the cache
> access control can be used like so:
>
>    acl HTTPS proto HTTPS
>    cache deny HTTPS
>
> Amos



I finally installed Squid 3.4.6 from source with --enable-ssl and 
--enable-ssl-crtd options and put the corresponding configuration line 
for ssl-bump:


https_port 0.0.0.0:3130 intercept ssl-bump cert=/opt/certs/server.crt key=/opt/certs/server.key


This cert is self-signed and evidently it produces the 
'sec_error_untrusted_issuer' error on the clients' browsers. Would that 
warning disappear if I used a recognized CA to sign that cert that would 
match the Squid box's FQDN, or is the installation of the autosigned 
cert on every client's browser the only option here?


Thanks!


Re: [squid-users] Only checking URLs via Squid for SSL

2014-08-23 Thread Amos Jeffries
On 24/08/2014 1:00 a.m., Nicolás wrote:
> Hi,
> 
> I'm using Squid 3.3.8 as a transparent proxy; it works fine with HTTP,
> but I'd like to avoid caching HTTPS sites, and just determine whether
> the requested URL is listed as denied on Squid (via 'acl dstdom_regex'
> for instance), otherwise just make squid act as a proxy to the URL's
> content. Is that even possible without using SSL Bump? Otherwise, could
> you recommend the simplest way of achieving this?
> 

No it is only possible with bumping. For transparent interception of
port 443 (HTTPS) use squid-3.4 with server-first bumping at minimum,
preferably squid-3.5 with peek-n-splice when it comes out.

If you bump and still do not want to cache for some reason the cache
access control can be used like so:

  acl HTTPS proto HTTPS
  cache deny HTTPS


Amos
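Amos's advice assembled into a squid.conf fragment for a 3.4 build like the one Nicolás describes (--enable-ssl --enable-ssl-crtd). This is an added example, not configuration from the thread or from the Squid project; the directives are Squid 3.4's, but the ssl_crtd location, the certificate database path, the denylist file and the client address range are assumptions for a default ./configure prefix of /usr/local/squid.

```conf
# Added example: squid-3.4 transparent HTTPS interception with server-first
# bumping, a dstdom_regex denylist, and no caching of HTTPS.
# Paths marked ASSUMED are not from the thread; adjust to the install prefix.

# Port receiving traffic redirected from TCP/443 (the iptables REDIRECT rule
# that sends it here is assumed to be in place).  With
# generate-host-certificates=on, cert=/key= is the CA Squid signs the
# per-site certificates with, so this is the certificate clients must trust.
https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/certs/server.crt key=/opt/certs/server.key

# Helper that mints and caches the mimicked certificates (--enable-ssl-crtd).
# ASSUMED paths; initialise the database once with:
#   /usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

# 3.4's mode: connect to the origin first, then mimic its certificate.
ssl_bump server-first all

# Denylist of domains, one regex per line, e.g.  (^|\.)badsite\.example$
# Once the connection is bumped the real request (with its Host) is checked
# here, so Squid can return an error page inside the TLS connection.
acl blocked_sites dstdom_regex -i "/usr/local/squid/etc/blocked_domains.regex"   # ASSUMED path
http_access deny blocked_sites

# Everything else from local clients is simply proxied.  ASSUMED range.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all

# Decrypted for filtering, but never stored (Amos's suggestion).
acl HTTPS proto HTTPS
cache deny HTTPS
```

The denylist is applied to the decrypted requests, which is exactly what bumping buys here; without it Squid only ever sees the destination IP of a CONNECT-style tunnel, which is why Amos says the filtering is "only possible with bumping".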



[squid-users] Only checking URLs via Squid for SSL

2014-08-23 Thread Nicolás

Hi,

I'm using Squid 3.3.8 as a transparent proxy; it works fine with HTTP, 
but I'd like to avoid caching HTTPS sites, and just determine whether 
the requested URL is listed as denied on Squid (via 'acl dstdom_regex' 
for instance), otherwise just make squid act as a proxy to the URL's 
content. Is that even possible without using SSL Bump? Otherwise, could 
you recommend the simplest way of achieving this?


Thanks