Re: [squid-users] Only checking URLs via Squid for SSL

2014-08-25 Thread Eliezer Croitoru
The same effect will happen in a case that the Common Name on the 
certificate is invalid and includes all sorts of unrecognized characters 
such as *.


Eliezer

On 08/24/2014 02:29 PM, Amos Jeffries wrote:

If the browser does not trust the signing CA it will warn.

Amos




Re: [squid-users] Only checking URLs via Squid for SSL

2014-08-24 Thread Amos Jeffries
On 24/08/2014 9:32 p.m., Nicolás wrote:
 Hi Amos,
 
 On 24/08/2014 0:52, Amos Jeffries wrote:
 On 24/08/2014 1:00 a.m., Nicolás wrote:
 Hi,

 I'm using Squid 3.3.8 as a transparent proxy, it works fine with HTTP,
 but I'd like to avoid caching HTTPS sites, and just determine whether
 the requested URL is listed as denied on Squid (via 'acl dstdom_regex'
 for instance), otherwise just make squid act as a proxy to the URL's
 content. Is that even possible without using SSL Bump? Otherwise, could
 you recommend the simplest way of achieving this?

 No it is only possible with bumping. For transparent interception of
 port 443 (HTTPS) use squid-3.4 with server-first bumping at minimum,
 preferably squid-3.5 with peek-n-splice when it comes out.

 If you bump and still do not want to cache for some reason the cache
 access control can be used like so:

   acl HTTPS proto HTTPS
   cache deny HTTPS


 Amos

 
 I finally installed Squid 3.4.6 from source with --enable-ssl and
 --enable-ssl-crtd options and put the corresponding configuration line
 for ssl-bump:
 
 https_port 0.0.0.0:3130 intercept ssl-bump
 cert=/opt/certs/server.crt key=/opt/certs/server.key
 
 This cert is self-signed and evidently it produces the
 'sec_error_untrusted_issuer' error on the clients' browsers. Would that
 warning disappear if I used a recognized CA to sign that cert that would
 match the Squid box's FQDN, or is the installation of the self-signed
 cert on every client's browser the only option here?

If the browser does not trust the signing CA it will warn.

Amos


Re: [squid-users] Only checking URLs via Squid for SSL

2014-08-23 Thread Amos Jeffries
On 24/08/2014 1:00 a.m., Nicolás wrote:
 Hi,
 
 I'm using Squid 3.3.8 as a transparent proxy, it works fine with HTTP,
 but I'd like to avoid caching HTTPS sites, and just determine whether
 the requested URL is listed as denied on Squid (via 'acl dstdom_regex'
 for instance), otherwise just make squid act as a proxy to the URL's
 content. Is that even possible without using SSL Bump? Otherwise, could
 you recommend the simplest way of achieving this?
 

No it is only possible with bumping. For transparent interception of
port 443 (HTTPS) use squid-3.4 with server-first bumping at minimum,
preferably squid-3.5 with peek-n-splice when it comes out.

If you bump and still do not want to cache for some reason the cache
access control can be used like so:

  acl HTTPS proto HTTPS
  cache deny HTTPS


Amos
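The pieces discussed in this thread (intercepting https_port with ssl-bump, a dstdom_regex denylist, and the cache deny for HTTPS) put together in one squid.conf fragment. This is an added illustration, not configuration posted by Amos or Nicolás; the ssl_crtd path, database path, port and regex file name are assumed placeholders, and the directive syntax is the Squid 3.4 server-first form that the answer above recommends.

```conf
# Squid 3.4, server-first bumping: deny listed domains, never cache HTTPS.
# Assumed placeholders: helper and database paths, port 3130, the regex file.

# Per-host certificate generation requires a build with --enable-ssl-crtd
# (as in this thread). Paths are placeholders; adjust to your install.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Port 443 traffic is redirected here by the firewall (NAT rule not shown).
# Browsers only accept the generated certificates if the CA behind
# server.crt is in their trust store, as Amos notes above.
https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on cert=/opt/certs/server.crt key=/opt/certs/server.key

# Bump every intercepted TLS connection so the request URL is visible
# to the access controls below.
ssl_bump server-first all

# Denylist: one regular expression per line, e.g.  (^|\.)example\.invalid$
acl denied_sites dstdom_regex "/etc/squid/denied_domains.regex"
http_access deny denied_sites

# Keep all HTTPS responses out of the cache (from the answer above).
acl HTTPS proto HTTPS
cache deny HTTPS
```

Run `squid -k parse` after editing to confirm the directives are accepted by your build before reloading.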