On 16/08/18 19:34, David Touzeau wrote:
> Thanks Amos for details.
> 
> Working like a charm now.
> 
> Instead of sending https://192.168.1.122:443/myguard.php?rule-id=0&;.... 
> 
> Helper sends 192.168.1.122:443 
> 

That is only useful if the server at that IP:port can present the client
with a TLS certificate valid for the server the client thinks it is
connected to, i.e. all the SSL-Bump equivalent logic is in that server.

In which case there is likely no point to having the traffic NAT'ed to
Squid. Just have your NAT and/or routing send it directly into that server.

> 
> "url_rewrite_access deny CONNECT" is not a solution because everything 
> is using SSL today (thanks to Google, which wants to encrypt all the Net and make 
> proxies/Firewalls/ICAP unusable) and many Porn/Malware/Hacking/Hacked 
> websites are using SSL.
> 

If you are SSL-Bump'ing in Squid then you need to not rewrite the
initial CONNECT message (or two) - doing so will interfere with the server
that bumping is interacting with.

IIRC the at_step ACL type can be used in the *_access rules as well to
skip ("deny CONNECT foo") the helper query until the ssl_bump processing
is expected to be completed.

Amos
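As an added illustration of the point above (this fragment is not from the thread and not Squid's own documentation), here is a squid.conf snippet that keeps the URL-rewrite helper away from the CONNECT tunnel while Squid still bumps it, so the helper only ever sees the decrypted requests. It assumes an intercept https_port with ssl-bump is already configured for the NAT'ed traffic; the helper path is a placeholder.

```conf
# Added example, not from the thread. Assumes an existing intercept
# https_port ... ssl-bump line; the helper path below is a placeholder.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Peek at the TLS ClientHello first (yields the SNI), then bump everything.
ssl_bump peek step1
ssl_bump bump all

url_rewrite_program /usr/local/bin/myguard-helper    # placeholder path

# Broken variant: with this line the helper also rewrites the CONNECT
# target to 192.168.1.122:443, so the bump code ends up talking to the
# guard box instead of the origin and the client sees a certificate for
# the wrong name. Kept commented out on purpose.
#   url_rewrite_access allow all

# Working variant: leave the initial CONNECT (and the fake CONNECTs that
# the later bump steps reuse) alone. The decrypted GET/POST requests that
# follow a successful bump are not CONNECT, so they still reach the helper,
# which can redirect them to https://192.168.1.122:443/myguard.php?... .
url_rewrite_access deny CONNECT
url_rewrite_access allow all
```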
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users