On 07/28/2013 05:21 PM, Amos Jeffries wrote:
> On 29/07/2013 2:30 a.m., Eliezer Croitoru wrote:
>> On 07/28/2013 03:37 PM, csn233 wrote:
>>> To intercept HTTPS traffic, is SSL-bump a must? Even when I only want
>>> to record the CONNECT traffic in access.log just like a normal forward
>>> proxy without decrypting anything?
>>>
>>> Is this any different with TPROXY?
>>>
>> Indeed SSL-bump is a must.
>> You will be able to record the CONNECT traffic when using:
>> "sslbump deny all" like acl.

   ssl_bump none all

You will not be decrypting or bumping any traffic with this, but you
will be using a little bit of code introduced by the SslBump-related
projects.


> Beyond the minor fact that there should be *no* CONNECT traffic on
> intercepted port 80 or port 443 because CONNECT is a client-to-proxy
> request method - which should only be seen on port 3128 or similar HTTP
> proxy ports.

To be more precise, there are actually a few CONNECT requests inside
real-world intercepted traffic, but a non-bumping Squid which assumes
that the traffic is SSL will not see any of those CONNECTS as it will
blindly forward them to where they were going.


> The current releases of Squid (3.3.8 and 3.4.0.1) should take
> intercepted port-443 traffic and relay it untouched if there is no
> decrypting done. They may convert it into a CONNECT if the traffic needs
> relaying to a cache_peer, but otherwise it is just tunneled along to the
> original destination server.

Please note that tunneling intercepted but not bumped traffic through
cache_peers (via CONNECT) is officially supported only in v3.4 (added as
trunk r12905 dated 2013-06-10).


HTH,

Alex.
