Hi Amos,

El 24/08/2014 0:52, Amos Jeffries escribió:
On 24/08/2014 1:00 a.m., Nicolás wrote:

I'm using Squid 3.3.8 as a transparent proxy, it works fine with HTTP,
but I'd like to avoid cacheing HTTPS sites, and just determine whether
the requested URL is listed as denied on Squid (via 'acl dstdom_regex'
for instance), otherwise just make squid act as a proxy to the URL's
content. Is that even possible without using SSL Bump? Otherwise, could
you recommend the simplest way of achieving this?

No it is only possible with bumping. For transparent interception of
port 443 (HTTPS) use squid-3.4 with server-first bumping at minimum,
preferrably squid-3.5 with peek-n-splice when it comes out.

If you bump and still do not want to cache for some reason the cache
access control can be used like so:

   acl HTTPS proto HTTPS
   cache deny HTTPS


I finally installed Squid 3.4.6 from source with --enable-ssl and --enable-ssl-crtd options and put the corresponding configuration line for ssl-bump:

https_port intercept ssl-bump cert=/opt/certs/server.crt key=/opt/certs/server.key

This cert is self-signed and evidently it produces the 'sec_error_untrusted_issuer' error on the clients' browsers. Would that warning desappear if I used a recognized CA to sign that cert that would match the Squid box's FQDN, or is the installation of the autosigned cert on every client's browser the only option here?


Reply via email to