Re: [squid-users] Transparent HTTP Proxy and SSL-BUMP feature

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 03 Dec 2011 05:25:47 +1300

On 3/12/2011 1:02 a.m., Maret Ludovic wrote:
> Hi there !
>
> I want to configure a transparent proxy for HTTP and SSL. HTTP works
> pretty well but I'm stuck with SSL even if I use the ssl-bump feature.
>
> Right now, it almost works if I use two different ports for the http_port
> & https_port:
>
> http_port 3129 transparent
> https_port 3130 ssl-bump cert=/etc/squid/ssl_cert/partproxy01-test.pem
> key=/etc/squid/ssl_cert/private/partproxy01-key-test.pem
>
> HTTP is OK. I get the warning about a probable man-in-the-middle attack
> when I try to access an SSL web site. I just added an exception, and
> then I get an error: Invalid URL
>
> In the logs, i found :
>
> 1322820580.454 0 10.194.2.63 NONE/400 3625 GET /pki - NONE/- text/html
>
> When I tried to access https://www.switch.ch/pki
> Apparently, Squid cuts the URL and removes the host.domain part…

No, Squid is not doing anything, that is the problem.
This is how HTTP client->origin request URLs look. The client agent
thinks it is talking directly to the origin, so it uses the partial URL
format. This is part of what the "transparent" or "intercept" flags make
Squid know to look out for and fix up.

>
> When I tried to use the CONNECT method and ssl-bump on http_port, I get an
> error in the browser: "ssl_error_rx_record_too_long" or
> "ERR_SSL_PROTOCOL_ERROR"
>
> Any clues ?

Somewhere in the OpenSSL documentation lies the meaning of those error
messages.

Amos
Received on Fri Dec 02 2011 - 16:25:56 MST
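The point Amos makes above, shown as an added example that is not part of the list thread and not Squid's own code: an intercepted browser sends an origin-form request-target ("GET /pki") because it believes it is talking to the origin, while a proxy-aware browser sends an absolute-form target ("GET http://host/pki"). A port in intercept mode has to rebuild the absolute URL from the Host header; a plain forward-proxy port cannot, and an origin-form target there is a malformed proxy request, which is what the NONE/400 "Invalid URL" log line reflects. The request bytes, the function names and the InvalidURL class are constructed for this example.

```python
"""
Added example (not from the Squid list post and not Squid source):
origin-form vs absolute-form request-targets, and the Host-header
fix-up an intercept-mode port performs.  All sample requests below
are constructed for this example.
"""

# Constructed sample: what a browser sends when it believes it is
# talking to the origin directly (origin-form request-target,
# RFC 7230 section 5.3.1).  This is what an intercepted port sees.
INTERCEPTED = (
    b"GET /pki HTTP/1.1\r\n"
    b"Host: www.switch.ch\r\n"
    b"User-Agent: example-client\r\n"
    b"\r\n"
)

# Constructed sample: what a browser configured to use a proxy sends
# (absolute-form request-target, RFC 7230 section 5.3.2).
PROXIED = (
    b"GET http://www.switch.ch/pki HTTP/1.1\r\n"
    b"Host: www.switch.ch\r\n"
    b"\r\n"
)

# Constructed sample: an intercepted request with no Host header,
# so there is nothing to rebuild the URL from.
NO_HOST = b"GET /pki HTTP/1.0\r\n\r\n"


class InvalidURL(ValueError):
    """Analogue of the NONE/400 'Invalid URL' response in the log line."""


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, version, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def absolute_url(raw: bytes, intercept: bool, scheme: str = "http") -> str:
    """Return the absolute URL a proxy should act on for this request.

    intercept=True models a port with the intercept/transparent flag:
    an origin-form target is expected and is completed from Host.
    intercept=False models an ordinary forward-proxy port, where a
    client must already send absolute-form and origin-form is an error.
    scheme is "https" for traffic arriving on a bumped https port.
    """
    _method, target, _version, headers = parse_request(raw)
    if target.startswith("http://") or target.startswith("https://"):
        # absolute-form: proxy-aware client, nothing to fix up
        return target
    if not target.startswith("/"):
        raise InvalidURL("unsupported request-target %r" % target)
    if not intercept:
        # Forward-proxy port: the proxy has no way to know the origin,
        # so the request is rejected rather than guessed at.
        raise InvalidURL("origin-form target %r on a forward-proxy port" % target)
    host = headers.get("host")
    if not host:
        raise InvalidURL("intercepted request carries no Host header")
    # Intercept mode: rebuild the URL the client thinks it requested.
    # Note this trusts the client-supplied Host header; see usage note.
    return "%s://%s%s" % (scheme, host, target)


def rejected(raw: bytes, intercept: bool, scheme: str = "http") -> bool:
    """True when absolute_url() would answer this request with 'Invalid URL'."""
    try:
        absolute_url(raw, intercept, scheme)
    except InvalidURL:
        return True
    return False


if __name__ == "__main__":
    print(absolute_url(INTERCEPTED, intercept=True, scheme="https"))
    print(absolute_url(PROXIED, intercept=False))
    print(rejected(INTERCEPTED, intercept=False))
```

Running the intercepted sample through the forward-proxy branch reproduces the failure mode in the log line (origin-form "/pki" rejected), while the intercept branch yields https://www.switch.ch/pki. One caveat a practitioner should keep in mind: the rebuilt URL rests entirely on the client-supplied Host header, which an attacker-controlled client can set to anything. Later Squid releases therefore cross-check Host against the original destination address of the intercepted connection; an interception setup that skips such a check turns the proxy into an open relay for whatever Host the client names.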