On 07/28/2013 05:21 PM, Amos Jeffries wrote:
> On 29/07/2013 2:30 a.m., Eliezer Croitoru wrote:
>> On 07/28/2013 03:37 PM, csn233 wrote:
>>> To intercept HTTPS traffic, is SSL-bump a must? Even when I only want
>>> to record the CONNECT traffic in access.log just like a normal forward
>>> proxy without decrypting anything?
>>>
>>> Is this any different with TPROXY?
>>>
>> Indeed SSL-bump is a must..
>> You will be able to record the CONNECT traffic when using:
>> "sslbump deny all" like acl.
ssl_bump none all
You will not be decrypting or bumping any traffic with this, but you
will be using a little bit of code introduced by the SslBump-related
projects.
> Beyond the minor fact that there should be *no* CONNECT traffic on
> intercepted port 80 or port 443 because CONNECT is a client-to-proxy
> request method - which should only be seen on port 3128 or similar HTTP
> proxy ports.
To be more precise, there are actually a few CONNECT requests inside
real-world intercepted traffic, but a non-bumping Squid which assumes
that the traffic is SSL will not see any of those CONNECTS as it will
blindly forward them to where they were going.
> The current releases of Squid (3.3.8 and 3.4.0.1) should take
> intercepted port-443 traffic and relay it untouched if there is no
> decrypting done. They may convert it into a CONNECT if the traffic needs
> relaying to a cache_peer, but otherwise it is just tunneled along to the
> original destination server.
Please note that tunneling intercepted but not bumped traffic through
cache_peers (via CONNECT) is officially supported only in v3.4 (added as
trunk r12905 dated 2013-06-10).
HTH,
Alex.
Received on Mon Jul 29 2013 - 01:29:15 MDT
This archive was generated by hypermail 2.2.0 : Mon Jul 29 2013 - 12:00:33 MDT