Re: [squid-users] Squid SSL Bump transparently CONNECT for another proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 08 Jun 2014 14:20:50 +1200

On 8/06/2014 10:03 a.m., Jatin Bhasin wrote:
> Hello,
>
> 1) I have to bump the SSL request because I want to pass the decrypted
> traffic to the eCap adapter so that I can look for viruses in the
> traffic and block them if found.
>
> 2) I cannot introduce Proxy1 in the client browser. The only option I
> have is PROXY1 sitting in the middle of Client and PROXY2 and then
> PROXY1 should decrypt the traffic and send it to the ecap adapter for
> virus checking and block them.

Okay so far so good.

Use intercept rules in the PROXY1 machine's networking stack *without*
the intercept flag in squid.conf. PROXY1 does not have to do any network
level un-NAT hacks to process requests destined explicitly to itself or
any other HTTP proxy.

You may encounter problems getting the decoded traffic back to PROXY2
though. The released Squid versions do not yet generate CONNECT requests
for upstream unless one is intercepting port 443 traffic and *bypassing*
the ssl-bump. PROXY1 will try to use port 443 HTTPS itself.

Amos
Received on Sun Jun 08 2014 - 02:21:04 MDT
