[squid-users] Capabilities of Squid as SSL MITM�

From: A G <utopian201_at_hotmail.com>
Date: Fri, 22 Jun 2012 04:34:55 +1200

Hi
I am trying to set up squid as a transparent ssl mitm proxy. The
users behind the proxy understand they have no expectation of privacy.
Also each computer behind the proxy has trusted the organisation
certificate.

After several days of research, what I would like to know is:
1. http_port intercept means squid will place its own ip in the packet sent to the destination. Is this correct?

2. http_port tproxy means squid will preserve the client's ip in the packet sent to the destination, is this correct?

3.
 Does ssl bump work only with CONNECT messages? ie clients must have
their browser set to use squid as a proxy. But
http://wiki.squid-cache.org/Features/SslBump also says it can mitm
transparently redirected SSL traffic. So ssl bump works in
'transparent/intercept' mode; I have seen many guides such as
http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/
 combining ssl bump with transparent/intercept.

4. What is the
point of using http_port (xyz) ssl-bump if port xyz cannot receive ssl
traffic? Wouldn't ssl-bump ONLY be used with https_port, not http_port?

5.
 After all this, is it possible to use tproxy with ssl-bump? That is, do
 SSL man in the middle whilst preserving the client's IP address? The
clients have all trusted the organisation CA that will be used by Squid.
 
http://squid-web-proxy-cache.1019090.n4.nabble.com/about-https-support-for-transparent-proxy-td1048478.html
 says it can't, but this message was from three years ago.

All of
 the examples I have seen use intercept with ssl-bump, not with tproxy.
Or are there other options (squid or otherwise) which will allow
transparent/tproxy ssl proxying?

Thanks
Received on Thu Jun 21 2012 - 16:35:02 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 22 2012 - 12:00:03 MDT