Proxy Chaining with ssl_bump


Proxy Chaining with ssl_bump

chgerber
I have a squid 3.5 as forward proxy that does ssl_bump by default.
Some traffic I need to forward in addition to a second proxy by proxy
chaining. The following configuration works for HTTP traffic but not
with HTTPS. I found out through
https://www.spinics.net/lists/squid/msg84767.html that this is because
Squid 3.5 is not capable of doing ssl_bump + proxy chaining because
the first proxy in the chain won't send a CONNECT after ssl_bump was
performed. My question is:

1. Is this finding still up-to-date, saying that Squid 3.5 does not
support ssl_bump + proxy chaining? How is it for Squid 4?

squid.conf snippet doing proxy chaining:

ssl_bump bump group_default
acl forward_group dstdomain .dropbox.com
cache_peer forward.domain.com parent 8080 0 no-query default
cache_peer_access forward.domain.com allow forward_group
never_direct allow forward_group
never_direct deny all


--
Christof Gerber
Email: [hidden email]
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Proxy Chaining with ssl_bump

Amos Jeffries
On 6/12/18 1:03 am, Christof Gerber wrote:

> I have a squid 3.5 as forward proxy that does ssl_bump by default.
> Some traffic I need to forward in addition to a second proxy by proxy
> chaining. The following configuration works for HTTP traffic but not
> with HTTPS. I found out through
> https://www.spinics.net/lists/squid/msg84767.html that this is because
> Squid 3.5 is not capable of doing ssl_bump + proxy chaining because
> the first proxy in the chain won't send a CONNECT after ssl_bump was
> performed. My question is:
>
> 1. Is this finding still up-to-date, saying that Squid 3.5 does not
> support ssl_bump + proxy chaining? How is it for Squid 4?

The situation is better and constantly being improved. But the official
releases are still not doing CONNECT to upstream peers in the case where
traffic is fully decrypted by the first proxy. Only the cases where
decryption is avoided with splice or on_unsupported_protocol tunnel.

IIRC Measurement Factory had an experimental git branch to add CONNECT
over non-TLS/SSL peers. I'm not sure what the status is on that now; it
has not been submitted for merge auditing yet.

Amos
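Added example, not from the thread or from the Squid project: a squid.conf variant that follows from Amos's statement that only undecrypted (spliced) traffic is sent to an upstream peer with CONNECT. The peer-bound domain is excluded from bumping at step 1, so the client's CONNECT is relayed to forward.domain.com unchanged; the domain, peer name and port are the ones from the original snippet, the `deny all` peer rule and the explicit step1 ACL are assumptions about the rest of the poster's configuration.

```conf
# Added example: splice peer-bound traffic instead of bumping it,
# based on the reply above (only spliced traffic gets a CONNECT to
# the peer in official Squid 3.5/4). Not the original poster's config.

acl step1 at_step SslBump1
acl forward_group dstdomain .dropbox.com

# Decide on the explicit CONNECT itself (step 1), before any peek, so
# Squid never opens its own TLS connection to these origins and the
# client's CONNECT can be forwarded to the parent as-is.
ssl_bump splice step1 forward_group

# Everything else keeps the original behaviour: decrypted locally.
# group_default is the ACL from the original snippet, defined elsewhere.
ssl_bump bump group_default

cache_peer forward.domain.com parent 8080 0 no-query default
cache_peer_access forward.domain.com allow forward_group
cache_peer_access forward.domain.com deny all   # assumption: peer only for this group
never_direct allow forward_group
never_direct deny all
```

The trade-off is that the first proxy no longer sees the plaintext of the spliced domains; only the CONNECT line (host and port) is visible to it and to the parent, so any content inspection for those destinations has to happen on the parent or not at all.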

Re: Proxy Chaining with ssl_bump

Alex Rousskov
On 12/5/18 5:03 AM, Christof Gerber wrote:
> I found out through
> https://www.spinics.net/lists/squid/msg84767.html that this is because
> Squid 3.5 is not capable of doing ssl_bump + proxy chaining

> 1. Is this finding still up-to-date, saying that Squid 3.5 does not
> support ssl_bump + proxy chaining? How is it for Squid 4?

Forwarding most SslBump-related connections to peers is still
unsupported in official Squids, including Squid v3 and v4. Unofficial
Factory code that implements this feature is available for testing at

https://github.com/measurement-factory/squid/tree/SQUID-360-peering-for-SslBump

Alex.