Question regarding TPROXY and sslBump


Question regarding TPROXY and sslBump

Felipe Arturo Polanco
Hi,

Can squid running in TPROXY mode intercept and decrypt HTTPS payload with sslBump?

This is for an in-line Layer 2 proxy application.

Thanks,

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Question regarding TPROXY and sslBump

Amos Jeffries
Administrator
On 15/02/20 10:28 am, Felipe Polanco wrote:
> Hi,
>
> Can squid running in TPROXY mode intercept and decrypt HTTPS payload
> with sslBump?
>

Maybe. It can do so about as well as NAT intercept mode can.

Whether TPROXY works depends on what level of access you have to
control the TCP packet routing.

Whether SSL-Bump can decrypt depends on what TLS features are being used
by the HTTPS traffic - and whether it is HTTPS at all.

These things are only loosely related.


Amos

Re: Question regarding TPROXY and sslBump

Felipe Arturo Polanco
Thanks for the reply,

Speaking strictly about TPROXY, are there any limitations compared to regular transparent intercept?

We have full control of the network and TCP routing.

We have done regular HTTPS intercept in the past and it is working fine, but now we would like to try TPROXY in bridging mode instead of routing mode.

Thanks,

On Sat, Feb 15, 2020 at 3:17 AM Amos Jeffries <[hidden email]> wrote:
> On 15/02/20 10:28 am, Felipe Polanco wrote:
> > Hi,
> >
> > Can squid running in TPROXY mode intercept and decrypt HTTPS payload
> > with sslBump?
> >
>
> Maybe. It can do so about as well as NAT intercept mode can.
>
> Whether TPROXY works depends on what level of access you have to
> control the TCP packet routing.
>
> Whether SSL-Bump can decrypt depends on what TLS features are being used
> by the HTTPS traffic - and whether it is HTTPS at all.
>
> These things are only loosely related.
>
>
> Amos

Re: Question regarding TPROXY and sslBump

Amos Jeffries
Administrator
On 16/02/20 2:58 am, Felipe Polanco wrote:
> Thanks for the reply,
>
> Speaking strictly about TPROXY, are there any limitations compared to
> regular transparent intercept?

I assume that by "regular transparent intercept" you mean NAT intercept.

The primary difference between TPROXY and NAT ... is that NAT is *not*
"transparent". All the differences derive from that.

To use TPROXY the machine running it must have the ability to spoof IPs
on packets outgoing from Squid and to properly deliver them afterwards.
This primarily affects Squid hosted in cloud services where that
low-level control is not permitted or quite difficult.

The problems NAT introduces by having a different IP address on traffic
arriving at servers largely disappear. But all other issues related to
middleware touching the messages in transit remain the same.

Amos
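
The reply above says a TPROXY host must be able to send packets with the client's address and then get the replies delivered back to Squid. As an added example (not part of the thread, and not Squid project code), this Python check audits the Linux pieces that make that delivery work; the port 3130, mark 0x1 and routing table 100 in the sample input are constructed values.

```python
import re

# Constructed sample inputs (not from the thread): output of `iptables-save -t mangle`,
# `ip rule show` and `ip route show table 100` on a host set up for TPROXY on tcp/443.
SAMPLE_MANGLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 443 -j TPROXY --on-port 3130 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
SAMPLE_RULES = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n"
SAMPLE_ROUTES = {"100": "local default dev lo scope host\n"}


def audit_tproxy(mangle, ip_rules, routes_by_table, dport=443):
    """Return a list of problems; an empty list means the delivery path is complete."""
    tp = re.search(rf"^-A PREROUTING .*--dport {dport} .*-j TPROXY .*--tproxy-mark (0x[0-9a-f]+)",
                   mangle, re.M)
    if not tp:
        return [f"no TPROXY rule for tcp/{dport} in mangle PREROUTING"]
    mark, problems = int(tp.group(1), 16), []
    # Replies to Squid's spoofed-source connections are addressed to the client,
    # so they must be matched to the local socket before normal forwarding.
    if not re.search(r"^-A PREROUTING .*-m socket .*-j \S+", mangle, re.M):
        problems.append("no '-m socket' rule: return traffic is not delivered to Squid")
    # Marked packets need a policy rule that selects a dedicated routing table...
    tables = [t for m, t in re.findall(r"fwmark (0x[0-9a-f]+)\S* lookup (\S+)", ip_rules)
              if int(m, 16) == mark]
    if not tables:
        problems.append(f"no 'ip rule' for fwmark {mark:#x}")
    # ...and that table must deliver everything locally.
    elif not any(re.search(r"^local (default|0\.0\.0\.0/0) ", routes_by_table.get(t, ""), re.M)
                 for t in tables):
        problems.append(f"table {tables[0]} has no 'local default' route")
    return problems


if __name__ == "__main__":
    print(audit_tproxy(SAMPLE_MANGLE, SAMPLE_RULES, SAMPLE_ROUTES) or "TPROXY delivery path OK")
```

On a real host, pass in the captured output of the three commands named in the comment instead of the sample strings.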