Netgate Discussion Forum
    SSLBUMP without MITM

Category: Cache/Proxy
58 Posts 11 Posters 26.3k Views
doktornotor Banned

Not using Telegram or Instagram (or Facebook, or Twitter). Will be of no help there. Maybe someone else.

shonjir

    @doktornotor:
    Apparently it wouldn't, because it's already there (twice - at the checkbox info and at the textarea info), but you still didn't read it.  :P (Try clicking the blue "i")

Actually I did read them, but the descriptions didn't seem to be fully clear to me.  ???

I do appreciate the updates however - they're working great.  8)

kopraasbotha

Hi all, please can someone explain which settings in the GUI I should change to be able to do the same SSLbump without MITM as the OP? I too don't want any certs on clients but want to block HTTPS sites.

Bismarck @kopraasbotha

@kopraasbotha

[attached screenshot]

Just set Splice All, that's it.

kopraasbotha @Bismarck

@Bismarck, I've tried this. There are still so many SSL cert errors on the workstations. Is there any other fine-tuning I could do?

[attached screenshot]

Bismarck @kopraasbotha

    @kopraasbotha said in SSLBUMP without MITM:
    SSL cert errors

There should be none. What kind of SSL cert errors do you get, for example?

kopraasbotha @Bismarck

@Bismarck, thanks for the quick reply. I get the below:

[attached screenshot]

Bismarck @kopraasbotha

@kopraasbotha

This looks like SslBump and not like SpliceAll to me, but I'm not a real Squid "Pro" tbh.

Do you have any custom config setup?

Please post the "# SslBump Peek and Splice" part of your /usr/local/etc/squid/squid.conf

kopraasbotha @Bismarck

@Bismarck, I didn't add any custom config. Here's the "sslbump peek and splice" config:

    # at_step ACLs: match the SslBump step currently being evaluated
    acl step1 at_step SslBump1   # step 1: CONNECT seen, ClientHello not yet read
    acl step2 at_step SslBump2   # step 2: ClientHello read (SNI known after a peek)
    acl step3 at_step SslBump3   # step 3: server certificate received
    acl allowed_subnets src 10.11.0.0/21 10.0.0.0/24
    acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
    # cache manager and PURGE only from the proxy itself
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    # refuse non-standard ports, and CONNECT to anything but the TLS ports
    http_access deny !safeports
    http_access deny CONNECT !sslports

Bismarck @kopraasbotha

@kopraasbotha

Yep, your config is SslBump and not Splice, but dunno why. Maybe some more expert can chime in.

https://wiki.squid-cache.org/Features/SslPeekAndSplice

kopraasbotha @Bismarck

@Bismarck, thanks for the help. I saw the ssl_bumps just underneath "custom options before auth" but there's a 2 line space between this section and the config so not sure if it's part of it.

Custom options before auth

    # sglog: URLs carrying the squidGuard "access denied" marker are refused outright
    acl sglog url_regex -i sgr=ACCESSDENIED
    http_access deny sglog
    # step 1: read the ClientHello so the SNI becomes available
    ssl_bump peek step1
    # every later step: pass the TLS bytes through untouched (no MITM)
    ssl_bump splice all

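The peek-then-splice setup the thread is circling, written out as one complete ssl_bump section that blocks chosen HTTPS sites without ever handing a proxy-generated certificate to a client. This is an added example, not configuration from the thread or from the pfSense Squid package; it assumes Squid 3.5 or later with HTTPS interception already configured (https_port ... intercept ssl-bump ...), and the ACL name blocked_sni and the domains listed under it are placeholders.

```squid
# Added example, not from the thread or the pfSense package.
# Assumes Squid >= 3.5 with transparent HTTPS interception already set up.

# at_step ACLs: which SslBump step is being evaluated
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites to refuse, matched against the TLS SNI once it has been read.
# Leading dot matches the domain and all its subdomains. (Placeholder list.)
acl blocked_sni ssl::server_name .example.com .example.net

# Step 1: peek at the ClientHello so the SNI is known at step 2.
ssl_bump peek step1

# Step 2: for blocked SNIs close both the client and the server side.
# No certificate is generated, so the browser shows a connection failure,
# not a certificate warning.
ssl_bump terminate blocked_sni

# Everything else: forward the TLS bytes untouched (no MITM, no client CA).
ssl_bump splice all
```

Order matters: the peek at step 1 is what makes the SNI available, and the terminate/splice decision is then taken per site at step 2. The reason a "splice all" setup can still produce certificate errors is that any rule which makes Squid answer the client itself, such as an http_access deny on the CONNECT or a URL rewriter redirecting to a block page, can only be delivered to an intercepted TLS client by bumping the connection with a certificate from the proxy CA, which is exactly what a client without that CA warns about; terminate avoids that by not answering at all. To see which one a client is getting, run from a workstation behind the proxy: openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -issuer. A spliced connection shows the site's real CA as the issuer; a bumped one shows the pfSense/Squid CA.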
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.