Squid ssl-bump



  • The short question: Can Squid be configured to perform ssl-bump on a single domain? I don't want to bump/filter/cache all SSL domains–just one in particular.

    The long explanation:

    The network I administer is on a slow point-to-point Wi-Fi link and relies heavily on a hosted web app that, for obvious reasons, is served via SSL.

    I have Squid set up running transparent proxy on all http traffic, working very well.

    The web app in question is accessed by a limited number of kiosk systems, all running Firefox. The speed and availability of this web app is very important.

    Unfortunately I was not well-involved in the decision making process before deploying this app, or else I would have brought up our ISP's limits, but I digress.

    Basically, I'm interested in caching everything from this one domain via ssl-bump. I know it will raise cert errors on the clients, but I can manually store exceptions with no headache.

    Even more ideal, I would like to set this ssl-bump rule on its own listening port, so I can manually configure the clients' proxy to use it. Meaning, if a client accesses the app's domain from the transparent proxy, it's not bumped. If a client accesses the app domain from the manual proxy, it is bumped. That way I have very fine grained control over who gets ssl errors.

    Thank you very much in advance for any help!



  • So, upon more careful inspection of the Squid docs, it looks like ssl-bump is only available in version >3.1. However, the Squid package for pfsense is 2.7.

    Is there a relatively painless* way to do an in-place upgrade?

    *By "relatively painless", I mean something that wouldn't warrant huge downtime or risk of failure or damage to system.



  • Hi,

pfSense offers a squid3 package which is Squid 3.1. There is no newer version in FreeBSD ports (3.2 or 3.3).
    Further, forum user marcelloc is working on a web-GUI-based ssl-bump feature, but he needs some more time and donations. There is a thread on the forum, which I do not have at the moment.

Furthermore, a suggestion:
    If you use a transparent proxy, then all HTTP (80) traffic will be redirected automatically through Squid. Nevertheless, Squid is still listening on the basic port 3128. If I am not wrong, you could enter the proxy URL and port on your kiosk machines, and then they will redirect HTTP/HTTPS (80/443) through Squid. So there is no need to do this "transparently".

If you cannot enter the proxy in the Firefox web browser, then you can try to do that with WPAD or a proxy.pac.
    If I understand you correctly, you do not need this for security reasons but "just" for caching websites which are using HTTPS, or, to be more clear, just this one web app. Right?

    This is just a suggestion - perhaps it could help you.



  • @Nachtfalke:

Further, forum user marcelloc is working on a web-GUI-based ssl-bump feature, but he needs some more time and donations. There is a thread on the forum, which I do not have at the moment.

    It's here http://forum.pfsense.org/index.php/topic,58368.0.html :)
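The per-port, single-domain bump the opening post asks for, written out as an added squid.conf example (not from any poster in this thread and not the pfSense package's own configuration). It assumes Squid 3.1 built with --enable-ssl; the port numbers, file paths and the domain kiosk-app.example.com are placeholders.

```conf
# Added example, not from this thread or the pfSense package: squid.conf
# fragments for Squid 3.1 built with --enable-ssl. Ports, file paths and
# kiosk-app.example.com are placeholders; replace with your own values.

# Port 3128: the existing transparent proxy for plain HTTP. No ssl-bump
# here, so HTTPS that reaches this port is never intercepted.
http_port 3128 intercept

# Port 3129: the manually configured proxy for the kiosks. Only this
# listener is allowed to bump, using a locally generated CA certificate
# for which the kiosk Firefox profiles store an exception.
http_port 3129 ssl-bump cert=/usr/local/etc/squid/bump-ca.pem key=/usr/local/etc/squid/bump-ca.key

# Identify the bumping listener and the one application domain.
acl bump_port myport 3129
acl bump_domain dstdomain .kiosk-app.example.com
acl SSL_ports port 443
acl CONNECT method CONNECT

# Bump only CONNECT requests for the app that arrive on 3129;
# every other TLS session is tunnelled untouched.
ssl_bump allow bump_port bump_domain
ssl_bump deny all

# Keep verifying the origin server's certificate after bumping, so the
# proxy does not hide a bad upstream certificate from the kiosks.
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt

# Standard safety rule: CONNECT to non-TLS ports is still refused.
http_access deny CONNECT !SSL_ports

# Give the bumped application responses a cache to land in.
cache_dir ufs /var/squid/cache 1000 16 256
```

With 3.1 every bumped site presents the one certificate named in cert=, so each kiosk profile needs an exception for that certificate; the existing http_access rules for port 3128 apply to 3129 as well.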

