Does SSL bumping work with parent proxy? squid
and pf
are set up like this:
squid.conf
:
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on key=/usr/local/etc/squid/ssl/squid.key cert=/usr/local/etc/squid/ssl/squid.pem
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
ssl_bump client-first none
ssl_bump server-first all
cache_peer proxy.office.com parent 8080 0 login=user:password
pf.conf
rdr pass on lo0 proto tcp from any to any port 80 -> 127.0.0.1 port 3128
rdr pass on lo0 proto tcp from any to any port 443 -> 127.0.0.1 port 3129
pass out on en0 route-to lo0 inet proto tcp from any to any port 80 keep state
pass out on en0 route-to lo0 inet proto tcp from any to any port 443 keep state
squid
version:
Squid Cache: Version 3.2.9
configure options: '--disable-debug' '--disable-dependency-tracking' '--prefix=/usr/local/Cellar/squid/3.2.9' '--localstatedir=/usr/local/var' '--enable-ssl' '--enable-ssl-crtd' '--disable-eui' '--enable-ipfw-transparent' 'CC=cc' 'CXX=c++' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Library/ENV/pkgconfig/10.8'
Everything works fine for HTTP but HTTPS connections raise 1372080519.323 0 172.17.244.135 NONE/400 3998 NONE error:invalid-request - HIER_NONE/- text/html
in cache.log
. Parent proxy works if set as HTTPS proxy in browsers.
Best Answer
Need 3 lines in there:
Point your browser HTTP and SSL proxy to 3128 and it should work. Anytime it gets a secure CONNECT request, it goes down the line to 3130 for https. No other firewall entries needed since it is all internal with squid.