
After configuring Squid to perform SSL Bump on HTTPS requests from clients, I want to send this to another proxy that will perform its own MITM, connect to the 'target server', and return the information to the client. What is needed for Squid to pass the requests (after SSL Bump is performed) to the second proxy?

client(box1)->iptables(box1)->squid+ssl_bump(box2)->anotherproxy(box3)->targetServer

box1 was updated with iptables rules:

iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to 10.1.1.1.1:8444

box2 has SSL_BUMP configured to listen and decrypt on 8444. However, I am unsure how to configure Squid to pass the decrypted, redirected SSL traffic on from the ssl_bump. I've tried cache_peer (parent), and Squid does not successfully connect to the cache_peer (parent).

Jeryl Cook
  • What have you tried? What did you expect to happen? What happened instead? What does your config look like? Do you have any log entries from the times it didn't work as expected? – Jenny D Jun 02 '17 at 16:39
  • Are you aware that this type of configuration is supported, @JennyD? – Jeryl Cook Jun 02 '17 at 17:08
  • Every time I go back to this question, I am so irritated by the downvote. I clearly explained what I tried, what happened, and what I expected to happen. – Jeryl Cook Jul 15 '21 at 19:13

1 Answer


I'm pretty sure you can't specify a downstream proxy server in squid.conf if you are using SslBump (or I couldn't when I used it with Squid 3.4.??). I'm guessing the way you could do this is to set up another transparent HTTPS/SslBump iptables/Squid pair, as you have in your example:

client(box1)->iptables(box2)->squid+ssl_bump(box3)->ANOTHER_IPTABLES(box4)->anotherproxy+ssl_bump(box5)->targetServer

with box4 redirecting all TCP 443 traffic to box5 port 8884 (your HTTPS Squid intercept port).

But do you really need to do this? It looks over-complicated to me.

BTW, if you are using iptables (e.g. box2) as a router, you can run squid+ssl_bump on it too to save on boxes.

Jim ReesPotter
  • It's called 'upstream' (forwarding to a cache_peer parent), not 'downstream'. It's easily possible with HTTP; example: https://stackoverflow.com/questions/19199424/squid-forward-to-another-proxy-with-authentication-details-for-the-parent-prox In my case my Squid is listening and doing ssl_bump on 8444. I have another proxy server (on 8440) configured as a cache_peer parent, but it's not working. – Jeryl Cook Jun 09 '17 at 18:01
  • 1
    Sorry, upstream yes. I found this on the squid forum from a couple fo years ago:Squid can: A) relay CONNECT message from client to any upstream proxy. B) generate CONNECT message on arriving intercepted HTTPS and relay that to upstream proxy *IF* (and only if) ssl_bump selects the 'splice' action. C) relay https:// URLs to an upstream TLS proxy. That is all at present. Squid cannot (yet) generate CONNECT messages to try and fetch TLS details via a non-TLS cache_peer. -- So does your setup fit B or C? – Jim ReesPotter Jun 13 '17 at 15:10
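As an added illustration of the two cases the last comment lists (this is not configuration from the question or the answer), the following squid.conf fragment for box2 bumps intercepted HTTPS on 8444 and forwards everything to a parent on box3. It assumes Squid 3.5 syntax, the addresses 10.1.1.2 (box2) and 10.1.1.3 (box3), parent port 8440, the CA file path, the ssl_crtd path and the example splice domain; all of those are placeholders. Two points it makes that the thread only hints at: the parent has to be a TLS peer (the cache_peer "ssl" option; "tls" in Squid 4), because bumped requests leave Squid as https:// URLs (case C) and only spliced connections go out as CONNECT (case B); and Squid's "intercept" mode recovers the client's original destination from the NAT table on the Squid host itself, so the DNAT/REDIRECT belongs on box2, not on box1 as in the question.

```conf
# Added example, not from the original post. Squid 3.5 directives.
# 10.1.1.2 (box2), 10.1.1.3 (box3), port 8440, file paths and the
# splice domain are assumptions for illustration only.

# Intercept port for the redirected client traffic. The redirect must be
# done on this host so Squid can look up the original destination, e.g.:
#   iptables -t nat -A PREROUTING -s 10.1.1.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 8444
https_port 10.1.1.2:8444 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Generator for the forged server certificates (Squid 3.5 helper name;
# Squid 4 ships security_file_certgen instead).
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Peek at the ClientHello first so the SNI (ssl::server_name) is available,
# splice anything that must not be decrypted, bump everything else.
acl step1 at_step SslBump1
acl no_bump ssl::server_name .example-bank.test
ssl_bump peek step1
ssl_bump splice no_bump
ssl_bump bump all

# Upstream proxy on box3. "ssl" makes Squid open a TLS connection to it,
# which is required for relaying the bumped https:// URLs (case C);
# spliced connections are relayed to it as CONNECT (case B).
# Replace DONT_VERIFY_PEER with sslcafile=/path/to/box3-ca.pem for
# production use; skipping verification lets anyone impersonate box3.
cache_peer 10.1.1.3 parent 8440 0 no-query default ssl sslflags=DONT_VERIFY_PEER name=box3

# Never contact the target server directly; everything goes via box3.
never_direct allow all
```

Check the syntax with "squid -k parse -f /etc/squid/squid.conf" before reloading, and watch cache.log for NAT lookup failures on the intercept port. Whatever runs on box3 must accept TLS from box2 on 8440 and perform its own MITM from there; if box3 is also Squid, that is a non-intercepting https_port with ssl-bump, not a second intercept port. A plain-HTTP parent (no "ssl" option) will only ever receive the spliced CONNECT traffic, which matches the failure described in the question.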