Squid HTTPS proxy - an explicit (CONNECT) proxy that peeks at the TLS ClientHello and splices or terminates each tunnel based on the SNI server name, without decrypting anything
# Squid as an explicit (CONNECT) HTTPS proxy: it reads the client's TLS
# ClientHello and then either splices the tunnel through untouched or
# terminates it, based on the SNI server name. No TLS session is decrypted.
# Debug level 2 for every section (Squid's default is 1): expect a noisier
# cache.log than a stock install.
debug_options ALL,2 | |
coredump_dir /var/spool/squid | |
# Own pid file; presumably so this instance can coexist with a default squid service.
pid_filename /var/run/squid-https.pid | |
access_log /var/log/squid/access.log | |
cache_log /var/log/squid/cache.log | |
# Avoid interfering with timeout behaviour of TCP client applications | |
# The timeout values are 10x their default | |
shutdown_lifetime 10 seconds | |
connect_timeout 10 minutes | |
write_timeout 150 minutes | |
dns_timeout 5 minutes | |
read_timeout 150 minutes | |
# Do not ever close an outstanding TCP connection that is not subjected to other timeout condition | |
# NOTE(review): with an effectively unlimited client lifetime, every client can
# hold a spliced tunnel (and a file descriptor) open for as long as it keeps the
# socket alive; the read/write timeouts above and the OS/Squid descriptor limits
# are the only backstop against a client that opens many idle tunnels.
client_lifetime 3650 days | |
# Deny the cache-manager interface (built-in 'manager' ACL) before anything is allowed. | |
http_access deny manager | |
# HTTP ACLs only allow TLS traffic: any request whose destination port is not 443 is rejected | |
acl allowed_port port 443 | |
http_access deny !allowed_port | |
# Belt and braces: CONNECT tunnels may only target port 443 (already implied by the rule above). | |
acl ssl_ports port 443 | |
acl CONNECT method CONNECT | |
http_access deny CONNECT !ssl_ports | |
# HTTP ACLs are not concerned with TLS server name white-list; that is left to the ssl_bump rules below | |
# NOTE(review): there is no client-source (src) ACL anywhere in this file, and
# http_port below is not bound to an address, so any host that can reach
# TCP/3130 may open CONNECT tunnels to any *:443 the ssl_bump rules let through.
# Unless a firewall already restricts who can reach the port, add e.g.
#   acl trusted_clients src 10.0.0.0/8
#   http_access deny !trusted_clients
# before this line, or bind http_port to a specific address.
http_access allow all | |
# TLS ACLs only allow traffic destined to white-listed server names | |
# Step 1 runs right after CONNECT is accepted, before the ClientHello has been
# read. 'peek' at step 1 makes Squid read the ClientHello, so at step 2 (where
# the ssl_bump rules are evaluated again and tls_hello no longer matches) the
# SNI is available to the server-name ACL below.
acl tls_hello at_step SslBump1 | |
# NOTE(review): ^.*$ matches every server name (including an empty one), so as
# written this white-list admits everything and 'terminate all' is unreachable.
# Replace the pattern with the real allowed names, e.g. ^(www\.)?example\.com$,
# before relying on it.
# Keep in mind that the matched name is client-supplied (the SNI, or - per
# Squid's ssl::server_name documentation - the CONNECT host when the hello
# carries none). Because the tunnel is spliced at step 2, Squid never sees the
# server's certificate here, so the white-list cannot be cross-checked against
# what the server actually presents; confirm how your Squid version treats an
# SNI that disagrees with the CONNECT host before treating this as a hard control.
acl allowed_server_names ssl::server_name_regex -i ^.*$ | |
ssl_bump peek tls_hello | |
# splice: forward the TLS session untouched; terminate: close both client and server sides.
ssl_bump splice allowed_server_names | |
ssl_bump terminate all | |
# The self-signed certificate is not involved at all (no rule ever bumps), but Squid configuration syntax checker asks for it. | |
# No bind address: listens on every local address (see the src-ACL note above).
# Squid 4 documents this option as tls-cert=; cert= is the Squid 3.5 spelling - check your version.
http_port 3130 ssl-bump cert=/etc/squid/dummy-squid-cert.pem |