setting up apache2 (or squid) to serve as an SSL/TLS proxy for older systems?

Joshua Root jmr at macports.org
Tue Jul 28 07:15:02 UTC 2020


Ken Cunningham wrote:
> I have finally found and followed a webmin walkthrough on setting up squid on Ubuntu that worked <https://doxfer.webmin.com/Webmin/Squid_Basic_Configuration> and thereby sorted out how to use squid as an http and https proxy server for all the web traffic between the internal network and the outside web, and that now works fine.
> 
> However, it seems to just create tunnels and routes existing packets, so the SSL/TLS level remains the same. It doesn’t actually step in the middle (which I guess is a good security feature).
> 
> There is a squid feature called "ssl bumping" which seems at least partway to stepping in the middle — I’m not sure if it will actually do the SSL translation I am looking for to a higher TLS level, or whether it just reads the packets and logs them for the employer to keep tabs on employees, but it’s a step in the right direction I think.

Yes, ssl_bump is exactly the setting you want. See the docs:
<http://www.squid-cache.org/Versions/v4/cfgman/ssl_bump.html>

There are a few modes of operation you can choose from. The ones of
interest for systems that don't support modern TLS versions closely
resemble a MITM attack, so clients will of course complain loudly about
invalid certificates unless you configure them to trust the proxy.

- Josh
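As an added example, not part of Josh's message or the Squid project's documentation: a squid.conf fragment for Squid 4 that puts the proxy in the middle of HTTPS connections (ssl_bump "bump"), so that a client which only speaks an older TLS version talks that version to the proxy while the proxy negotiates TLS 1.2 or later with the origin server. The port number, the CA file path /etc/squid/ssl_cert/myCA.pem, the certificate database path /var/lib/ssl_db and the helper path /usr/lib/squid/security_file_certgen are assumptions for illustration; check your distribution's paths.

```conf
# --- Added example: Squid 4 ssl_bump "bump" configuration (assumed paths) ---

# Listening port. ssl-bump enables the MITM machinery; the proxy mints a
# per-site leaf certificate on the fly, signed by the CA in myCA.pem, which
# must hold both the certificate and its private key (assumed location).
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/ssl_cert/myCA.pem \
    tls-key=/etc/squid/ssl_cert/myCA.pem

# Helper that generates and caches the forged leaf certificates.
# Initialise the database once, as the squid user, before starting squid:
#   /usr/lib/squid/security_file_certgen -c -s /var/lib/ssl_db -M 4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Step 1: only peek at the client's ClientHello (to learn the SNI name);
# then bump everything, i.e. terminate the client's TLS session at the proxy
# and open a separate TLS session to the origin server.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# The proxy-to-origin leg is where the "translation" happens: force a
# modern minimum version here regardless of what the legacy client offered.
tls_outgoing_options min-version=1.2

# Keep the default: refuse to connect onward when the origin certificate
# does not verify. Do not loosen this, or every client behind the proxy
# silently loses certificate validation for the whole internet.
sslproxy_cert_error deny all
```

The CA that signs the generated certificates has to be installed as trusted on every legacy client, otherwise they will reject the proxy's certificates exactly as Josh says. A self-signed CA can be created with `openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem` and exported for the clients with `openssl x509 -in myCA.pem -outform DER -out myCA.der`. Treat that private key as the most sensitive secret on the network: anyone who obtains it can impersonate any HTTPS site to every client that trusts it.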


More information about the macports-users mailing list