For a while we were waiting for Squid 3.2.x to be released as a stable version of Squid. Finally, it was. But a small portion of the community (including us) was expecting that the bug related to using a parent proxy with SSL bumping would be resolved. It was not ( http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss1.1 ) and it will not be until Squid 3.3.
Let me give a brief history of this bug:
- First, the bug was introduced: people using SSL Bumping were not able to use parent proxies.
- This bug was fixed, and people were able to use SSL Bumping with parent proxies again.
- But this fix introduced a new bug: Squid was sending the request to the parent proxy as a clear-text proxy request. It terminated the SSL connection with the client and sent the data to the parent proxy unencrypted. In fact, Squid was not able to re-encapsulate the request into a CONNECT method.
- This is a serious security problem if the network between your Squid and the parent proxy is not secured. So the Squid team decided to disable SSL Bumping with parent proxies programmatically.
- ...and that brings us to today.
PS: As far as I know, this is the summary of this bug's history. If I have made a mistake, please let me know.
But our users are expecting a solution from us. We decided that we should go one step backwards and return to the state where SSL Bumping and parent proxies work together, but in an unsecured way. We have decided to warn system administrators to secure the line between the parent proxy and our new Squid release (only if they are using a parent proxy for HTTPS, of course). We commented out the restriction lines for this case (https://github.com/hkerem/squid3-ssl/blob/master/debian/patches/60-peer-sslbump-accept.dpatch).
Check out our latest Squid SSL package from our repositories (http://www.mydlp.com/now-squid3-ssl-packages-in-mydlp-repository/).
Then, please comment out this line:
#always_direct allow all
and add these lines to /etc/squid3/squid.conf:
cache_peer your.parent.proxy parent 8080 0 no-query no-digest
never_direct allow all
After reloading Squid, it will start using this parent proxy for all protocols, including HTTPS.
CAUTION: If you are using parent proxies while SSL Bumping is enabled, you must secure the communication line between your parent proxy and Squid. Otherwise, your system will pose a serious security risk.
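As an added example (not part of the original post or of the MyDLP packages), here is a small Python audit over Squid's native access.log format that flags exactly the case the caution is about: a bumped HTTPS request (non-CONNECT method with an https:// URL) that was relayed to a parent peer rather than tunnelled or sent direct. It assumes Squid's default native log layout (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type); the log lines below are constructed, not real traffic.

```python
import re
from dataclasses import dataclass

# Squid "native" access.log layout (one line per request):
#   time elapsed client code/status bytes method url ident hier/peer type
_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Finding:
    client: str
    url: str
    peer: str
    method: str


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not native format."""
    m = _LINE.match(line.strip())
    return m.groupdict() if m else None


def is_plaintext_forward(rec):
    """True when a bumped HTTPS request (non-CONNECT, https:// URL) was
    relayed to a parent peer (hierarchy code ending in _PARENT) instead of
    going HIER_DIRECT or being tunnelled with CONNECT. Such a request left
    Squid as a clear-text proxy request on the Squid-to-parent link."""
    return (
        rec["method"] != "CONNECT"
        and rec["url"].lower().startswith("https://")
        and rec["hier"].endswith("_PARENT")
    )


def audit(lines):
    """Scan access.log lines and collect every plaintext forward of HTTPS."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_plaintext_forward(rec):
            findings.append(Finding(rec["client"], rec["url"], rec["peer"], rec["method"]))
    return findings


# Constructed sample log lines (hypothetical hosts and addresses, not real traffic).
SAMPLE_LOG = """\
1350000000.101    120 10.1.1.20 TCP_MISS/200 5120 GET http://example.org/index.html - DEFAULT_PARENT/10.0.0.5 text/html
1350000000.205    340 10.1.1.21 TCP_TUNNEL/200 8912 CONNECT bank.example:443 - DEFAULT_PARENT/10.0.0.5 -
1350000000.310    210 10.1.1.22 TCP_MISS/200 2048 GET https://bank.example/account - DEFAULT_PARENT/10.0.0.5 text/html
1350000000.415     90 10.1.1.23 TCP_MISS/200 1024 GET https://mail.example/inbox - HIER_DIRECT/93.184.216.34 text/html
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"PLAINTEXT FORWARD: {f.client} {f.method} {f.url} -> parent {f.peer}")
```

Run it against your real access.log (for example `audit(open("/var/log/squid3/access.log"))`) to see which HTTPS requests are crossing the Squid-to-parent link unencrypted; any finding is traffic that needs the secured line the caution describes.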