[squid-users] How to do transparent rewrite with https requests?
Yves MARTIN
yves.martin at elca.ch
Thu Dec 18 14:39:43 UTC 2025
Hello,
Thanks to your answer, Alex,
https://ml-archives.squid-cache.org/squid-users/2025-May/027560.html
our team has been running Squid with transparent HTTPS interception and
request rewriting to cache services for months.
With the recent introduction of OpenSSL v3 in distributions like Debian 13,
the Python 3 requests or httpx modules (and probably soon more HTTPS clients)
now complain about a missing AKID in the Squid mimic certificate with "[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key
Identifier".
We are investigating by adding logging to src/ssl/gadgets.cc, and the
configured ssl_bump sequence (step1/bump step2/stare step3/bump) probably
prevents certificate generation from including these extensions.
Does this hypothesis sound plausible?
Is there a way to work around this new issue through configuration or
patching?
Thank you in advance for your help
Best regards,
Yves
From: Yves MARTIN
Sent: Tuesday, May 27, 2025 4:37 PM
To: squid-users at lists.squid-cache.org
Subject: How to do transparent rewrite with https requests?
Hello,
My team expects to transparently rewrite requests through Squid, replacing
the original URL/hostname with another target URL/host.
The main objective is to redirect the original HTTPS requests triggered by
"docker pull alpine" to a local mirrored registry without obvious information
in the user client that the obtained image comes from a mirror: the original
image location is preserved, and there is no specific proxy or mirror
configuration to set in the docker client/daemon.
To do so, we have used squid-urlrewrite and it works well for HTTP requests,
even if the rewrite targets an HTTPS URL.
But when the original request is HTTPS, the connection still goes to the
original URL/hostname IP address
https://github.com/rchunping/squid-urlrewrite/issues/3
According to debug logs, the original request hostname is resolved to an IP
early and kept in internal context after squid-urlrewrite is invoked.
Do you have recommendations on how to implement such a rewrite? Any idea how
to improve/fix the current Squid behavior?
Thank you in advance for your help
Best regards,
Yves
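
A way to check a certificate for the extension named in the error message, as an added example that is not part of the original post or of Squid: a standard-library DER walker that reports whether the Authority/Subject Key Identifier extensions are present. The sample certificates are constructed skeletons (structure only), and all function names are assumptions of this example.

```python
# Added example, not Squid code; function names and sample data are this example's own.
import ssl

KEY_ID_OIDS = {bytes.fromhex("551d23"): "authorityKeyIdentifier",  # OID 2.5.29.35
               bytes.fromhex("551d0e"): "subjectKeyIdentifier"}    # OID 2.5.29.14

def tlv(tag, value):
    """DER-encode one element (only used to build the constructed samples)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def children(buf):
    """Split a DER byte string into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long-form length
            size = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def key_id_extensions(der):
    """Return the names of the key-identifier extensions in a DER certificate."""
    tbs = children(children(der)[0][1])[0][1]    # Certificate -> tbsCertificate
    found = set()
    for tag, value in children(tbs):
        if tag == 0xA3:                          # [3] EXPLICIT Extensions
            for _, ext in children(children(value)[0][1]):
                found.add(KEY_ID_OIDS.get(children(ext)[0][1]))  # extnID comes first
    return found - {None}

def pem_key_id_extensions(pem):
    return key_id_extensions(ssl.PEM_cert_to_DER_cert(pem))

def sample_cert(with_akid):
    """Constructed skeleton: certificate structure only, no names, key or signature."""
    exts = tlv(0x30, tlv(0x06, bytes.fromhex("551d0e")) + tlv(0x04, tlv(0x04, b"\x01" * 20)))
    if with_akid:
        akid = tlv(0x04, tlv(0x30, tlv(0x80, b"\x02" * 20)))
        exts += tlv(0x30, tlv(0x06, bytes.fromhex("551d23")) + akid)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a certificate served by a proxy, ssl.get_server_certificate((host, 443)) returns the presented PEM without validating it, and that string can be passed to pem_key_id_extensions (host is a placeholder).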