Skip to content

feat: add https payload interception via ssl bumping#88

Closed
Copilot wants to merge 4 commits intomainfrom
copilot/investigate-squid-proxy-https
Closed

feat: add https payload interception via ssl bumping#88
Copilot wants to merge 4 commits intomainfrom
copilot/investigate-squid-proxy-https

Conversation

Copy link
Contributor

Copilot AI commented Dec 3, 2025
edited
Loading

Investigated whether Squid proxy can intercept HTTPS payloads for debugging. Answer: yes, via SSL bumping.

Changes

Core Implementation

  • CLI: Added --ssl-bump flag with security warnings
  • Configuration: Extended SquidConfig to generate ssl_bump directives for HTTPS interception
  • Certificate: Auto-generate ephemeral CA certificate via generate-cert.sh on container startup
  • Container: Updated Squid Dockerfile to install OpenSSL

Visibility Enhancement

Without SSL bumping (default):

172.30.0.20 api.github.com:443 CONNECT 200 TCP_TUNNEL api.github.com:443

With SSL bumping:

172.30.0.20 api.github.com GET 200 TCP_MISS https://api.github.com/zen "curl/7.81.0"

Full URL path, HTTP method, and headers now visible in logs.

Configuration Logic

Generates different Squid configs based on mode:

  • Default: http_port 3128 with CONNECT tunneling
  • SSL bump: https_port 3128 intercept ssl-bump with peek/bump/terminate directives

Intelligently references ACLs based on domain type (plain/patterns/both).

Security

  • Opt-in only (disabled by default)
  • Ephemeral certificates (auto-generated, not persisted)
  • Prominent warnings on execution
  • Comprehensive security documentation

Testing

  • 11 new test cases covering SSL bumping configuration
  • All scenarios: plain domains, wildcard patterns, combinations
  • 359 total tests passing

Usage

sudo awf --allow-domains github.com --ssl-bump -- curl -k https://api.github.com/zen

Note: -k required as ephemeral CA not trusted by default. Feature intended for debugging only.

Original prompt

Investigate if the Squid proxy container can intercept the HTTPS payload as a logging / debugging mechanism

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 3 commits December 3, 2025 20:43
@Mossaka
feat(ssl-bump): add https payload interception capability
a245642 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@Mossaka
docs: add manual testing guide for ssl bumping
743b65c 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
@Mossaka
docs: add implementation summary for ssl bumping feature
b86f2dd 
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Investigate HTTPS payload interception with Squid proxy feat: add https payload interception via ssl bumping Dec 3, 2025
Copilot AI requested a review from Mossaka December 3, 2025 20:50
@github-actions
Copy link

github-actions bot commented Dec 18, 2025

Test Coverage Report

Metric Coverage Covered/Total
Lines 67.04% 706/1053
Statements 67.19% 727/1082
Functions 70.24% 85/121
Branches 63.02% 242/384
Coverage Thresholds

The project has the following coverage thresholds configured:

  • Lines: 38%
  • Statements: 38%
  • Functions: 35%
  • Branches: 30%

Coverage report generated by `npm run test:coverage`

@Mossaka Mossaka marked this pull request as ready for review December 19, 2025 07:44
@Mossaka Mossaka added the smoke label Dec 19, 2025
@Mossaka
Copy link
Collaborator

Mossaka commented Dec 19, 2025

in favor of #131

@Mossaka Mossaka closed this Dec 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mossaka Mossaka Awaiting requested review from Mossaka

Assignees

@Mossaka Mossaka

Copilot code review Copilot

Labels

smoke

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Mossaka