RE: https interception some whitelisted sites not working properly

Fellows, one more question: with the following setup, am I achieving a truly transparent proxy?

http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=256MB cert=/etc/squid3/certs/ssl/public.pem key=/etc/squid3/certs/ssl/private.pem

acl broken_sites_ip dst "/etc/squid3/acl/ssl_whitelist_ip.acl"
acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
always_direct allow broken_sites
ssl_bump none localhost
ssl_bump none broken_sites_ip
ssl_bump none broken_sites 
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump server-first all

I also have enabled ip_forward and got these iptables rules:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
iptables -I INPUT -p tcp -m tcp --dport 3129 -j ACCEPT

Thanks

----------------------------------------
> From: iknano@xxxxxxxxxxx
> To: squid-users@xxxxxxxxxxxxxxx
> Date: Fri, 2 May 2014 11:47:43 -0400
> Subject: RE:  https interception some whitelisted sites not working properly
>
> Thank you Eliezer for your quick answer. I've been struggling for many days to get this to work...
>
> Tested your recommendation and it worked like a charm!
>
> ...
> ...
> acl broken_sites_ip dst a.b.c.d/xx
> acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
> always_direct allow broken_sites
> ssl_bump none localhost
> ssl_bump none broken_sites_ip
> ssl_bump none broken_sites
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> ssl_bump server-first all
> ...
> ...
>
> One last question: is the "always_direct" instruction necessary?
> Thanks!
>
>
>
>> Date: Fri, 2 May 2014 00:55:03 +0300
>> From: eliezer@xxxxxxxxxxxx
>> To: squid-users@xxxxxxxxxxxxxxx
>> Subject: Re:  https interception some whitelisted sites not working properly
>>
>> Hey there,
>>
>> This was asked in the past month twice, if I'm not wrong.
>> In the stage when you use ssl_bump, squid doesn't have any sense of
>> dstdomain.
>> Means that when squid bumps and knows the site name, the connection is
>> already bumped and knows about it, but when you want to apply a whitelist
>> squid only works on the IP level.
>> So instead use iptables and/or squid "dst" as a whitelist level.
>>
>> Eliezer
>>
>> On 05/02/2014 12:21 AM, Ikna Nou wrote:
>>> acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
>>
>>
>
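As an added example, not code from this thread or from the Squid project: a small Python linter that applies Eliezer's advice mechanically to the configuration posted above. It treats the dst/src family of ACL types as the only ones usable at the bump decision for intercepted HTTPS (that classification, and the list of ACL names squid predefines, are assumptions of the example), flags an ssl_bump rule that leans on a dstdomain ACL, and also reports any rule placed after `ssl_bump ... all`, which can never match. The first configuration it checks is the one posted in this thread; the second, shorter snippet is constructed for the example.

```python
"""Lint the ssl_bump rules in a squid.conf fragment for the whitelist
pitfall raised in this thread: an "ssl_bump none" exception that relies
on a dstdomain ACL, plus rules shadowed by an earlier catch-all."""
from dataclasses import dataclass, field

# Constructed sample: the configuration posted above, embedded verbatim so
# the script runs offline.
SAMPLE_CONF = """\
http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=256MB cert=/etc/squid3/certs/ssl/public.pem key=/etc/squid3/certs/ssl/private.pem

acl broken_sites_ip dst "/etc/squid3/acl/ssl_whitelist_ip.acl"
acl broken_sites dstdomain "/etc/squid3/acl/ssl_whitelist.acl"
always_direct allow broken_sites
ssl_bump none localhost
ssl_bump none broken_sites_ip
ssl_bump none broken_sites
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump server-first all
"""

# Second constructed sample: the exception rule placed after the catch-all,
# so it can never match.
SHADOWED_CONF = """\
acl banks dst 198.51.100.0/24
ssl_bump server-first all
ssl_bump none banks
"""

# ACL types evaluated purely on TCP endpoints. Assumption drawn from the
# thread's advice that, at the bump decision for intercepted HTTPS, squid
# only knows the destination IP, not the hostname.
IP_LEVEL_ACL_TYPES = {"src", "dst", "localip", "localport", "myip", "myport"}
# ACL names squid predefines; assumed here so "localhost" and "all" do not
# trip the undefined-ACL check.
BUILTIN_ACLS = {"all", "localhost", "manager", "to_localhost"}


@dataclass
class SslBumpRule:
    lineno: int
    action: str
    acls: list


@dataclass
class Config:
    acl_types: dict = field(default_factory=dict)   # acl name -> acl type
    rules: list = field(default_factory=list)       # ssl_bump rules, in order


def parse(conf: str) -> Config:
    """Collect acl definitions and ssl_bump rules, ignoring comments."""
    cfg = Config()
    for lineno, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 3:
            cfg.acl_types.setdefault(parts[1], parts[2])
        elif parts[0] == "ssl_bump" and len(parts) >= 2:
            cfg.rules.append(SslBumpRule(lineno, parts[1], parts[2:]))
    return cfg


def lint(conf: str) -> list:
    """Return one human-readable finding per problematic ssl_bump rule."""
    cfg = parse(conf)
    findings = []
    catch_all_at = None
    for rule in cfg.rules:
        if catch_all_at is not None:
            findings.append(
                f"line {rule.lineno}: ssl_bump {rule.action} is unreachable; "
                f"line {catch_all_at} already matches all traffic")
            continue
        for token in rule.acls:
            name = token.lstrip("!")          # "!acl" negates; same type applies
            if name in BUILTIN_ACLS:
                continue
            acl_type = cfg.acl_types.get(name)
            if acl_type is None:
                findings.append(
                    f"line {rule.lineno}: ssl_bump references undefined acl '{name}'")
            elif acl_type not in IP_LEVEL_ACL_TYPES:
                findings.append(
                    f"line {rule.lineno}: ssl_bump {rule.action} depends on "
                    f"'{name}' ({acl_type}); for intercepted HTTPS use a dst "
                    f"(IP) acl or an iptables exception instead")
        if rule.acls == ["all"]:
            catch_all_at = rule.lineno
    return findings


if __name__ == "__main__":
    for label, conf in (("posted config", SAMPLE_CONF), ("shadowed rule", SHADOWED_CONF)):
        print(f"== {label} ==")
        for finding in lint(conf) or ["no findings"]:
            print(finding)
```

Run against the posted configuration it reports only the `ssl_bump none broken_sites` line, which is exactly the rule the thread found ineffective; the `dst` exception and the `localhost` rule pass. The IP-only limitation the thread describes applies to the server-first mode shown here; later Squid releases added peek/splice steps where the TLS SNI is visible before the bump decision, which this linter does not model.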