No worries. Sounds like this is the feature you should be waiting with bated breath for: http://wiki.squid-cache.org/Features/SslPeekAndSplice I’m not a developer so I have no idea how far along that is right now.

On 30 Jun 2014, at 11:05 pm, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:

> On Mon, 2014-06-30 at 22:56 +1000, Dan Charlesworth wrote:
>> Yeah, pinned SSL ain't gonna be bumped. The Twitter apps are another popular one that use pinning.
>>
>> As far as your broken_sites ACL goes, you can't use `dstdomain` because the only thing Squid can see of the destination before bumping an intercepted connection is the IP address. So for `ssl_bump none` you'll need to use `dst` ACLs instead.
>>
>> ProTip: Here are the Apple and Akamai public IP blocks (to use in a dst equivalent of your broken_sites), respectively: 17.0.0.0/8, 23.0.0.0/12.
>>
>> Good luck
>>
>> On 30 Jun 2014, at 10:38 pm, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:
>>
>>> Topic pretty much says it...most sites work fine using my below set up, but some (Apple's app store) do not. I'm wondering if cert pinning is the issue? Since this set up is basically two separate sessions, I packet captured both. The side that I have control over gives me a TLS Record Layer Alert Close Notify. I am unable to decrypt the other side as the device in question is an iDevice and I can't capture the master secret.
>>>
>>> I've even tried to ACL certain sites to not bump, but they don't go through. Below is my complete setup. This is running the below:
>>>
>>> Squid Cache: Version 3.4.6
>>> configure options: '--prefix=/opt' '--enable-icap-client' '--enable-ssl' '--enable-linux-netfilter' '--enable-follow-x-forwarded-for' '--with-large-files' '--sysconfdir=/opt/etc/squid'
>>>
>>> Any assistance with troubleshooting would be wonderful...thank you.
>>>
>>> James
>>>
>>>
>>> $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>> $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 443 -j REDIRECT --to-port 3129
>>>
>>>
>>> acl localnet src 192.168.1.0/24
>>>
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>>
>>> acl CONNECT method CONNECT
>>> acl broken_sites dstdomain textnow.me
>>> acl broken_sites dstdomain akamaiedge.net
>>> acl broken_sites dstdomain akamaihd.net
>>> acl broken_sites dstdomain apple.com
>>> acl allowed_sites url_regex "/opt/etc/squid/url.txt"
>>> acl all_others dst all
>>> acl SSL method CONNECT
>>>
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>>
>>> http_access allow manager localhost
>>> http_access deny manager
>>>
>>> http_access allow allowed_sites
>>> http_access deny all_others
>>> http_access allow localnet
>>> http_access allow localhost
>>>
>>> http_access deny all
>>> icp_access deny all
>>>
>>> sslproxy_cert_error allow broken_sites
>>> sslproxy_cert_error deny all
>>>
>>> sslproxy_options ALL
>>> ssl_bump none broken_sites
>>> ssl_bump server-first all
>>>
>>> http_port 192.168.1.253:3128 intercept
>>> https_port 192.168.1.253:3129 intercept ssl-bump generate-host-certificates=on cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key options=ALL sslflags=NO_SESSION_REUSE
>>>
>>> always_direct allow all
>>>
>>>
>>> hierarchy_stoplist cgi-bin ?
>>>
>>> access_log syslog:daemon.info common
>>>
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i (cgi-bin|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>>
>>> icp_port 3130
>>>
>>> coredump_dir /opt/var
>>>
>
> Ah good catch thank you. I've seen expensive proxy appliances just tunnel the traffic through, but they get the host and domain name to all control...which is really all I'm wanting to do is control what sites are allowed. I'll give your suggestions a go...thank you.
>
> James
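The `dst`-based exemption Dan describes, written out as an added squid.conf fragment for the 3.4 intercept setup in the thread (this is not from the thread itself); the address blocks are the ones he quotes, and the rest of the posted config is assumed to stay as James wrote it:

```squid
# Posted form. On an intercepted HTTPS connection Squid only knows the
# destination IP before bumping, so these hostname ACLs cannot match the
# intended sites and the exemption never takes effect.
# acl broken_sites dstdomain apple.com
# acl broken_sites dstdomain akamaiedge.net
# acl broken_sites dstdomain akamaihd.net

# Replacement: match the destination address instead. Blocks as quoted
# in the thread: Apple 17.0.0.0/8, Akamai 23.0.0.0/12.
acl broken_sites dst 17.0.0.0/8
acl broken_sites dst 23.0.0.0/12

# ssl_bump rules are evaluated in order and the first match wins, so the
# exemption must stay ahead of the catch-all, as in the posted config.
ssl_bump none broken_sites
ssl_bump server-first all
```

Because the exemption now keys on address blocks rather than names, every site served from those ranges (a CDN block in particular) is tunnelled without inspection, so the list should be kept as narrow as the broken applications require.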