On Tue, 2014-11-04 at 12:32 +0200, Christos Tsantilas wrote:
> On 11/03/2014 03:00 PM, James Lay wrote:
> >
> > Thanks Christos,
> >
> > So here's where I'm at...my full test config below:
> > ......
> > ......
> >
> > logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
>
> The %ssl::>cert_subject will print the subject of the client certificate, if there is any. In most cases the client does not send any certificate.
> Logging the server certificate subject is not yet implemented.
>
> >
> > The above works, but allows all sites regardless of what's in url.txt.
>
> If you want to use a list of urls to restrict sites which should be bumped you should use an external_acl helper.
> You can send to the external_acl helpers the client SNI information (on at_step SslBump2) and/OR the server certificate subject (on at_step SslBump3).
>
> > Additionally, there's no logging of any kind. The allow part makes sense as this is the last ACL, the no logging part is confusing. If I add:
> >
> > acl broken_sites dst 69.25.139.128/25
> > acl .....
> > .....
> >
> > and change to
> >
> > ssl_bump peek step1 broken_sites
> > ssl_bump peek step2 broken_sites
> > ssl_bump splice step3 broken_sites
>
> This will splice any connection to broken_sites and will not bump any other request.
>
> >
> > that works, but again...I get no logging, which is worse than "ssl_bump splice broken_sites", and defeats the purpose of trying to avoid having to create the broken_sites ACL in the first place. Lastly, if I try and change splice to peek or bump it's broken with odd log entries such as:
>
> It will help if you describe what you are trying to do.
> The acl broken_sites includes only IP addresses. It looks like the peek-and-splice is not needed in your application.
> You can just use "ssl_bump none broken_sites"
>
> >
> > Nov 3 05:45:23 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:23 -0700] "GET https://www.google.com/ HTTP/1.1" 503 3854 TAG_NONE:HIER_NONE -
> > Nov 3 05:45:31 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:31 -0700] "CONNECT 206.190.36.45:443 HTTP/1.1" 403 3402 TCP_DENIED:HIER_NONE -
> > Nov 3 05:45:31 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:31 -0700] "#026#003#001 %BB/%CESsJ%B3%C2%BC%CC%BD%90 HTTP/1.1" 400 3577 TAG_NONE:HIER_NONE -
> >
> > Is there something I am missing? I've been really reading through the squid site, but I can't find any examples of peek splice. Thank you.
> >
> > James

Thanks a bunch Christos,

That list of IPs is things like apple.com, textnow.me, and Windows updates...IPs that simply don't bump well. My setup is a Linux box that's a router...one NIC internal IP, the other external IP. Via iptables redirect, I'm transparently intercepting the web traffic of a few devices, only allowing them access to the list of sites in url.txt. At issue with using the broken_sites list is that I have to just specify large chunks of netblocks, which I lose control and visibility of. What I'm really hoping for is a way for squid to be able to, in my case at least, look at either the server_name extension in the Client Hello, or, if that's not present, look at the dNSName of the certificate being sent, check the access against url.txt, and either allow or deny. ssl_bump does work well for most sites...and I understand we are performing a man in the middle attack so it's not supposed to be easy. Again, my hope isn't really to perform a MITM...more of an access control type thing.

Thanks again Christos...I hope I explained this well enough.

James
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
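The external_acl helper Christos suggests, fed the client SNI at SslBump2 and the server certificate subject at SslBump3 and checked against url.txt, worked through as an added example; this is my code, not from the thread or the Squid project. It assumes Squid's external_acl_type format codes %ssl::>sni and %ssl::<cert_subject, a "-" placeholder for a value Squid does not know yet, URL-encoded helper input, and that url.txt is a dstdomain-style list.

```python
import sys
from urllib.parse import unquote
# Assumed squid.conf fragment (not from the thread). Squid hands the helper one
# line per lookup, "<sni> <server cert DN>", with '-' for a value not known yet:
#   external_acl_type tls_allow %ssl::>sni %ssl::<cert_subject /usr/local/bin/tls_allow.py /etc/squid/url.txt
#   acl tls_allowed external tls_allow
#   acl step1 at_step SslBump1
#   acl step2 at_step SslBump2
#   ssl_bump peek step1          # read the client hello
#   ssl_bump splice tls_allowed  # SNI allowed (step 2) or certificate CN allowed (step 3)
#   ssl_bump peek step2          # undecided after the hello: fetch the server certificate
#   ssl_bump terminate all
DEFAULT_ALLOW = [".google.com", "textnow.me"]  # constructed; production reads url.txt

def cn_from_dn(dn):
    # OpenSSL one-line ("/C=US/CN=host") or RFC 4514 ("CN=host, O=...") DN; '/' inside a value is not handled
    for part in dn.replace("/", ",").split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().lower()
    return None

def host_allowed(host, allowlist):
    # dstdomain semantics: ".example.com" matches example.com and any subdomain; other entries match exactly
    host = host.lower().rstrip(".")
    for entry in allowlist:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def decide(line, allowlist):
    # Prefer the SNI; use the certificate CN only when no SNI was sent; deny while neither is known (step 1)
    fields = [unquote(t) for t in line.split()]  # Squid URL-encodes values (assumed default quoting)
    sni = fields[0] if fields and fields[0] != "-" else None
    dn = fields[1] if len(fields) > 1 and fields[1] != "-" else None
    host = sni or (cn_from_dn(dn) if dn else None)
    return "ERR" if host is None else ("OK" if host_allowed(host, allowlist) else "ERR")

def main():
    path = sys.argv[1] if len(sys.argv) > 1 else None
    allowlist = [l.strip().lower() for l in open(path) if l.strip()] if path else DEFAULT_ALLOW
    for line in sys.stdin:  # one lookup per line; the reply must be flushed immediately
        sys.stdout.write(decide(line, allowlist) + "\n")
        sys.stdout.flush()
if __name__ == "__main__":
    main()
```

A connection that the SNI check has already rejected at step 2 is peeked once more and rejected again at step 3 even if the certificate CN is on the list, which is the SNI-first behaviour James describes.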