To finalize a solution, see our favorite:

http://www.squid-cache.org/mail-archive/squid-users/201406/0369.html

Why use iptables, ipfilter, Cisco, etc?! Only Squid, only hardcore!

Revert cisco config back:

R2911(config)#no access-list 121
R2911(config)#access-list 121 remark ACL for HTTPS WCCP
R2911(config)#access-list 121 remark Squid proxies bypass
R2911(config)#access-list 121 deny ip host 192.168.200.3 any
R2911(config)#access-list 121 deny ip host 192.168.100.251 any
R2911(config)#access-list 121 remark Videoserver
R2911(config)#access-list 121 deny ip host 192.168.200.5 any
R2911(config)#access-list 121 remark LAN clients proxy port 443
R2911(config)#access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
R2911(config)#access-list 121 remark all others bypass WCCP
R2911(config)#access-list 121 deny ip any any
R2911(config)#^Z
R2911#wr
Building configuration...
[OK]

Write acl file with IP/net with SSL Pinning:

root @ ktulhu /usr/local/squid/etc # cat dst.nobump
# BCC bypass
91.198.63.0/24
# Salyk bypass
212.154.165.148/32
# WU bypass
191.232.0.0/13
65.52.0.0/14
# Symantec bypass
195.215.221.99/32
195.215.221.104/32
213.248.114.172/32
213.248.114.173/32
213.248.114.174/32
213.248.114.175/32
77.67.22.168/32
77.67.22.171/32
77.67.22.173/32
213.248.114.171/32

Add needful nets/apps to acl by your taste.

Add to squid config:

# SSL bump acl
acl net_bump src "/usr/local/squid/etc/net.bump"
# HTTP-use 443 port apps
acl url_nobump dstdom_regex \.icq\.*
# SSL Pinning servers. Only ip-based dst acl!
acl dst_nobump dst "/usr/local/squid/etc/dst.nobump"

# SSL bump rules
sslproxy_cert_error allow all
ssl_bump none localhost
ssl_bump none url_nobump
ssl_bump none dst_nobump
ssl_bump server-first net_bump

Yahooo! The same result with Squid only!

30.12.2014 23:39, Rafael Akchurin wrote:
> SSL Pinning
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
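Added example, not part of the original post and not Squid code: a small Python check for the dst.nobump file and the ssl_bump rule order shown in the message above. It rejects malformed CIDR entries before they reach the proxy and reports which rule a given connection would hit first. The net.bump contents, the function names and the test addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample inputs: DST_NOBUMP repeats part of the dst.nobump file
# from the post; NET_BUMP is an assumed net.bump (the post does not show it).
DST_NOBUMP = """\
# BCC bypass
91.198.63.0/24
# WU bypass
191.232.0.0/13
65.52.0.0/14
# Symantec bypass
195.215.221.99/32
"""
NET_BUMP = "192.168.0.0/16\n"
URL_NOBUMP = re.compile(r"\.icq\.*")  # dstdom_regex from the post


def load_nets(text):
    """Parse an ACL file: one IP/CIDR per line, '#' lines are comments.
    strict=True rejects entries with host bits set (e.g. 10.1.2.3/8)."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return nets


def ssl_bump_action(src, dst, host=None, dst_nobump=None, net_bump=None):
    """Return the action of the first matching ssl_bump rule, in the order
    given in the post. host is None when only the destination IP is known."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dst_nobump = load_nets(DST_NOBUMP) if dst_nobump is None else dst_nobump
    net_bump = load_nets(NET_BUMP) if net_bump is None else net_bump
    rules = [
        ("none", src.is_loopback),                          # localhost
        ("none", bool(host and URL_NOBUMP.search(host))),   # url_nobump
        ("none", any(dst in n for n in dst_nobump)),        # dst_nobump
        ("server-first", any(src in n for n in net_bump)),  # net_bump
    ]
    for action, matched in rules:
        if matched:
            return action
    return None  # no rule in the list matched this connection
```

Running load_nets over the real file before reloading Squid catches a mistyped prefix length, and ssl_bump_action makes it easy to confirm that a pinned destination is matched by a bypass rule ahead of the net_bump rule.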