Search squid archive

Re: Squid 3 SSL bump: Google drive application could not connect

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Sure.

Squid 3 WCCP key config part:

# WCCPv2 parameters
wccp2_router 192.168.200.2
wccp2_forwarding_method l2
wccp2_return_method l2
wccp2_service standard 0
wccp2_rebuild_wait off
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=240 ports=443

Cisco config key parts:

!
ip wccp web-cache redirect-list 120
ip wccp 70 redirect-list 121
!
!
! This interface look to Squid proxy (internal networks on another interface)
interface GigabitEthernet0/1
 ip address 192.168.200.2 255.255.255.0
 ip wccp web-cache redirect out
 ip wccp 70 redirect out
 ip nbar protocol-discovery
 ip virtual-reassembly in
 duplex auto
 speed auto
!
access-list 120 remark ACL for HTTP WCCP
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny   ip host 192.168.200.3 any
access-list 120 remark LAN clients proxy port 80
access-list 120 permit tcp 192.168.0.0 0.0.255.255 any eq www
access-list 120 remark all others bypass WCCP
access-list 120 deny   ip any any
!
access-list 121 remark ACL for HTTPS WCCP
access-list 121 remark Squid proxies bypass
access-list 121 deny   ip host 192.168.200.3 any
access-list 121 remark LAN clients proxy port 443
access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
access-list 121 remark all others bypass WCCP
access-list 121 deny   ip any any
!

That's all. :)

31.12.2014 2:10, Rafael Akchurin пишет:
>
> Glad that it worked.
>
> May be useful to dump here your squid.conf to better understand how to configure squid to transparently work with wccp traffic coming from your Cisco router?
>
> Raf
>

>
> *From:*Yuri Voinov [mailto:yvoinov@xxxxxxxxx]
> *Sent:* Tuesday, December 30, 2014 8:48 PM
> *To:* Rafael Akchurin; squid-users@xxxxxxxxxxxxxxxxxxxxx
> *Subject:* Re: Squid 3 SSL bump: Google drive application could not connect
>

>
>
> Already found this lonely right post ;) I have Google-Fu too :) And it longer than you :)
>
> Anyway,
>
> all of these issues solved.
>
> I have snoop (not Windoze wireshark - all great things makes in console, ya!) and take a look on single client traffic during bumping.
>
> As I haven't iptables (no penguins, please!), but I have Cisco 2911, I pass some Windows Update, Symantec Update (which is not work too) bypassing Squid.
>
> Cisco is greatest. All others are probably suxx :)
>
> The complete solution looks like:
>
> access-list 121 remark ACL for HTTPS WCCP
> access-list 121 remark Squid proxies bypass
> access-list 121 deny   ip host 192.168.200.3 any
> access-list 121 remark WU bypass
> access-list 121 deny tcp any 191.232.0.0 0.7.255.255
> access-list 121 deny tcp any 65.52.0.0 0.3.255.255
> access-list 121 remark Symantec bypass
> access-list 121 deny tcp any host 195.215.221.99
> access-list 121 deny tcp any host 195.215.221.104
> access-list 121 deny tcp any host 213.248.114.172
> access-list 121 deny tcp any host 213.248.114.173
> access-list 121 deny tcp any host 213.248.114.174
> access-list 121 deny tcp any host 213.248.114.175
> access-list 121 deny tcp any host 77.67.22.168
> access-list 121 deny tcp any host 77.67.22.171
> access-list 121 deny tcp any host 77.67.22.173
> access-list 121 deny tcp any host 213.248.114.171
> access-list 121 remark LAN clients proxy port 443
> access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
> access-list 121 remark all others bypass WCCP
> access-list 121 deny   ip any any
>
> So, all others issue solves similar.
>
> Want to do something good - do it yourself!
>
> That's the way. :)
>
> 30.12.2014 23:39, Rafael Akchurin пишет:
>
>
>       > Hello Yuri,
>
>
>
>
>
>
>
>       > Luckily the same topic was just discussed on our forum –
>
>       please see if this can help
>
> https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ
>
>
>
>
>
>
>
>       > It describes the iptables settings for successful SSL bump
>
>       exclusions for Dropbox clients / Google Drive / iTunes (bypassing
>
>       SSL Bump because of SSL Pinning).
>
>
>
>
>
>
>
>       > Best regards,
>
>
>
>       > Raf
>
>
>
>
>
>
>
>       > *From:*squid-users
>
>       [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] *On Behalf Of
>
>      *Rafael Akchurin
>
>       > *Sent:* Tuesday, December 30, 2014 4:23 PM
>
>       > *To:* Yuri Voinov; squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>
>       > *Subject:* Re: Squid 3 SSL bump: Google drive
>
>       application could not connect
>
>
>
>
>
>
>
>       > ​Only exclusion from SSL Bump as far as I know.
>
>
>
>
>
>
>
>       > raf
>
>
>
>       > -------------------------
>
>
>
>       > *From:*Yuri Voinov <yvoinov@xxxxxxxxx <mailto:yvoinov@xxxxxxxxx>
>
>       <mailto:yvoinov@xxxxxxxxx> <mailto:yvoinov@xxxxxxxxx>>
>
>       > *Sent:* Tuesday, December 30, 2014 3:19 PM
>
>       > *To:* Rafael Akchurin; squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>
>       <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>
>       > *Subject:* Re: Squid 3 SSL bump: Google drive
>
>       application could not connect
>
>
>
>
>
>
>
>
>
>       > May be.
>
>
>
>       > Does workaround exists?
>
>
>
>       > 30.12.2014 20:09, Rafael Akchurin ?????:
>
>       > > SSL Pinning? (I know Dropbox does this)
>
>
>
>
>
>
>
>       > > my two cents only :)
>
>
>
>
>
>
>
>       > > Raf
>
>
>
>
>
>
>
>       > > ________________________________________
>
>
>
>       > > From: squid-users
>
>       <mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> <mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
>
>
>
>       > <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> <mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
>
>       <mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> <mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>on behalf
>
>       of Yuri Voinov <mailto:yvoinov@xxxxxxxxx> <mailto:yvoinov@xxxxxxxxx>
>
>
>
>       > <yvoinov@xxxxxxxxx> <mailto:yvoinov@xxxxxxxxx> <mailto:yvoinov@xxxxxxxxx> <mailto:yvoinov@xxxxxxxxx>
>
>
>
>       > > Sent: Tuesday, December 30, 2014 2:12 PM
>
>
>
>       > > To: <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>
>
>
>       > squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>
>       <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>
>
>
>       > > Subject: Squid 3 SSL bump: Google drive
>
>       application could not     connect
>
>
>
>
>
>
>
>       > > Hi gents,
>
>
>
>
>
>
>
>       > > I found strange issue.
>
>
>
>
>
>
>
>       > > Squid 3.4.10. Intercept. HTTPS bumping. All works fine.
>
>       All configs correct.
>
>
>
>
>
>
>
>       > > Whenever all web https sites works perfectly -
>
>       especially in Chrome,
>
>
>
>       > > most cloud clients works like charm (SpiderOak is!),
>
>       Google Drive client
>
>
>
>       > > application (PC) could not work.
>
>
>
>       > > Note: Web Google Docs works. Web Google drive works.
>
>
>
>
>
>
>
>       > > Note: Google support info - even I if pass dozen Google
>
>       URL's without
>
>
>
>       > > bump - cannot help. It doesn't work when server-first
>
>       bumping is on and
>
>
>
>       > > works othervise.
>
>
>
>
>
>
>
>       > > So, the Serious Question is: Why? :)
>
>
>
>
>
>
>
>       > > Any idea?
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>       > > _______________________________________________
>
>
>
>       > > squid-users mailing list
>
>
>
>       > > <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>
>
>
>       > squid-users@xxxxxxxxxxxxxxxxxxxxx <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>
>       <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>
>
>
>
>       > >
>
>       <http://lists.squid-cache.org/listinfo/squid-users> <http://lists.squid-cache.org/listinfo/squid-users>
>
>
>
>       > http://lists.squid-cache.org/listinfo/squid-users
>
>
>
>
>
>


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUowlmAAoJENNXIZxhPexG1ygH/RWXJIeFp4G/B39Ba/4yQ5XS
R/JmIkMaafDabBe5sPYVdwH7u25cIS7nKvVssme5TVmzcFAZuancr3ZV/ue9OtsH
jYwWSz/uHz76T6hKHmYB9uq3ESHQrasZ9WC2vfhYd0XR0mHxsn+zjPz34cKqlN5P
daeTbZGcrw/WyzJxMPRqjBX4nHNnvwb0mpo1htm3KS//yVdZMrNYMwqRR9DcBilE
rX5bkEjegnqmc7DM73XHu1Lz5SSeKCXttkcz2UAkP6aqRzAazjNBlObHASO9wYgq
RCsH/GvbNjJWyw7ZrvqxOnwOiMyJhV6L9h3uVM02NxsLzhnNutVl4dymzZHZf3Y=
=Ls1G
-----END PGP SIGNATURE-----

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux