Perfect thanks a lot!!!
Raf :)

From: Yuri Voinov [mailto:yvoinov@xxxxxxxxx]

> Just for me to completely clarify:
>
> - how exactly your Squid gets the traffic from your clients? (explicit proxy or cisco WCCP?)
>
> raf
>
> *From:* Yuri Voinov [mailto:yvoinov@xxxxxxxxx]
> *Sent:* Tuesday, December 30, 2014 9:16 PM
> *To:* Rafael Akchurin; squid-users@xxxxxxxxxxxxxxxxxxxxx
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
>
> To finalize a solution,
>
> see our favorite:
>
> http://www.squid-cache.org/mail-archive/squid-users/201406/0369.html
>
> Why use iptables, ipfilter, Cisco, etc?!
>
> Only Squid, only hardcore!
>
> Revert cisco config back:
>
> R2911(config)#no access-list 121
> R2911(config)#access-list 121 remark ACL for HTTPS WCCP
> R2911(config)#access-list 121 remark Squid proxies bypass
> R2911(config)#access-list 121 deny ip host 192.168.200.3 any
> R2911(config)#access-list 121 deny ip host 192.168.100.251 any
> R2911(config)#access-list 121 remark Videoserver
> R2911(config)#access-list 121 deny ip host 192.168.200.5 any
> R2911(config)#access-list 121 remark LAN clients proxy port 443
> R2911(config)#access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
> R2911(config)#access-list 121 remark all others bypass WCCP
> R2911(config)#access-list 121 deny ip any any
> R2911(config)#^Z
> R2911#wr
> Building configuration...
> [OK]
>
> Write acl file with IP/net with SSL Pinning:
>
> root @ ktulhu /usr/local/squid/etc # cat dst.nobump
> # BCC bypass
> 91.198.63.0/24
> # Salyk bypass
> 212.154.165.148/32
> # WU bypass
> 191.232.0.0/13
> 65.52.0.0/14
> # Symantec bypass
> 195.215.221.99/32
> 195.215.221.104/32
> 213.248.114.172/32
> 213.248.114.173/32
> 213.248.114.174/32
> 213.248.114.175/32
> 77.67.22.168/32
> 77.67.22.171/32
> 77.67.22.173/32
> 213.248.114.171/32
>
> Add needful nets/apps to acl by your taste.
>
> Add to squid config:
>
> # SSL bump acl
> acl net_bump src "/usr/local/squid/etc/net.bump"
> # HTTP-use 443 port apps
> acl url_nobump dstdom_regex \.icq\.*
> # SSL Pinning servers. Only ip-based dst acl!
> acl dst_nobump dst "/usr/local/squid/etc/dst.nobump"
>
> # SSL bump rules
> sslproxy_cert_error allow all
> ssl_bump none localhost
> ssl_bump none url_nobump
> ssl_bump none dst_nobump
> ssl_bump server-first net_bump
>
> Yahooo! The same result with Squid only!
>
> 30.12.2014 23:39, Rafael Akchurin wrote:
>
>> SSL Pinning
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
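
Added example, not part of the thread or of Squid itself: a small audit of a dst.nobump-style file that lists which entries exempt large address ranges from inspection and evaluates the IP-based ssl_bump rules quoted above in first-match order. The file contents are a constructed sample in the format shown in the message, the net.bump contents are an assumption (the thread does not show that file), the 256-address threshold is arbitrary, and the url_nobump dstdom_regex rule is left out.

```python
import ipaddress

# Constructed sample in the dst.nobump format shown above ('#' line = group label).
DST_NOBUMP = """\
# WU bypass
191.232.0.0/13
65.52.0.0/14
# Symantec bypass
195.215.221.99/32
77.67.22.168/32
"""
# Assumption: net.bump is not shown in the thread; the LAN range from ACL 121 is used.
NET_BUMP = "192.168.0.0/16\n"
LOCALHOST = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_acl_file(text):
    """Return [(label, network)]; a '#' line labels the entries that follow it."""
    label, entries = "unlabelled", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            label = line.lstrip("# ").strip()
            continue
        # strict=True raises ValueError on entries with host bits set (likely typos).
        entries.append((label, ipaddress.ip_network(line, strict=True)))
    return entries


def broad_entries(entries, max_addresses=256):
    """Entries that exempt more than max_addresses destinations from bumping."""
    return [(lbl, net) for lbl, net in entries if net.num_addresses > max_addresses]


def ssl_bump_action(src, dst, nobump, bump):
    """First match wins: none localhost, none dst_nobump, server-first net_bump."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LOCALHOST:
        return "none (localhost)"
    for label, net in nobump:
        if dst in net:
            return f"none ({label})"
    if any(src in net for _, net in bump):
        return "server-first"
    return "none (no rule matched)"
```
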