On 05/01/15 15:44, Eliezer Croitoru wrote:

> A squid helper is nice but... a NFQUEUE helper that can verify if to
> FORWARD or BUMP the connection would be a better suited solution to my
> opinion.

Not sure if you're ignoring the ssl-peek work, but squid still needs to be able to "peek" in order for squid to know the actual HTTPS server name the client is connecting to before it's able to call any external helper/etc. As that involves understanding SSL (which is a huge chunk of code), that means it's not appropriate for a kernel solution; it has to be done at Layer-7 (i.e. squid, but not some app called by squid, as that's too late to see the data it needs).

E.g. after hearing how James Harper wrote his own external "https-tester" script, I've written my own and have been merrily testing it under squid-3.4.10 (i.e. not 3.5 with "peek").

In proxy mode it works great: the "https-tester" script is passed the DNS name and port, it manually uses curl to test that to ensure it's a real HTTPS server and returns OK, else it returns ERR, making squid fall back on passthrough/splice mode. That means it can detect non-SSL apps, as well as client-cert protected HTTPS webservers (which you also have to drop back to splice with; you can never successfully MiTM a client-cert based SSL session).

However, the moment you try to do transparent https proxy, things break. In that case, squid-3.4 only sees the destination IP, and "https_tester" can only try "curl -k https://ip.add.ress:port/", which only works for *some* webservers. A lot have WAFs on them and righteously ditch the incoming connection when they recognise the client (my script) doesn't know what their hostname is. E.g. any HTTPS site using cloudfront.net is in that category. Of course it still works, but in passthrough mode, which isn't the outcome we're after.

I'm going to have to look at squid-3.5 ;-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
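A helper in the shape Jason describes, written as an added example (this is not his or James Harper's "https-tester", nor squid project code): squid hands it "host port" lines, it probes the target with curl, and answers OK (bump) or ERR (leave spliced). The external_acl_type wiring, the helper path, the `--serve` flag and the absence of squid's `concurrency=` option are assumptions.

```shell
#!/bin/sh
# Squid-3.4 external ACL helper in the style of the "https-tester" above (added example).
# Assumed squid.conf wiring (hypothetical; no concurrency= option, so each request is a
# bare "host port" line and each reply a bare OK or ERR):
#   external_acl_type https_tester ttl=300 %DST %PORT /usr/local/bin/https-tester --serve
#   acl real_https external https_tester
#   ssl_bump server-first real_https
#   ssl_bump none all
# OK -> squid bumps the connection; ERR -> squid leaves it alone (splice/passthrough).
# Any doubt maps to ERR: a wrong ERR costs visibility, a wrong OK breaks the client.

CURL=${CURL:-curl}
TIMEOUT=${TIMEOUT:-5}

# probe HOST PORT: exit 0 if curl completes a TLS handshake and an HTTP exchange with
# HOST:PORT without presenting a client cert, non-zero otherwise (plain TCP services,
# client-cert-only servers, timeouts and refused connections all land here).
# -k: trust is not the question, only "does it speak HTTPS".
# --max-time keeps a black-holed port from stalling squid's helper slot.
probe() {
  "$CURL" -sk -o /dev/null --max-time "$TIMEOUT" "https://$1:$2/" >/dev/null 2>&1
}

# classify HOST PORT: prints OK or ERR. A missing or non-numeric field is ERR.
# Caveat from the message: in transparent mode squid-3.4 only knows the destination
# IP, so HOST is an address, curl sends no SNI, and SNI-dependent sites come back ERR.
classify() {
  host=$1 port=$2
  case "$port" in ''|*[!0-9]*) echo ERR; return ;; esac
  [ -n "$host" ] || { echo ERR; return; }
  if probe "$host" "$port"; then echo OK; else echo ERR; fi
}

# serve: the loop squid talks to, one reply line per request line, until EOF.
serve() {
  while read -r host port _; do
    classify "$host" "$port"
  done
}

if [ "${1:-}" = "--serve" ]; then serve; fi
```

Running it by hand (`printf 'www.example.com 443\n' | ./https-tester --serve`) shows the exact line squid will see for that destination.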