Re: Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

See below. Nothing else too interesting. Those four lines were the key.

http_port 3128
http_port 3180 intercept
https_port 3443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB  cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 16MB
sslcrtd_children 10
logformat dig %{%Y-%m-%d %H:%M:%S}tl  %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A "%{User-Agent}>h"
logfile_rotate 10
access_log /var/log/squid/access.log dig
pinger_enable off

acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
ssl_bump server-first step2 all

acl SSL_ports port 443
acl Safe_ports port 80 443  
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

http_access allow all
http_access deny all

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320





-----------
Daniel I Greenwald
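The four ssl_bump lines above only work because step 1 peeks before step 2 bumps. As an added example (not code from the thread or from the Squid project), here is a small Python lint that reads the at_step ACLs and ssl_bump rules out of a squid.conf and reports which action Squid would take at SslBump1 and SslBump2, flagging a config whose first matching rule at step 1 already bumps (the pre-3.5 `ssl_bump server-first all` style, which never sees the SNI). The first-match ACL evaluation and the treatment of non-step ACLs as always matching are simplifying assumptions of this checker.

```python
# Added example, not part of the thread: a lint for the ssl_bump rules in a
# squid.conf. Squid 3.5 re-evaluates ssl_bump rules at every SslBump step and
# takes the first rule whose ACLs match; the SNI is only known after a
# peek/stare at step 1, so a bumping rule that already matches at step 1 sees
# nothing but the TCP destination IP and mimics a certificate for that IP.
PEEKING = {"peek", "stare"}


def parse_bump_rules(conf_text):
    """Return (step_acls, rules): step_acls maps ACL name -> 'SslBumpN',
    rules is the list of (action, [acl, ...]) in file order."""
    step_acls, rules = {}, []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "at_step":
            step_acls[parts[1]] = parts[3]
        elif len(parts) >= 2 and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:]))
    return step_acls, rules


def effective_action(step, step_acls, rules):
    """First ssl_bump action that can match at `step` (e.g. 'SslBump1').
    Assumption: non-step ACLs (all, dstdomain, ...) match; a step ACL for
    another step, or a negated ACL for this step, excludes the rule."""
    for action, acls in rules:
        excluded = any(
            (step_acls[a.lstrip("!")] == step) == a.startswith("!")
            for a in acls if a.lstrip("!") in step_acls)
        if not excluded:
            return action
    return "none"  # no rule matched: Squid does not bump


def check_bump_config(conf_text):
    """Return (step1_action, step2_action, findings). An empty findings list
    means step 1 peeks for the SNI before step 2 decides what to do."""
    step_acls, rules = parse_bump_rules(conf_text)
    step1 = effective_action("SslBump1", step_acls, rules)
    step2 = effective_action("SslBump2", step_acls, rules)
    findings = []
    if step1 not in PEEKING:
        findings.append(f"step 1 action is '{step1}', not peek/stare: the SNI "
                        "is never read, so mimicked certs carry only the IP")
    return step1, step2, findings


# Constructed samples: the pre-3.5 one-liner and the four lines from the thread.
OLD_STYLE = "ssl_bump server-first all\n"
FIXED = ("acl step1 at_step SslBump1\nacl step2 at_step SslBump2\n"
         "ssl_bump peek step1 all\nssl_bump server-first step2 all\n")

if __name__ == "__main__":
    for name, conf in (("old", OLD_STYLE), ("fixed", FIXED)):
        print(name, check_bump_config(conf))
```

Run it against your own squid.conf text to see which action wins at each step; anything other than peek/stare at step 1 reproduces the IP-only certificates described in this thread.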



On Mon, Jan 26, 2015 at 3:28 AM, Rafael Akchurin <rafael.akchurin@xxxxxxxxxxxx> wrote:

Hello Daniel, Yuri


May be you could dump your whole squid.conf here (please remove any sensitive details).

I still cannot understand once Squid has the target server hostname from SNI - where is the acl/rule in squid.conf that can be used with this info present?


Best regards,

Rafael



From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf of Daniel Greenwald <dig@xxxxxxxxxxx>
Sent: Monday, January 26, 2015 5:39 AM
To: Yuri Voinov
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Why 3.5.0.4 generates mimicked certs with server IP only when bumping?
 
Thank you Amos,
Based on your explanation I was able to make bumping work for transparent with no browser errors in 3.5.1 by using the following. If I understand correctly, this is actually what's required to mimic the behavior of pre-3.5 (sslbump server-first all):

acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1 all
ssl_bump server-first step2 all

Hope that helps Yuri or anyone else with this issue.

PS So far this is working great for e.g. gmail.com, which in previous versions would throw browser errors!

-----------
Daniel I Greenwald



On Fri, Jan 9, 2015 at 2:51 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:

How can that be?

All HSTS sites cry with the 3.5 bump option - they don't like the host IP as CN;
other sites' behaviour depends on their (and browsers') settings.

Is it possible to keep server-first behaviour in 3.5.x ?

WBR, Yuri

09.01.2015 16:57, Amos Jeffries wrote:
> On 9/01/2015 11:45 p.m., Yuri Voinov wrote:
>
> > I have working production 3.4.10 with working ssl bumping.
>
> > Config was the same as working 3.4.10. I've just want to take a
> > look on new release.
>
> > in squid.documented said, than backward compatibility server-first
> > and none options for ssl_bump are kept.
>
> > But:
>
> > Neither works with old syntax, nor new.
>
> > Looks like target https hosts not resolved and bump got only IP.
>
> The config values are still accepted, but there is an extra bumping
> stage now before the SNI is available.
>
> You are wanting to peek at stage 1 (to get the client SNI details) and
> server-first/splice at stage 2 (using the domain). Otherwise all Squid
> has to work with when intercepting are the TCP IPs.
>
> Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
