Search squid archive

3.5.4 need more help with peek and splice and external helper

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I have still been trying to get peek and splice to work. Specifically I want to allow the admins of our firewall distro to enter websites that they do not want to bump on the squid UI page. I have been fiddling with info that Amos and Nathan have provided me but with no success so far. Here is a snippet of squid.conf with most of the pertinent SSL configuration.

http_access allow localhostgreen
http_access allow CONNECT localhostgreen

# http_port and https_port
#----------------------------------------------------------------------------

http_port 192.168.100.1:800 intercept
https_port 192.168.100.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem

http_port 127.0.0.1:800 intercept

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_session_cache_size 4 MB

ssl_bump none localhostgreen

external_acl_type sni ttl=30 concurrency=60 children-max=3 children-startup=1 %ssl::>sni /var/smoothwall/mods/proxy/libexec/bumphelper

acl sni_exclusions external sni
acl tcp_level at_step SslBump1
acl client_hello_peeked at_step SslBump2

ssl_bump none localhostgreen

ssl_bump peek tcp_level all
ssl_bump splice client_hello_peeked sni_exclusions
ssl_bump bump all

sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5

These were provided by Nathan to try. He also provided an example helper script in python to try, but our distro doesn't grok python so I tried to get it translated to perl and this what I came up with.

#!/usr/bin/perl

# run loop until an empty read, which indicates the process should shut down.

while (<STDIN>)
{
  my ($concurrency_id, $sni) = split;

  if ($sni eq 'wellsfargo.com')
  {
     print "$concurreny_id OK\n";
  }
  else
  {
     print "$concurreny_id ERR\n";
  }
}

When I start Squid with this configuration, the helper script "bumphelper" gets loaded as a process along with squid and ssl_crtd. When I try to browse any SSL websites there is no connection and it times out. HTTP browsing is fine. When I remove those peek and splice related lines and add "ssl_bump server-first all" back to squid conf then bumping of SSL sites is successful.

I suspect my "bumphelper" script is not doing what I intend it to do.

Suggestions very welcome.

Stan

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux