Hi Tom,
How did you succeed in filtering https traffic? using http_access.. or
the way James did it, using domainname only ?
Tom Mowbray wrote on 06/25/2015 02:06 PM:
James,
Thank for for your help. Now that I have a better understanding of how
the https traffic is handled, I've been able to get things working as
intended.
---------------------------------
Tom Mowbray
/tmowbray@xxxxxxxxxx/ <mailto:tmowbray@xxxxxxxxxx>
/703-829-6694/
On Wed, Jun 24, 2015 at 2:05 PM, James Lay <jlay@xxxxxxxxxxxxxxxxxxx
<mailto:jlay@xxxxxxxxxxxxxxxxxxx>> wrote:
On 2015-06-24 11:46 AM, Tom Mowbray wrote:
James,
Yes, as a matter of fact I have read through those exact posts and
modeled my config very similarly. What I have found is that,
however,
when the line "http_access allow SSL_ports" is placed above the
ssl_bump stuff and other acl's (as you have it), it seems to simply
allow ALL https without doing any filtering whatsoever.
Thanks for the response.
---------------------------------Tom Mowbray
_tmowbray@dalabs.com_
_703-829-6694 <tel:703-829-6694>_
On Wed, Jun 24, 2015 at 1:31 PM, James Lay
<jlay@xxxxxxxxxxxxxxxxxxx <mailto:jlay@xxxxxxxxxxxxxxxxxxx>>
wrote:
On 2015-06-24 09:41 AM, Tom Mowbray wrote:
Squid 3.5.5
I seem to have some confusion about how acl lists are
processed
in
squid.conf regarding the handling of SSL (HTTPS) traffic,
attempting
to use ssl_bump directives with transparent proxy.
Based on available documentation, I believe my squid.conf is
correct,
however it never seems to actually behave as expected.
I define the SSL port, as usual:
acl SSL_ports port 443
But here's where my confusion lies... Many state to
place the
following line above the ssl_bump configuration lines:
http_access allow SSL_ports
However when I do this, it appears to simply stop
processing any
other
rules and allows ALL https traffic through the proxy
(which is
actually how I'd expect a standard ACL list to operate,
but then
how
do I actually filter the traffic though our
content-based ACL
lists?).
If I put the above line below the ssl_bump configuration
options
in
my squid.conf, then it appears to BUMP all, even though
I've told
the
config to SPLICE all https traffic, which doesn't work
for our
deployment.
So, does squid actually continue to process the https
traffic
using
the ssl_bump rules if the "http_access allow SSL_ports"
line is
placed
above it in the configuration?
I should note that we've been able to get filtering to work
correctly
when using our configuration in NON-transparent mode,
however our
goal
is get this functionality working as a transparent
proxy. We're
unable to load our self-signed cert onto client machines
that
will be
accessing the proxy, so using the "bump" or
man-in-the-middle
style
https filtering isn't a viable option for us.
Any help or advice is appreciated!
Thanks,
Tom
Tom,
You kinda have to change the way you think about filtering
when it
comes to Squid 3.5.5 and SSL(TLS). Normal http traffic is
easy....here's where we're trying to go and here's a list of
place
we're alloed to go...simple.
Not so with SSL(TLS). Squid can't filter, since Squid may or may
not know where we're going...and that's the issue..it's
where those
ssl_bump atStep ACL's come in. Some sites when you connect
to them
are easy-ish..when you connect your device sends a "Server Name
Information" (SNI) that says where you're going. Other sites
don't
have any information until you complete the SSL handshake
(how can
you filter a site name, until squid KNOWS the site or at least
domain name?).
If you're still wanting to go through with transparent
(intercept)
proxy with SSL, search through the list for my SSL Deep dive
posts...that config is working for me so far (granted, not in an
enterprise environment). However, as Amos said,....if you choose
not to install the cert on the client machines, you are
either a)
going to be out of luck on LOT'S of websites because they
will fail
the SSL handshake, or b) teaching your users to ignore the
security
warnings of their browser's....neither of which is a good thing.
Hope that helps.
James
Tom,
You are right...that absolutely will allow all SSL initially...the
filtering is down lower in the config here:
With single list of regex sites/domains like \.google\.com...peek,
splice, no bump...I'm currently using this config section.
############################################################################
ssl_bump peek step1 all
ssl_bump peek step2 all
acl allowed_https_sites ssl::server_name_regex
"/opt/etc/squid/http_url.txt"
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate all
With broken acl list of networks list 208.85.40.0/21
<http://208.85.40.0/21>
###########################################################################
ssl_bump peek step1 broken
ssl_bump peek step2 broken
ssl_bump splice broken
ssl_bump peek step1 all
ssl_bump peek step2 all
acl allowed_https_sites ssl::server_name_regex
"/opt/etc/squid/http_url.txt"
ssl_bump bump allowed_https_sites
ssl_bump terminate all
In both configs above, the SNI and server names are checked, bounced
off the http_url.txt list, and if the site/domain is NOT in the list
the ssl session is terminated. The big drag is, you won't be able
to see that in the squid logs. I have a bug open ( I don't remember
the number :( ) to show this in the logs...so far in my setup I only
see the first peek, nothing after that. You can test the above
setups with:
openssl s_client -connect x.x.x.x:443
The above will test with no SNI...these look like the below in the logs:
Jun 24 11:35:08 gateway (squid-1): 192.168.1.101 - -
[24/Jun/2015:11:35:08 -0600] "CONNECT 31.13.76.101:443
<http://31.13.76.101:443> HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST peek
wget -d --ca-certificate=<your.cert.file)
The above WILL send an SNI...which you should see in your logs as:
Jun 24 12:01:44 gateway (squid-1): 192.168.1.101 - -
[24/Jun/2015:12:01:44 -0600] "CONNECT 172.230.156.79:443
<http://172.230.156.79:443> HTTP/1.1" device-api.urbanairship.com
<http://device-api.urbanairship.com> - 200 0 TAG_NONE:ORIGINAL_DST peek
Hope that helps.
James
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
--
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
