> acl s1_tls_connect at_step SslBump1
> acl s2_tls_client_hello at_step SslBump2
> acl s3_tls_server_hello at_step SslBump3
>
> acl tls_server_name_is_ip ssl::server_name_regex \
> ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
You have a letter 'n' on the end there; is that intentional?
It would seem so. I copied that from someone else's "peek-splice" directives that they said worked well for them. The actual regex in the perl script that writes squid.conf is "print FILE "acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$\n\n";".
> acl google ssl::server_name .google.com
> ssl_bump peek s1_tls_connect all
>
> acl nobumpSites ssl::server_name .wellsfargo.com
>
> ssl_bump splice s2_tls_client_hello nobumpSites
> ssl_bump splice s2_tls_client_hello google
>
> ssl_bump stare s2_tls_client_hello all
>
> ssl_bump bump s3_tls_server_hello all
>
> cache_peer forcesafesearch.google.com parent 443 0 \
> ssl name=GS originserver \
> no-query no-netdb-exchange no-digest
>
> acl search dstdomain .google.com
> cache_peer_access GS allow search
> cache_peer_access GS deny all
I think the fake-CONNECT Squid creates still has only raw-IP:port
details. And with splicing you don't have the decrypt to setup dstdomain
URL details.
For dstdomain you need to match what shows up in access.log as the URI
of these requests.
Does the "google" ACL work in cache_peer_access to use the SNI?
1441396051.210 62 10.3.3.100 TCP_MISS/503 3639 GET http://www.google.com/ - FIRSTUP_PARENT/216.239.38.120 text/html
1441396051.330 61 10.3.3.100 TCP_MISS/503 3640 GET http://www.google.com/favicon.ico - FIRSTUP_PARENT/216.239.38.120 text/html
1441396051.390 58 10.3.3.100 TCP_MISS/503 3672 GET http://www.google.com/favicon.ico - FIRSTUP_PARENT/216.239.38.120 text/html
1441396097.795 81 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396097.830 87 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.172:443 - ORIGINAL_DST/74.125.227.172 -
1441396098.115 93 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.175:443 - ORIGINAL_DST/74.125.227.175 -
1441396098.877 79 10.3.3.100 TCP_MISS/200 840 POST http://clients1.google.com/ocsp - ORIGINAL_DST/74.125.227.168 application/ocsp-response
1441396098.878 622 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.160:443 - HIER_NONE/- -
1441396098.878 621 10.3.3.100 TCP_TUNNEL/200 5123 CONNECT 74.125.227.160:443 - ORIGINAL_DST/74.125.227.160 -
1441396099.078 92 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.217:443 - ORIGINAL_DST/74.125.227.217 -
1441396099.189 106 10.3.3.100 TCP_MISS/200 809 GET https://googleads.g.doubleclick.net/pagead/drt/si?ogt=1&pli=1&auth=DQAAAMQAAAA4q0535ee2zf0UOZwVQ6_S4mSWjf5Kb4fXl9x3McqtJiWrkQIQToYoQiKlpOleH4gYm8RDSWUaDvvHLQqnRZUq0hgjBst5H7svmtOGMUQJWwIv_orC8WVMfxr91CPgT5DFQ-5IULxyQsXmTMj9gOrFQ6S3PA86VzwCr1buDy8gaOeX_wF-hzw52PmkI5fEDNXwc5rhvhFkZ0epUswSyOMIWKqbgKDwcM3MpxD8WsDKiPdKyTD7qlNjZfxKqKO2EBJD2pbu24zhvuCHX7baeaPt - ORIGINAL_DST/74.125.227.217 image/gif
1441396112.635 99 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.175:443 - ORIGINAL_DST/74.125.227.175 -
1441396114.575 85 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396123.684 92 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396124.205 87 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.175:443 - ORIGINAL_DST/74.125.227.175 -
1441396127.192 84 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.205:443 - ORIGINAL_DST/74.125.227.205 -
The flag DONT_VERIFY_PEER tells Squid not to even bother checking any
security on the outgoing server connection when going DIRECT (not to the
cache_peer). Making the sslproxy_cert_error rules useless.
You've mentioned this before. The problem is with my squid.conf if it doesn't have DONT_VERIFY_PEER ssl-bump does not work at all. Is there a better way to setup ssl-bump than what I have that doesn't use DONT_VERIFY_PEER?
visible_hostname smoothwallu3
# Uncomment the following to send debug info to /var/log/squid/cache.log
#debug_options ALL,1 33,2 28,9
# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.3.3.1
acl localnetgreen src 10.3.3.0/24
acl SSL_ports port 445 443 441 563
acl Safe_ports port 80 # http
acl Safe_ports port 81 # smoothwall http
acl Safe_ports port 21 # ftp
acl Safe_ports port 445 443 441 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access
# ----------------------------------------------------------------
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnetgreen
http_access allow CONNECT localnetgreen
http_access allow localhostgreen
http_access allow CONNECT localhostgreen
# http_port and https_port
#----------------------------------------------------------------------------
# For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127
http_port 10.3.3.1:800 intercept
https_port 10.3.3.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
http_port 127.0.0.1:800 intercept
sslproxy_session_cache_size 4 MB
ssl_bump none localhostgreen
acl s1_tls_connect at_step SslBump1
acl s2_tls_client_hello at_step SslBump2
acl s3_tls_server_hello at_step SslBump3
acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
acl google ssl::server_name .google.com
ssl_bump peek s1_tls_connect all
ssl_bump splice s2_tls_client_hello google
ssl_bump stare s2_tls_client_hello all
ssl_bump bump s3_tls_server_hello all
cache_peer forcesafesearch.google.com parent 443 0 ssl name=GS originserver no-query no-netdb-exchange no-digest
acl search dstdomain .google.com/imghp
cache_peer_access GS allow search
cache_peer_access GS deny all
sslproxy_cert_error allow tls_server_name_is_ip
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5
http_access deny all
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
# CACHE OPTIONS
# ----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid
cache_swap_high 100
cache_swap_low 80
cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB
cache_dir diskd /var/spool/squid/cache 1024 16 256
maximum_object_size 33 MB
minimum_object_size 0 KB
request_body_max_size 0 KB
# OTHER OPTIONS
# ----------------------------------------------------------------------------
#via off
forwarded_for off
pid_filename /var/run/squid.pid
shutdown_lifetime 10 seconds
#icp_port 3130
half_closed_clients off
umask 022
logfile_rotate 0
strip_query_terms off
On Fri, Sep 4, 2015 at 2:09 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 5/09/2015 5:48 a.m., Stanford Prescott wrote:
> I have tried to enable safe searching with Squid 3.5.7 using ssl-bump
> splice but when I enable it, browsing to https://google.com generates a
> Squid error page saying there is no valid certificate. Browsing to all
> other https sites loads the pages correctly and all other SSL-bump sites
> get bumped and displayed correctly.
>
> Has anyone had any luck getting this to work? Here is the relevant
> squid.conf entries
>
Please use 3.5.8. The ssl_bump behaviour got some more important fixes
recently.
>
> acl s1_tls_connect at_step SslBump1
> acl s2_tls_client_hello at_step SslBump2
> acl s3_tls_server_hello at_step SslBump3
>
> acl tls_server_name_is_ip ssl::server_name_regex \
> ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
You have a letter 'n' on the end there; is that intentional?
>
> acl google ssl::server_name .google.com
> ssl_bump peek s1_tls_connect all
>
> acl nobumpSites ssl::server_name .wellsfargo.com
>
> ssl_bump splice s2_tls_client_hello nobumpSites
> ssl_bump splice s2_tls_client_hello google
>
> ssl_bump stare s2_tls_client_hello all
>
> ssl_bump bump s3_tls_server_hello all
>
> cache_peer forcesafesearch.google.com parent 443 0 \
> ssl name=GS originserver \
> no-query no-netdb-exchange no-digest
>
> acl search dstdomain .google.com
> cache_peer_access GS allow search
> cache_peer_access GS deny all
I think the fake-CONNECT Squid creates still has only raw-IP:port
details. And with splicing you don't have the decrypt to setup dstdomain
URL details.
For dstdomain you need to match what shows up in access.log as the URI
of these requests.
Does the "google" ACL work in cache_peer_access to use the SNI?
>
> sslproxy_cert_error allow tls_server_name_is_ip
>
> sslproxy_cert_error deny all
> sslproxy_flags DONT_VERIFY_PEER
>
The flag DONT_VERIFY_PEER tells Squid not to even bother checking any
security on the outgoing server connection when going DIRECT (not to the
cache_peer). Making the sslproxy_cert_error rules useless.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
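As an added example (not code from this thread or from Squid), here is a small Python check of two points raised above: the `tls_server_name_is_ip` regex as it landed in squid.conf versus the one the perl print statement was meant to emit, and why a `dstdomain .google.com` ACL cannot match the raw-IP:port CONNECT URIs in the posted access.log extract. The two log lines are copied from that extract; the ACL matching logic is a deliberate simplification of Squid's, assumed here only to illustrate the point.

```python
import re

# Regex exactly as it ended up in the posted squid.conf. Inside a Perl
# double-quoted string "\." is reduced to "." and "$\" is interpolated as the
# output record separator variable, which leaves the bare literal "n" that
# Amos spotted at the end of the ACL.
BROKEN_IP_RE = r"^[0-9]+.[0-9]+.[0-9]+.[0-9]+n"
# Regex the perl script was meant to write.
INTENDED_IP_RE = r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$"


def sni_is_ip(server_name: str, pattern: str = INTENDED_IP_RE) -> bool:
    """Mimic 'ssl::server_name_regex' by applying the pattern to the SNI."""
    return re.search(pattern, server_name) is not None


def dstdomain_matches(uri: str, suffix: str = ".google.com") -> bool:
    """Mimic 'acl search dstdomain .google.com' on the URI Squid logged.

    A leading dot matches the domain and every subdomain. A bare IP:port host
    (what a fake CONNECT carries while Squid only peeks or splices) never
    matches. Simplification: Squid's optional reverse-DNS lookup for IP hosts
    is not modelled here.
    """
    host = re.sub(r"^[a-z]+://", "", uri).split("/", 1)[0].split(":", 1)[0]
    return host == suffix.lstrip(".") or host.endswith(suffix)


# Two lines copied from the access.log extract posted earlier in the thread.
SAMPLE_LOG = """\
1441396051.210 62 10.3.3.100 TCP_MISS/503 3639 GET http://www.google.com/ - FIRSTUP_PARENT/216.239.38.120 text/html
1441396097.795 81 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
"""


def classify_log(log: str):
    """Return (method, uri, dstdomain_hit) for each native-format log line."""
    out = []
    for line in log.splitlines():
        fields = line.split()
        method, uri = fields[5], fields[6]   # request method and URI columns
        out.append((method, uri, dstdomain_matches(uri)))
    return out


if __name__ == "__main__":
    print("intended regex on raw-IP SNI:", sni_is_ip("74.125.227.191"))
    print("broken regex on raw-IP SNI:  ", sni_is_ip("74.125.227.191", BROKEN_IP_RE))
    for method, uri, hit in classify_log(SAMPLE_LOG):
        print(f"{method:8} {uri:32} dstdomain .google.com -> {hit}")
```

The CONNECT line shows the situation Amos describes: during peek/splice the logged URI is only `74.125.227.191:443`, so a `dstdomain` ACL used in `cache_peer_access` has nothing but an IP to match, while the broken regex never flags that SNI as an IP either.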