Search squid archive

Re: SSL Peek and Splice

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, 2015-10-01 at 13:26 +0200, Job wrote: 
Hello,

by reading the 3.5 Squid verson "Peek and splice" features:
http://wiki.squid-cache.org/Features/SslPeekAndSplice

i would like to ask you two questions, please:

1. in this implementations, i have to install the selfmade Certification Authority as for SSL Bump?
2. how can i block domain (dstdomain with squid) with Peek and Splice? It seems not possible by reading the document

Thank you for your patience and many thanks!

Francesco
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

I've found that with peek/splice, instead of stare/bump, I did not need to install the certificate on the end device (daughter got a new phone and I forgot to install it...still worked anyway...cool).

Config below for exactly what you're wanting...change netblocks to what you're using and change cert locations and what not.  Before just doing a copy/paste and go, I would recommend reading the docs to get a better understanding of what the below directives mean.  The file http_url.txt is regex so it will have entries like \.apple\.com.

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all

sslproxy_capath /etc/ssl/certs

sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

access_log syslog:daemon.info mine

refresh_pattern -i (cgi-bin|\?) 0       0%      0
refresh_pattern .               0       20%     4320

coredump_dir /opt/var

James 
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux