Not sure. I only bump Google for caching static content (and some
dynamic). In my setup I have much google-related traffic.

04.01.16 6:16, Alejandro Martinez wrote:
> Thanks again Yuri.
>
> I have tried blocking udp protocol on port 80 and 443 but without luck.
>
> Is it possible to make google sites work in transparent mode without
> bumping? Only splicing?
>
> Thanks
>
>
> 2016-01-03 10:11 GMT-03:00 Alejandro Martinez <ajm.martinez@xxxxxxxxx>:
>
>> Sorry my corrector.
>> I want to say that I am going to check blocking quic proto.
>>
>> Sorry
>> On 03/01/2016 10:10, "Alejandro Martinez" <ajm.martinez@xxxxxxxxx>
>> wrote:
>>
>>> Yuri
>>>
>>> Thanks.
>>>
>>> I amor.gringaus to checkpoint blocking quic.
>>>
>>> I can't put ca cert into clients because I don't have access but I do
>>> not want to bump, just allow almost everything and deny only a few
>>> sites.
>>>
>>> I will tell you my result.
>>> On 03/01/2016 06:22, "Yuri Voinov" <yvoinov@xxxxxxxxx> wrote:
>>>
>>>> Sure,
>>>>
>>>> my config is quite different.
>>>>
>>>> Also - did you put cache CA cert into clients? And - did you block
>>>> QUIC in your infrastructure? As described here:
>>>>
>>>> http://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol
>>>> ?
>>>>
>>>> 03.01.16 8:28, Alejandro Martinez wrote:
>>>>
>>>> Yuri
>>>>
>>>> Do you have something different in your config?
>>>>
>>>> Thanks
>>>> On 02/01/2016 17:18, "Yuri Voinov" <yvoinov@xxxxxxxxx> wrote:
>>>>
>>>>> Don't think so.
>>>>>
>>>>> Google's HTTPS's works for me without any alerts in Chrome :) With
>>>>> bump! ;)
>>>>>
>>>>> 03.01.16 2:12, Nir Krakowski wrote:
>>>>>
>>>>>> It's called certificate pinning:
>>>>>>
>>>>>> https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
>>>>>>
>>>>>> Nir.
>>>>>>
>>>>>> On Sat, Jan 2, 2016 at 9:11 PM, Alejandro Martinez
>>>>>> <ajm.martinez@xxxxxxxxx> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I'm using squid 3.5.12.
>>>>>>>
>>>>>>> This is my relevant config:
>>>>>>>
>>>>>>> http_port 881
>>>>>>> http_port 880 intercept
>>>>>>> https_port 843 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem key=/usr/local/squid/etc/cert.pem options=NO_SSLv3:NO_SSLv2 cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
>>>>>>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/etc/ssl/certs -M 4MB
>>>>>>> sslcrtd_children 8 startup=1 idle=1
>>>>>>>
>>>>>>> #### Denied Users
>>>>>>> acl equipos_denegados src "/usr/local/squid/etc/equipos_denegados"
>>>>>>> http_access deny equipos_denegados
>>>>>>> deny_info DENY equipos_denegados
>>>>>>>
>>>>>>> #### Allowed users
>>>>>>> acl equipos_permitidos src "/usr/local/squid/etc/equipos_permitidos"
>>>>>>> http_access allow equipos_permitidos
>>>>>>> ####
>>>>>>>
>>>>>>> #### Denied Sites
>>>>>>> acl sitios_denegados dstdomain "/usr/local/squid/etc/sitiosdenegados"
>>>>>>> http_access deny sitios_denegados
>>>>>>> ####
>>>>>>>
>>>>>>> #### Block HTTPS
>>>>>>> acl blockhttps ssl::server_name "/usr/local/squid/etc/sitiosdenegados"
>>>>>>> ssl_bump terminate blockhttps
>>>>>>> ssl_bump splice equipos_permitidos
>>>>>>> ssl_bump peek all
>>>>>>> ssl_bump splice all
>>>>>>> ####
>>>>>>>
>>>>>>> sslproxy_cert_error allow all
>>>>>>> sslproxy_flags DONT_VERIFY_PEER
>>>>>>> sslproxy_options NO_SSLv3:NO_SSLv2
>>>>>>>
>>>>>>>
>>>>>>> Basically I'm using squid to allow everything and deny some users
>>>>>>> (hosts) and some sites (http and https).
>>>>>>>
>>>>>>> If I use IE or Firefox (Win/Lin), everything works great, if I
>>>>>>> access a site via HTTP the user sees a message and if he accesses
>>>>>>> via HTTPS the connection is terminated and there is an error on
>>>>>>> the browser.
>>>>>>>
>>>>>>> But, if I access any google site using chrome (windows / linux)
>>>>>>> the sites are getting bumped (google.com, google.com.X,
>>>>>>> youtube.com, etc)
>>>>>>>
>>>>>>> The browser complains with a "Your connection is not private" and
>>>>>>> the certificate is my own certificate.
>>>>>>>
>>>>>>> I'm missing something?
>>>>>>>
>>>>>>> I only want to splice everything.
>>>>>>>
>>>>>>> Thanks
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users