Re: SSL Bump - Splice - Chrome error

Yuri thanks again.

I'm going to give it a try and post my results.

Alejandro

2016-01-05 11:57 GMT-03:00 Yuri Voinov <yvoinov@xxxxxxxxx>:

You can write it easily ;)

Please note:

1. AFAIK, splice rule must be preceded by bump rule in your config.
2. You can use ssl::server_name_regex or ssl::server_name for a decision
3. In most cases your users must have your cache's CA when the cache cannot splice

Config snippet, for example, will look like this:

# SSL bump rules 1
acl step1 at_step SslBump1
acl Splice_Only ssl::server_name_regex -i "/usr/local/squid/etc/google_sites"
ssl_bump splice Splice_Only
ssl_bump peek step1
ssl_bump bump all

Note: This snippet will bump all others, and tunnel Splice_Only acl sites.

# SSL bump rules 2
acl step1 at_step SslBump1
ssl_bump peek step1
acl Splice_Only ssl::server_name_regex -i "/usr/local/squid/etc/google_sites"
ssl_bump splice Splice_Only
ssl_bump bump all

Note: This snippet will peek all, splice Splice_Only acl, and bump all others.

Amos, Alex,

correct me if I'm wrong somewhere.

WBR, Yuri

PS. Also note: you must adjust https_port and/or other SSL options to harden your cache's TLS connections to avoid other Chrome security warnings. For example, avoid using SHA1 in your cache's CA, configure EDH ciphers for outgoing _and_ client-to-cache connections, and suppress the use of SSLv2/SSLv3 (but keep in mind: you have _many_ old clients, like IM, which are hardcoded to use SSLv2/SSLv3, and you will get warnings/errors in your cache.log about it).

On 05.01.16 18:51, Alejandro Martinez wrote:

> Hi all,
> I'm still lost, can I ask for a minimal working config splicing google.com
> sites ?
>
> I have made some additional checks (blocking QUIC), but with no luck.
>
> I'm thinking of creating an external helper that receives via ssl::server_name
> and makes a decision there, but if there is a chance with a simple text file
> I would appreciate that.
>
> Thanks.
>
>
> 2016-01-04 9:52 GMT-03:00 Alejandro Martinez <ajm.martinez@xxxxxxxxx>:
>
>> Thanks all for your help.
>>
>> Is there a minimal config example to see splicing correctly Google sites?
>>
>> It would be very helpful.
>> On 04/01/2016 09:28, "Amos Jeffries" <squid3@xxxxxxxxxxxxx> wrote:
>>
>>> On 4/01/2016 1:16 p.m., Alejandro Martinez wrote:
>>>> Thanks again Yuri.
>>>>
>>>> I have tried blocking udp protocol on port 80 and 443 but without luck.
>>>
>>> That does not help resolve the errors Chrome is displaying when using
>>> the proxy. It does help resolve the errors that happen by Chrome trying
>>> to bypass the proxy by using the proprietary QUIC protocol.
>>>
>>>>
>>>> Is it possible to make google sites work in transparent mode without
>>>> bumping ? only splicing ?
>>>>
>>>
>>> Of course. That is the purpose of splice. Bumping is optional.
>>>
>>> Amos
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>
>
>
>






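The two rule orderings in Yuri's snippets, worked through as an added example (this is not code from the thread or from Squid itself): a small Python model of how Squid walks `ssl_bump` rules across steps, run against a constructed stand-in for the `google_sites` regex file. The model assumes that the first matching `ssl_bump` line at a step wins, that `peek` moves evaluation to the next step while `splice` and `bump` terminate it, and that the server name tested by `ssl::server_name_regex` is the SNI at every step (a simplification; in an intercepting setup the ClientHello SNI is only learned at SslBump2, after the peek). The file contents and the lookalike hostnames are constructed for the example.

```python
import re

# Constructed stand-in for /usr/local/squid/etc/google_sites: one regex per
# line, as ssl::server_name_regex reads them. The first list is the way such
# a file is usually written; the second anchors each pattern so it matches
# only the domain itself or a subdomain of it.
GOOGLE_SITES_UNANCHORED = [r"google\.com", r"googleapis\.com", r"gstatic\.com"]
GOOGLE_SITES_ANCHORED = [
    r"(^|\.)google\.com$",
    r"(^|\.)googleapis\.com$",
    r"(^|\.)gstatic\.com$",
]

# The two snippets from the thread, as (action, acl) pairs in config order.
SNIPPET_1 = [("splice", "Splice_Only"), ("peek", "step1"), ("bump", "all")]
SNIPPET_2 = [("peek", "step1"), ("splice", "Splice_Only"), ("bump", "all")]


def compile_acl(patterns):
    """Compile the regex file the way 'ssl::server_name_regex -i' would (case-insensitive)."""
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def acl_matches(compiled, server_name):
    """A server_name_regex ACL matches if any line of the file matches (unanchored search)."""
    return any(rx.search(server_name) for rx in compiled)


def decide(rules, server_name, patterns, max_step=3):
    """Return (terminal_action, step) for one TLS connection under the given rule order.

    'step1' is the at_step SslBump1 ACL, 'all' always matches, 'Splice_Only'
    is the server_name_regex ACL backed by `patterns`. Assumption: the SNI is
    known at every step.
    """
    compiled = compile_acl(patterns)
    step = 1
    while step <= max_step:
        for action, acl in rules:
            if acl == "all":
                matched = True
            elif acl == "step1":
                matched = step == 1
            elif acl == "Splice_Only":
                matched = acl_matches(compiled, server_name)
            else:
                raise ValueError(f"unknown acl {acl!r}")
            if not matched:
                continue
            if action == "peek":
                step += 1      # peek: gather more info, re-run the rules at the next step
                break
            return action, step  # splice / bump: final decision
        else:
            # Both snippets end with 'bump all', so this branch is unreachable here.
            raise RuntimeError("no ssl_bump rule matched")
    raise RuntimeError("peeked past the last step")


def audit_patterns(patterns, lookalikes):
    """Return the patterns that also match a lookalike name, i.e. over-broad lines in the file."""
    compiled = compile_acl(patterns)
    return sorted({rx.pattern for rx in compiled
                   for name in lookalikes if rx.search(name)})


if __name__ == "__main__":
    # Constructed sample SNIs, including two lookalikes of the allowed domains.
    names = ["www.google.com", "example.org", "google.com.evil.example", "notgoogle.com"]
    for label, rules in (("snippet 1", SNIPPET_1), ("snippet 2", SNIPPET_2)):
        for name in names:
            print(label, name, decide(rules, name, GOOGLE_SITES_UNANCHORED))
    print("over-broad (unanchored):", audit_patterns(GOOGLE_SITES_UNANCHORED, names[2:]))
    print("over-broad (anchored):  ", audit_patterns(GOOGLE_SITES_ANCHORED, names[2:]))
```

Snippet 1 splices a matching name at step 1 and bumps everything else at step 2; snippet 2 peeks first and then decides at step 2, which is the ordering that works when the name can only be learned from the ClientHello. The `audit_patterns` check is the caveat worth running over any such file: an unanchored `google\.com` also matches `google.com.evil.example` and `notgoogle.com`, so those connections would be spliced (left uninspected) rather than bumped, while the anchored variants match neither.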
