Re: HTTPS Content Filtering without de-crypting traffic?

James Lay <jlay@xxxxxxxxxxxxxxxxxxx> · Wed, 27 Jan 2016 09:33:16 -0700

On 2016-01-26 15:59, Panda Admin wrote:

Hello,

I attempting to terminate https traffic based on ACLs using ssl_bumping WITHOUT de-crypting the traffic in intercept/transparent mode.  Has anyone got this to work before? I have copied my configuration and what my iptables nat rules look like. 

 I am using squid 3.5.13 with the following compile options:

Squid Cache: Version 3.5.12
Service Name: squid
configure options:  '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid3' '--datadir=/share/squid3' '--sysconfdir=/etc/squid3' '--with-default-user=proxy' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-openssl' '-enable-ssl-crtd' '--enable-icap-client' '--with-large-files' --enable-ltdl-convenience

squid.conf:

acl social dstdomain .google.com .facebook.com .reddit.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump stare step2 all
ssl_bump terminate social
acl localnet src 192.168.50.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128 transparent
https_port 3129 intercept ssl-bump cert=/etc/squid3/ssl_cert/squidSSL.pem
cache_dir ufs /cache/squid3/spool 100 16 256
access_log syslog:local5.info squid
coredump_dir /var/spool/squid3
url_rewrite_program /usr/bin/squidGuard -c /cache/config/daemons/squidguard/squidGuard.conf
url_rewrite_children 15
url_rewrite_access allow all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

iptables -L -v -t nat(only relevant rules):

Chain PREROUTING (policy ACCEPT 1083 packets, 233K bytes)
 pkts bytes target     prot opt in     out     source               destination             
  157  9420 DNAT       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:https to:192.168.11.1:3129

Chain PREROUTING-daemon-tcp (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  443 26580 DNAT       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:http /* 7:PFD::CF-3128 */ to:192.168.11.1:3128
    0     0 DNAT       tcp  --  eth2   any     anywhere             anywhere             tcp dpt:http /* 8:PFD::CF-3128 */ to:172.17.0.1:3128

Right now I can't get it to terminate ANY https traffic. All it does is allow it through.  
Any and all help would be greatly appreciated!

~ Extremely Confused Squid User ~

_______________________________________________
 squid-users mailing list
 squid-users@xxxxxxxxxxxxxxxxxxxxx
 http://lists.squid-cache.org/listinfo/squid-users

Read:
http://thread.gmane.org/gmane.comp.web.squid.general/114384/focus=114389
I'm doing exactly what you're wanting.
James

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users