
Re: intercepting tcp/443 purely for logging purposes



It's really not much more than what I first posted (I can't send my config - it's pretty specific to our site - you'll have to figure out the standard stuff yourself)

So this will make a squid-3.5 server capable of doing "transparent HTTPS" without any fiddling with the transactions. Of course it assumes you already know how to redirect port 443 traffic onto your proxy, and know how to reconfigure the OS to support that too (ie same as transparent HTTP on port 80)

acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
http_access deny BlacklistedHTTPSsites
https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert  cafile=/etc/squid/ca-bundle.crt generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
sslcrtd_children 32 startup=15 idle=5
acl SSL_https port 443
ssl_bump splice SSL_https


On Tue, Mar 22, 2016 at 12:05 AM, Vito A. Smaldino <vitoantonio.smaldino@xxxxxxxxxxxxx> wrote:
Hi all,
Great, I'm just searching for this. Jason, can you kindly post the whole squid.conf?
Thanks
V

2016-03-20 22:29 GMT+01:00 Jason Haar <jason_haar@xxxxxxxxxxx>:
Hi there

I'm wanting to use tls intercept to just log (well OK, and potentially block) HTTPS sites based on hostnames (from SNI), but have had problems even in peek-and-splice mode. So I'm willing to compromise and instead just intercept that traffic, log it, block on IP addresses if need be, and don't use ssl-bump beyond that.

So far the following seems to work perfectly, can someone confirm this is "supported" - ie that I'm not relying on some bug that might get fixed later? ;-)

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
sslcrtd_children 32 startup=15 idle=5
acl SSL_https port 443
ssl_bump splice SSL_https
acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
http_access deny BlacklistedHTTPSsites

The "bug" comment comes down to how acl seems to work. I half-expected the above not to work - but it does. It would appear squid will treat an intercept's dst IP as the "dns name" as that's all it's got - so "dstdomain" works fine for both CONNECT and intercept IFF the acl contains IP addresses

I was hoping I wouldn't need ssl-bump at all, but you need squid to be running a https_port, and for it to support "intercept", and to do that squid insists on "ssl-bump" too - although that seems likely to have been a programmer assumption that didn't include people like me doing mad things like this? :-). I'd also guess I don't need 32 children/etc - 1 would suffice as it's never used?

So the end result is that all CONNECT and/or intercept SSL/TLS traffic is supported via the proxy, with all TLS security decisions residing on the client. I get my logs, and if I want to block some known bad IP address, I can: CONNECT causes a 403 HTTP error page and intercept basically ditches the tcp/443 connection - which is as good as it gets without getting into the wonderful world of real "bump"

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

--
Vito A. Smaldino




--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
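
An added example, not part of the thread and not Squid's own code: a short Python audit of the logs this setup produces, separating tcp/443 records logged by IP (intercepted) from those logged by name (explicit CONNECT) and listing blocklist entries that are hostnames, which by the behaviour described in the post cannot match intercepted traffic. It assumes Squid's default native access.log field order; the log lines, result codes and blocklist are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample lines, assuming Squid's default native access.log format.
SAMPLE_LOG = """\
1458600001.101 5021 10.0.0.15 TCP_TUNNEL/200 48211 CONNECT 203.0.113.7:443 - ORIGINAL_DST/203.0.113.7 -
1458600002.202 12 10.0.0.15 TCP_DENIED/200 0 CONNECT 198.51.100.9:443 - HIER_NONE/- -
1458600003.303 7 10.0.0.22 TCP_DENIED/403 3901 CONNECT bad.example.net:443 - HIER_NONE/- text/html
1458600004.404 880 10.0.0.22 TCP_TUNNEL/200 9120 CONNECT 203.0.113.7:443 - ORIGINAL_DST/203.0.113.7 -
1458600005.505 40 10.0.0.30 TCP_MISS/200 512 GET http://example.org/ - HIER_DIRECT/192.0.2.10 text/html
"""
# Constructed blocklist, one dstdomain value per line as in the ACL file.
SAMPLE_BLOCKLIST = ["198.51.100.9", ".example.net", "tracker.example.com"]

def as_ip(host):
    """Return the normalised IP string, or None when host is a DNS name."""
    try:
        return str(ipaddress.ip_address(host.strip("[]")))
    except ValueError:
        return None

def matches(host, entry):
    """dstdomain-style match: exact, or suffix when the entry starts with a dot."""
    host, entry = host.lower(), entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def audit(log_text, blocklist):
    """Summarise tcp/443 CONNECT records and blocklist coverage."""
    report = {"ip_dests": Counter(), "name_dests": Counter(), "hits": [],
              "name_only_entries": [e for e in blocklist if as_ip(e) is None]}
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue  # not a CONNECT record (or a truncated line)
        host, _, port = f[6].rpartition(":")
        if port != "443":
            continue
        ip = as_ip(host)
        key = ip or host.lower()
        report["ip_dests" if ip else "name_dests"][key] += 1
        if any(matches(key, e) for e in blocklist):
            report["hits"].append((f[2], key, f[3]))  # client, destination, result
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_BLOCKLIST))
```

Entries reported under `name_only_entries` need their IP addresses added to the ACL file if intercepted clients are to be covered as well.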
