Re: Squid Peek and splice

Hi

Below is my squid configuration 

Squid : 3.5.13
OS ubuntu 14.04


http_port 3128
http_port 3127 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH

always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
acl blocked ssl::server_name  "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 16 startup=1 idle=1
sslproxy_capath /etc/ssl/certs
sslproxy_cert_error allow all
ssl_unclean_shutdown on

I want to block facebook.com, so I have added the URL to the .txt file.

It's not blocking anything.

Please let me know what I have to change in this configuration.

I am getting the below logs in squid:


1463478160.585    551 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478160.585    550 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478161.147    562 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478161.147    561 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478163.982    553 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478163.982    552 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478163.994    565 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478163.994    564 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478184.338 182900 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.137.175:443 - HIER_NONE/- -
1463478184.338 182898 192.168.0.66 TCP_TUNNEL/200 6040 CONNECT geo.query.yahoo.com:443 - ORIGINAL_DST/106.10.137.175 -


1463478194.373     61 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.163 -
1463478209.166 240232 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.239:443 - HIER_NONE/- -
1463478209.166 240231 192.168.0.66 TCP_TUNNEL/200 5603 CONNECT translate.googleapis.com:443 - ORIGINAL_DST/74.125.200.239 -
1463478209.200 240267 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
1463478209.200 240266 192.168.0.66 TCP_TUNNEL/200 4962 CONNECT clients4.google.com:443 - ORIGINAL_DST/216.58.199.142 -
1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
1463478224.432     33 192.168.0.66 TCP_MISS/204 233 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.199.131 -
1463478231.727    555 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478231.727    555 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478232.311    572 192.168.0.66 TAG_NONE/200 0 CONNECT 107.170.47.181:443 - HIER_NONE/- -
1463478232.311    571 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478246.369  13073 192.168.0.66 TAG_NONE/200 0 CONNECT 74.125.200.189:443 - HIER_NONE/- -
1463478246.369  13072 192.168.0.66 TCP_TUNNEL/200 4546 CONNECT 0.client-channel.google.com:443 - ORIGINAL_DST/74.125.200.189 -
1463478246.369  13806 192.168.0.66 TAG_NONE/200 0 CONNECT 216.58.199.142:443 - HIER_NONE/- -
1463478246.369  13805 192.168.0.66 TCP_TUNNEL/200 4604 CONNECT clients5.google.com:443 - ORIGINAL_DST/216.58.199.142 -
1463478265.935 119576 192.168.0.66 TAG_NONE/200 0 CONNECT 106.10.199.11:443 - HIER_NONE/- -
1463478265.935 119576 192.168.0.66 TCP_TUNNEL/200 8586 CONNECT geo.yahoo.com:443 - ORIGINAL_DST/106.10.199.11 -
1463478327.555     41 192.168.0.66 TCP_MISS/200 2323 GET http://www.gstatic.com/chrome/crlset/3006/crl-set-delta-3005-260733898557562236.crx.data - ORIGINAL_DST/216.58.220.3 text/html


On Fri, May 13, 2016 at 4:37 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 13/05/2016 5:58 p.m., Reet Vyas wrote:
> Hi Amos/Yuri,
>
> Currently my squid is configured with ssl bump, now I want to use peek and
> splice. I read in some forum that we don't need to install certificate on
> client's machine.
>

Splice does not require it. But what you want to do with Squid may
prevent splice being used. So "it depends" ...


> As I have already asked before on the mailing list, installing the SSL certificate
> on Android devices is not working.
>
> So my question is, if I want to use peek and splice, for example if I want https
> filtering for

 ... on how you define "filter".

> proxy websites

Not sure what you mean by that term.

> and I don't want ssl for bank websites and
> facebook, youtube and gmail, how will it work? Do I need to install the SSL
> certificate on the client or not? I am a bit confused with the peek and splice thing.

When you intercept port 443 normally only the raw-IP is available from
TCP. Peek allows Squid to get the server name the client was trying to
connect to out of the TLS. So that Squid can handle the intercepted
connection as if it had received a CONNECT message (which usually have
server/domain names).

Splicing can be thought of as handling an intercepted port 443 connection
as if it were a CONNECT message, with no decryption. It is treated as a
single "thing", with some limited control possibilities.


So...

In order to bump (decrypt) some traffic and splice (not decrypt) other
traffic you need to have a way to decide which type is being dealt with.
That is the peek or stare actions - to get data out of the TLS handshake
for you to use in ACL decisions.

You might now want to re-read the SslPeekAndSplice documentation again
to see if you understand it better. I skipped a lot of important details
to make the description clear.


>
> Please let me know if it is possible to configure squid 3.5.19 in such a way
> that it will bump only proxy websites, not FB, youtube etc.
>

Ah. So what are these "proxy websites" you speak of?

One thing you need to be clear about is that once the TCP packets enter
Squid they *have* to be "proxied". There is no way to undo TCP accept()
and read() operations. But there are many ways of handling them that
Squid can do.

PS. you could post your existing config so we can suggest alterations to
it that will lead to it doing your new policy. That can be another way
to learn how the relevant-to-you part of the features work without
diving into the full complexity of what *might* be doable.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
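An added check, not code from the thread: a small Python audit of access.log lines in the format posted above that reports which CONNECTs carrying a server name were still spliced (TCP_TUNNEL) even though they match the blocklist, which is exactly what the graph.facebook.com line shows. The dotted-domain matching is an approximation of Squid's ssl::server_name ACL (an assumption here, not Squid's code), used to show that a full URL in the .txt file never matches an SNI host name; the log lines and blocklist are constructed.

```python
import re

# Constructed sample in the same native access.log shape as the thread.
SAMPLE_LOG = """\
1463478160.585    550 192.168.0.66 TAG_NONE/503 0 CONNECT freevideodownloader.co:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TAG_NONE/200 0 CONNECT 31.13.79.246:443 - HIER_NONE/- -
1463478213.443 181611 192.168.0.66 TCP_TUNNEL/200 8547 CONNECT graph.facebook.com:443 - ORIGINAL_DST/31.13.79.246 -
1463478209.166 240231 192.168.0.66 TCP_TUNNEL/200 5603 CONNECT translate.googleapis.com:443 - ORIGINAL_DST/74.125.200.239 -
"""

# Constructed blocklist in the dotted-domain style an ssl::server_name ACL file
# expects: a leading dot matches the domain itself and every subdomain.
BLOCKLIST = ".facebook.com\nfreevideodownloader.co\n"

# timestamp, elapsed, client, TAG/code, bytes, CONNECT host:port ...
LINE_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+(\S+)/(\d+)\s+\d+\s+CONNECT\s+([^:\s]+):\d+")

def load_blocklist(text):
    return [e.strip().lower() for e in text.splitlines() if e.strip() and not e.startswith("#")]

def server_name_matches(host, entries):
    """Approximation (assumption) of Squid dstdomain-style matching: exact name,
    or suffix match for entries that start with a dot. A URL entry never matches."""
    host = host.lower().rstrip(".")
    for e in entries:
        if e.startswith("."):
            if host == e[1:] or host.endswith(e):
                return True
        elif host == e:
            return True
    return False

def audit(log_text, blocklist_text):
    """Return {host: (status, listed)} for CONNECT lines that carry a server name.
    status is 'spliced' for TCP_TUNNEL, otherwise the raw 'TAG/code'."""
    entries = load_blocklist(blocklist_text)
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tag, code, host = m.groups()
        if re.fullmatch(r"[\d.]+", host):
            continue  # raw-IP line logged at step1, before the SNI was peeked
        status = "spliced" if tag == "TCP_TUNNEL" else f"{tag}/{code}"
        result[host] = (status, server_name_matches(host, entries))
    return result

def leaks(log_text, blocklist_text):
    """Listed hosts that were spliced anyway, i.e. the terminate rule did not fire."""
    return sorted(h for h, (s, listed) in audit(log_text, blocklist_text).items()
                  if listed and s == "spliced")
```

Run `leaks()` over a real access.log and a copy of blocked_https.txt: an empty result means every listed name was stopped, while a non-empty one points at the names the ACL never matched.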
