Re: Squid 3.5.19 how to find banking server name for no bump

When I enter .wellsfargo.com in

acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all

it appears that the banking site is still getting bumped, as in this access.log snippet:

1467156887.817    257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008     94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156893.774     75 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.847    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875    120 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875    112 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    306 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    308 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156895.488     72 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.98:443 - ORIGINAL_DST/216.58.194.98 -
1467156895.513     98 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.70:443 - ORIGINAL_DST/216.58.194.70 -
1467156895.664     82 10.40.40.100 TCP_MISS/200 649 GET https://ad.doubleclick.net/activity;src="">? - ORIGINAL_DST/216.58.194.70 image/gif
1467156895.920    250 10.40.40.100 TAG_NONE/200 0 CONNECT 24.155.92.60:443 - ORIGINAL_DST/24.155.92.60 -
1467156896.061     79 10.40.40.100 TCP_MISS/200 503 GET https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630 - ORIGINAL_DST/24.155.92.60 image/gif
1467156899.837   5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156899.837   5679 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156899.838   5680 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.838   5588 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836   5421 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.836   5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
1467156900.837   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.2.142:443 - HIER_NONE/- -
1467156900.837   5139 10.40.40.100 TCP_TUNNEL/200 4043 CONNECT static.wellsfargo.com:443 - ORIGINAL_DST/159.45.2.142 -
1467156900.838   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.838   5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -

If I disable sslbumping then the bank site does not get bumped, of course.

1467157349.321    230 10.40.40.100 TCP_MISS/301 243 GET http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -

Here is my squid.conf with bumping enabled.

visible_hostname smoothwall

# Uncomment the following to send debug info to /var/log/squid/cache.log
#debug_options ALL,1 33,2 28,9

# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.40.40.1
acl localnetgreen src 10.40.40.0/24
acl SWE_subnets          src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"

acl SSL_ports port 445 443 441 563
acl Safe_ports port 80     # http
acl Safe_ports port 81     # smoothwall http
acl Safe_ports port 21     # ftp 
acl Safe_ports port 445 443 441 563 # https, snews
acl Safe_ports port 70     # gopher
acl Safe_ports port 210       # wais  
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 488       # gss-http 
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http

acl CONNECT method CONNECT

# TAG: http_access
# ----------------------------------------------------------------

http_access allow SWE_subnets


http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnetgreen
http_access allow CONNECT localnetgreen

http_access allow localhostgreen
http_access allow CONNECT localhostgreen

# http_port and https_port
#----------------------------------------------------------------------------

# For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127

http_port 10.40.40.1:800 intercept
https_port 10.40.40.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem


http_port 127.0.0.1:800 intercept

sslproxy_session_cache_size 4 MB

ssl_bump none localhostgreen

sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all

sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5

http_access deny all

cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

# CACHE OPTIONS
# ----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid

cache_swap_high 100
cache_swap_low 80

cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB

cache_dir aufs /var/spool/squid/cache 1024 16 256

maximum_object_size 33 MB

minimum_object_size 0 KB


request_body_max_size 0 KB

# OTHER OPTIONS
# ----------------------------------------------------------------------------
#via off
forwarded_for off

pid_filename /var/run/squid.pid

shutdown_lifetime 10 seconds
#icp_port 3130

half_closed_clients off

umask 022

logfile_rotate 0

strip_query_terms off





On Tue, Jun 28, 2016 at 9:56 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 29/06/2016 2:02 a.m., Stanford Prescott wrote:
> I have the proper peek and splice and bump configuration of acls setup in
> my squid.conf file for no-bump of some web sites. I need help how to enter
> the banking hosts and or server names in a way that the peek and splice
> configuration will determine it is a banking site that I don't want bumped.
>
> For example, if a user enters www.wellsfargo.com for online banking my
> current config still bumps wellsfargo.com. What would I need to enter for
> wellsfargo.com so that banking server will not be bumped?
>

Depends on what you mean by "enter".

Are you asking for the ACL value?
  .wellsfargo.com

Are you asking for the ACL definition?
 acl banks ssl::server_name .wellsfargo.com

Or are you asking for a whole SSL-Bump configuration example?
 <http://wiki.squid-cache.org/Features/SslPeekAndSplice> has a few.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
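As an added check, not code from the thread or from the Squid project: a Python script that reads lines in Squid's default access.log format and reports which TLS connections were spliced and which were bumped, then compares each host against the ssl::server_name values of the poster's tls_to_splice ACL. The sample log lines are constructed from the ones quoted above (the mangled doubleclick URL is simplified), and the dotted-domain matching reimplements Squid's documented rule that a leading dot covers the domain and all of its subdomains; the function names are my own.

```python
"""Check a Squid 3.5 access.log for which TLS connections were spliced or bumped.

Added example, not code from the squid-users thread or from the Squid project.
It parses access.log lines in Squid's default "squid" log format and applies the
same reading a human does: a CONNECT logged as TCP_TUNNEL with a host name in the
URL is a spliced tunnel, while https:// requests logged individually against an
ORIGINAL_DST address can only exist if Squid decrypted (bumped) that connection.
It also reimplements ssl::server_name dotted-domain matching (a leading dot
matches the domain and its subdomains) to check hosts against the splice ACL.
"""
from urllib.parse import urlsplit

# Constructed sample: trimmed copies of the lines quoted in the thread (the
# mangled doubleclick URL simplified), in the default squid log format:
# time elapsed client result/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1467156887.817    257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008     94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156895.513     98 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.70:443 - ORIGINAL_DST/216.58.194.70 -
1467156895.664     82 10.40.40.100 TCP_MISS/200 649 GET https://ad.doubleclick.net/activity - ORIGINAL_DST/216.58.194.70 image/gif
1467156899.837   5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836   5421 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.836   5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
"""

# The ssl::server_name values from the poster's tls_to_splice ACL.
SPLICE_ACL = [".akamaihd.net", ".wellsfargo.com"]


def server_name_matches(host, acl_values):
    """Squid dstdomain-style match: ".example.com" covers example.com and every
    subdomain; a value without a leading dot must match the host exactly."""
    host = host.lower().rstrip(".")
    for value in acl_values:
        value = value.lower()
        if value.startswith("."):
            if host == value[1:] or host.endswith(value):
                return True
        elif host == value:
            return True
    return False


def parse_line(line):
    """Split one default-format access.log line into the fields used here."""
    fields = line.split()
    result, status = fields[3].split("/", 1)
    hierarchy, peer = fields[8].split("/", 1)
    return {"client": fields[2], "result": result, "status": status,
            "method": fields[5], "url": fields[6],
            "hierarchy": hierarchy, "peer": peer}


def classify_tls(log_text):
    """Return {server_ip: {"verdict": "spliced"|"bumped", "host": str, "urls": [...]}}
    for every TLS server address the log shows Squid talking to."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["hierarchy"] != "ORIGINAL_DST":
            continue  # HIER_NONE CONNECT stubs carry no server address
        rec = seen.setdefault(entry["peer"], {"verdict": None, "host": None, "urls": []})
        if entry["method"] == "CONNECT":
            host = entry["url"].rpartition(":")[0]
            if entry["result"] == "TCP_TUNNEL":
                # Bytes were relayed unchanged; the logged host is the TLS SNI name.
                rec["verdict"], rec["host"] = "spliced", host
        elif entry["url"].startswith("https://"):
            # A URL inside a TLS session is visible only after decryption.
            rec["verdict"] = "bumped"
            rec["host"] = urlsplit(entry["url"]).hostname
            rec["urls"].append(entry["url"])
    return {ip: rec for ip, rec in seen.items() if rec["verdict"]}


def splice_acl_misses(log_text, acl_values):
    """Hosts that match the splice ACL yet were bumped: each one is a sign the
    ssl_bump rules are not doing what the ACL intends."""
    return sorted(rec["host"] for rec in classify_tls(log_text).values()
                  if rec["verdict"] == "bumped" and server_name_matches(rec["host"], acl_values))


if __name__ == "__main__":
    for ip, rec in classify_tls(SAMPLE_LOG).items():
        acl = "matches" if server_name_matches(rec["host"], SPLICE_ACL) else "no match"
        print(f"{ip:16} {rec['verdict']:8} {rec['host']}  (splice ACL: {acl})")
    print("bumped despite matching the splice ACL:", splice_acl_misses(SAMPLE_LOG, SPLICE_ACL))
```

Run against the sample, the script reports the two wellsfargo.com addresses as spliced, because they appear only in TCP_TUNNEL CONNECT records, and the mozilla.com and doubleclick.net addresses as bumped, because decrypted GET/POST requests are logged against them. An empty result from splice_acl_misses is the condition to look for when verifying a splice ACL from the log; any host listed there matched the ACL but was still decrypted.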

