Re: Squid 3.5.19 how to find banking server name for no bump

[Stanford Prescott <stan.prescott@xxxxxxxxx>]

I forgot to mention, I am using squid 3.5.19

On Tue, Jun 28, 2016 at 6:47 PM, Stanford Prescott <stan.prescott@xxxxxxxxx> wrote:

When I enter .wellsfargo.com in

acl tls_s1_connect at_step SslBump1

acl tls_s2_client_hello at_step SslBump2

acl tls_s3_server_hello at_step SslBump3

acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n

acl tls_allowed_hsts ssl::server_name .akamaihd.net

acl tls_server_is_bank ssl::server_name .wellsfargo.com

acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

ssl_bump peek tls_s1_connect all

ssl_bump splice tls_s2_client_hello tls_to_splice

ssl_bump stare tls_s2_client_hello all

ssl_bump bump tls_s3_server_hello all

it appears that the banking site is still getting bumped i.e.like in this access.log snippet

1467156887.817    257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -

1467156888.008     94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json

1467156893.774     75 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -

1467156893.847    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -

1467156893.875    120 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -

1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -

1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -

1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -

1467156893.875    112 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -

1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -

1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -

1467156894.109    306 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -

1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -

1467156894.109    308 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -

1467156895.488     72 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.98:443 - ORIGINAL_DST/216.58.194.98 -

1467156895.513     98 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.70:443 - ORIGINAL_DST/216.58.194.70 -

1467156895.648     66 10.40.40.100 TCP_MISS/302 739 GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid= - ORIGINAL_DST/216.58.194.98 image/gif

1467156895.664     82 10.40.40.100 TCP_MISS/200 649 GET https://ad.doubleclick.net/activity;src="">? - ORIGINAL_DST/216.58.194.70 image/gif

1467156895.920    250 10.40.40.100 TAG_NONE/200 0 CONNECT 24.155.92.60:443 - ORIGINAL_DST/24.155.92.60 -

1467156896.061     79 10.40.40.100 TCP_MISS/200 503 GET https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630 - ORIGINAL_DST/24.155.92.60 image/gif

1467156899.837   5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -

1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -

1467156899.837   5679 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -

1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -

1467156899.838   5680 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -

1467156899.838   5588 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -

1467156900.836   5421 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -

1467156900.836   5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -

1467156900.837   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.2.142:443 - HIER_NONE/- -

1467156900.837   5139 10.40.40.100 TCP_TUNNEL/200 4043 CONNECT static.wellsfargo.com:443 - ORIGINAL_DST/159.45.2.142 -

1467156900.838   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -

1467156900.838   5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -

If I disable sslbumping then the bank site does not get bumped, of course.

1467157349.321    230 10.40.40.100 TCP_MISS/301 243 GET http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -

Here is my squid.conf with bumping enabled.

visible_hostname smoothwall

# Uncomment the following to send debug info to /var/log/squid/cache.log

#debug_options ALL,1 33,2 28,9

# ACCESS CONTROLS

# ----------------------------------------------------------------

acl localhostgreen src 10.40.40.1

acl localnetgreen src 10.40.40.0/24

acl SWE_subnets          src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"

acl SSL_ports port 445 443 441 563

acl Safe_ports port 80     # http

acl Safe_ports port 81     # smoothwall http

acl Safe_ports port 21     # ftp 

acl Safe_ports port 445 443 441 563 # https, snews

acl Safe_ports port 70     # gopher

acl Safe_ports port 210       # wais  

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280       # http-mgmt

acl Safe_ports port 488       # gss-http 

acl Safe_ports port 591       # filemaker

acl Safe_ports port 777       # multiling http

acl CONNECT method CONNECT

# TAG: http_access

# ----------------------------------------------------------------

http_access allow SWE_subnets

http_access allow localhost

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localnetgreen

http_access allow CONNECT localnetgreen

http_access allow localhostgreen

http_access allow CONNECT localhostgreen

# http_port and https_port

#----------------------------------------------------------------------------

# For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.

#----------------------------------------------------------------------------

http_port 3127

http_port 10.40.40.1:800 intercept

https_port 10.40.40.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem

http_port 127.0.0.1:800 intercept

sslproxy_session_cache_size 4 MB

ssl_bump none localhostgreen

sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression

sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

acl tls_s1_connect at_step SslBump1

acl tls_s2_client_hello at_step SslBump2

acl tls_s3_server_hello at_step SslBump3

acl tls_allowed_hsts ssl::server_name .akamaihd.net

acl tls_server_is_bank ssl::server_name .wellsfargo.com

acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

ssl_bump peek tls_s1_connect all

ssl_bump splice tls_s2_client_hello tls_to_splice

ssl_bump stare tls_s2_client_hello all

ssl_bump bump tls_s3_server_hello all

sslproxy_cert_error deny all

sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB

sslcrtd_children 5

http_access deny all

cache_replacement_policy heap GDSF

memory_replacement_policy heap GDSF

# CACHE OPTIONS

# ----------------------------------------------------------------------------

cache_effective_user squid

cache_effective_group squid

cache_swap_high 100

cache_swap_low 80

cache_access_log stdio:/var/log/squid/access.log

cache_log /var/log/squid/cache.log

cache_mem 64 MB

cache_dir aufs /var/spool/squid/cache 1024 16 256

maximum_object_size 33 MB

minimum_object_size 0 KB

request_body_max_size 0 KB

# OTHER OPTIONS

# ----------------------------------------------------------------------------

#via off

forwarded_for off

pid_filename /var/run/squid.pid

shutdown_lifetime 10 seconds

#icp_port 3130

half_closed_clients off

umask 022

logfile_rotate 0

strip_query_terms off

On Tue, Jun 28, 2016 at 9:56 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

On 29/06/2016 2:02 a.m., Stanford Prescott wrote:
> I have the proper peek and splice and bump configuration of acls setup in
> my squid.conf file for no-bump of some web sites. I need help how to enter
> the banking hosts and or server names in a way that the peek and splice
> configuration will determine it is a banking site that I don't want bumped.
>
> For example, if a user enters www.wellsfargo.com for online banking my
> current config still bumps wellsfargo.com. What would I need to enter for
> wellsfargo.com so that banking server will not be bumped?
>

Depends on what you mean by "enter".

Are you asking for the ACL value?
  .wellfargo.com

Are you asking for the ACL definition?
 acl banks ssl::server_name .wellsfargo.com

Or are you asking for a whole SSL-Bump configuration example?
 <http://wiki.squid-cache.org/Features/SslPeekAndSplice> has a few.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users