Alex/Eliezer,

Thanks for your earlier comments and apologies for not responding (and saying thank you previously; squid got back-burnered unfortunately).

Getting logging working with transparent proxying was my initial step prior to looking at restricting specific sites via either ACLs or a URL rewriter (ufdbGuard, SquidGuard etc. - although I don't think SquidGuard works with SNI).

To reiterate, my desire is to have Squid running and capable of blocking access to http and https sites primarily based on the server name requested by the client (so no need to go beyond a peek). For HTTP requests this is obviously out of the box stuff, but for HTTPS it seems more complicated.

From everything I've read, it looks like the following ssl_bump lines should provide access to the SNI server name requested by the client:

ssl_bump peek all
ssl_bump splice all

I can't help thinking that I must have something wrong with my config:

- Log output correctly shows
  - SNI server name via ssl::>sni
  - Bump mode via ssl::bump_mode
  - Implies my ssl_bump config is working
- Restricting access via a squid ACL doesn't use the SNI server name for an HTTPS request
  - Works fine for HTTP

Example ACL:

acl blocked_sites ssl::server_name .apple.com
http_access deny blocked_sites

Example access log output:

%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni %ssl::bump_mode %[un %Sh/%<a %mt

1485468402.401    575 10.1.0.1 TCP_TUNNEL/200 592 CONNECT 23.63.86.92:443 store.apple.com peek - ORIGINAL_DST/23.63.86.92 -
1485469054.633     51 10.1.0.1 TCP_DENIED/403 3962 GET http://store.apple.com/ - - - HIER_NONE/- text/html

Example cache log output:

2017/01/26 21:54:21.745 kid1| 28,5| Acl.cc(138) matches: checking blocked_sites
2017/01/26 21:54:21.745 kid1| 28,3| ServerName.cc(42) match: checking '23.63.86.92'
2017/01/26 21:54:21.745 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:23.63.86.92 <> .apple.com
2017/01/26 21:54:21.745 kid1| 28,3| ServerName.cc(47) match: '23.63.86.92' NOT found
2017/01/26 21:54:21.745 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2017/01/26 21:54:21.745 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <> .apple.com
2017/01/26 21:54:21.745 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2017/01/26 21:54:21.745 kid1| 28,3| Acl.cc(158) matches: checked: blocked_sites = 0
2017/01/26 21:54:21.745 kid1| 28,3| Acl.cc(158) matches: checked: http_access#5 = 0
2017/01/26 21:54:21.745 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned

squid -v output:

Squid Cache: Version 3.5.20
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-icap-client' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

Is there anything obvious that I am missing, as I'm a bit stumped now?

Thanks again
Mark
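The cache.log above records the blocked_sites ACL being compared against '23.63.86.92' and then 'none', not against the SNI that the access.log line shows was learned during the peek. The script below is an added example, not code from the post or from Squid: it parses the two quoted access.log lines using the custom logformat from the post, and applies a re-implementation of Squid's domain-list matching rule (a pattern with a leading dot matches that domain and all subdomains; a pattern without one matches only that exact host, which is how the dstdomain/ssl::server_name syntax is documented) to both the host in the request line and the logged SNI. The field names, the parse_line/acl_view/scan helpers and the sample log are this example's own assumptions; the two log lines are the ones Mark posted, re-used as constructed input.

```python
"""Replay Squid access.log lines against a dstdomain-style ACL pattern.

Added example: shows which string an ssl::server_name ACL would see at the
CONNECT (the request-line host, an IP for intercepted traffic) versus the
SNI that only becomes available after the peek. Not Squid's own code.
"""
from urllib.parse import urlsplit

# Field order for the logformat quoted in the post (assumed names):
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni %ssl::bump_mode %[un %Sh/%<a %mt
FIELDS = ["ts", "tr", "client", "status", "bytes", "method", "url",
          "sni", "bump_mode", "user", "hier", "mime"]

# Constructed sample input: the two access.log lines from the post.
SAMPLE_LOG = """\
1485468402.401    575 10.1.0.1 TCP_TUNNEL/200 592 CONNECT 23.63.86.92:443 store.apple.com peek - ORIGINAL_DST/23.63.86.92 -
1485469054.633     51 10.1.0.1 TCP_DENIED/403 3962 GET http://store.apple.com/ - - - HIER_NONE/- text/html
"""


def parse_line(line):
    """Split one access.log line into a dict keyed by FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def request_host(method, url):
    """Host the request line carries: authority form for CONNECT, absolute URL otherwise."""
    if method == "CONNECT":
        # "host:port" or "[v6]:port"; urlsplit handles the bracket form.
        return urlsplit("//" + url).hostname or ""
    return urlsplit(url).hostname or ""


def domain_matches(host, pattern):
    """Squid domain-list semantics as documented: '.example.com' matches
    example.com and any subdomain, 'example.com' matches only itself."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if host in ("", "-", "none"):
        # No name available (e.g. no SNI yet): nothing to match.
        return False
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_view(line, pattern):
    """Report what the ACL would match for the request-line host and for the SNI."""
    rec = parse_line(line)
    url_host = request_host(rec["method"], rec["url"])
    sni = rec["sni"] if rec["sni"] != "-" else "none"  # mirror the 'none' seen in cache.log
    return {
        "method": rec["method"],
        "url_host": url_host,
        "url_host_matches": domain_matches(url_host, pattern),
        "sni": sni,
        "sni_matches": domain_matches(sni, pattern),
    }


def scan(log_text, pattern):
    """Evaluate every non-empty log line against the pattern."""
    return [acl_view(l, pattern) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for row in scan(SAMPLE_LOG, ".apple.com"):
        print(f"{row['method']:8} request host {row['url_host']!r:22} "
              f"matches={row['url_host_matches']!s:5}  "
              f"sni {row['sni']!r:20} matches={row['sni_matches']}")
```

Run against the posted lines, the CONNECT row reports that '23.63.86.92' does not match .apple.com while the logged SNI 'store.apple.com' does, and the GET row matches on the URL host alone, which is the same split the cache.log and the TCP_DENIED entry show. The Squid documentation's own mechanism for acting on the SNI once it is known is an ssl_bump rule evaluated at the later step (for example an ssl_bump terminate line guarded by an at_step SslBump2 ACL) rather than http_access on the initial CONNECT; that is a pointer to the documented feature, not something this script configures.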
I think these are hangovers from earlier syntax (ssl_bump server-first all) which shouldn't be required under 3.5. Please note that the deprecated server-first is a "bumping" (not splicing!) action, and you may see a lot more information in the bumping-Squid logs, naturally. Alex.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users