Search squid archive

Re: Best way to prevent squid from bumping CONNECTs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Apr 30, 2020 at 04:05:43PM -0400, Alex Rousskov wrote:
> On 4/30/20 12:10 PM, Scott wrote:
> 
> >> * For http_port configured with an ssl-bump flag, HTTP CONNECT tunnels
> >> are sent to the SslBump code.
> >>
> >> * For https_port configured with an ssl-bump flag, all traffic is sent
> >> to the SslBump code (by faking a corresponding HTTP CONNECT request).
> 
> 
> > These `fake' CONNECT requests I assume only contain the IP address of the 
> > upstream server, not the hostname, as intercepted SSL connections are TCP 
> > OPENs.
> 
> Modern Squid replaces TCP-derived destination IP address with TLS
> SNI-derived domain name when generating the second fake CONNECT request.
> The second CONNECT is generated during SslBump step2, after parsing TLS
> client handshake.
> 
> 
> > Am I right then in saying that using ssl::server_name is useless for bumped 
> > intercepted connections?
> 
> It may be useful for ACLs checked during SslBump step2 (because it will
> check the TLS client SNI-derived domain name) and during step3 (when it
> will check TLS server certificate-derived CN and SubjectAltName).

acl tcp_open_connect_sslbump at_step SslBump1
acl ssl_splice_sni ssl::server_name "/usr/local/etc/squid/acls/splice_sni"
acl guest_net_src src x.y.z.0/24

ssl_bump peek tcp_open_connect_sslbump
ssl_bump splice ssl_splice_sni
ssl_bump bump guest_net_src
ssl_bump splice

where I splice instead of bump for destinations that are often used with 
certificate pinning software (.apple.com with iOS for example).

https://wiki.squid-cache.org/Features/SslPeekAndSplice says "At no point 
during ssl_bump processing will dstdomain ACL work".

Does that also imply that `ssl::server_name' won't work (or is not required) 
for `http_access' statements?

I have config like this:

acl no_proxy_dstdomain dstdomain "/usr/local/etc/squid/acls/no_proxy_dstdomain"
http_access deny no_proxy_dstdomain
acl no_proxy_sni ssl::server_name "/usr/local/etc/squid/acls/no_proxy_dstdomain"
http_access deny no_proxy_sni

Are the last two lines redundant?
Or are they required for spliced connections?
Or should I just convert those lines into ssl_bump terminate no_proxy_sni ?

And finally, I want to use a different outgoing tcp address for intercepted 
connections.  What's the best ACL to match those?  Or should I just match 
explicit proxy connections by port? (ie !myport 3128)

Thanks for your help,
Scott

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux