Re: SSL-BUMP 5.0.4 not working as expected

On 3/01/21 9:08 am, ngtech1ltd wrote:
I am trying to configure 5.0.4 with sslbump to bump only a set of domains.

I am unsure about the right way it should be done.

The basic constraints are POLICY vs a set of rules.

  * Should I bump all connections with exceptions?
  * Should I bump none other than the exceptions?
  * Based on server_name regex and/or server_name domains?


In regards to policy:

Security best practice is to reject as early as possible. So transactions that the early bump steps indicate are going to forbidden places should be rejected immediately on that detection.

For transactions which appear to be not-bad, there is no "best" way. That depends on your specific setup needs and the side effects of making a wrong decision.

I prefer to advise bumping at step 3, where the most information is available for checks and correction of client claims.


...
I have tried the following set of rules:

## START
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl NoBump_server_regex ssl::server_name_regex -i /etc/squid/server-regex.nobump
acl NoBump_server_name ssl::server_name /etc/squid/server-name.nobump
acl NoBump_ALL_regex ssl::server_name_regex -i /etc/squid/all_server-regex.nobump
acl MustBump_server_regex ssl::server_name_regex -i /etc/squid/must_server-regex.bump
acl MustBump_server_name ssl::server_name /etc/squid/must_server-name.bump

ssl_bump peek step1
ssl_bump splice NoBump_server_regex
ssl_bump splice NoBump_server_name
ssl_bump bump MustBump_server_regex
ssl_bump bump MustBump_server_name
ssl_bump splice NoBump_ALL_regex
ssl_bump bump all
##END

But the NoBump rules are not applied.

I tried to understand why squid is bumping despite the explicit splice action.

Note that all these splice/bump rules are being applied at step2. There is no step3 taking place.


Does your actual config have the required "" marks around those filenames?

Without them, all your ACLs will not match (SNI vs the name of the file) and the last "bump all" will be applied.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
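The poster's rules rewritten to follow the two points made in the reply: quote the filenames so Squid reads the lists instead of treating the path as a literal server name, and decide splice-or-bump at step 2 (once the SNI is known) while deferring the actual bump to step 3, where the real server certificate has been fetched and checked. This is an added example, not the poster's config or Squid project documentation. The list file paths are the ones from the thread; the forbidden-destinations file and its terminate rule are an assumption added to illustrate the "reject as early as possible" advice.

```squid
# Added example (not from the thread): the poster's rules, corrected.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# The quotes are what make Squid load values from a file. Unquoted, the path
# string itself becomes the single literal server name the ACL matches, so
# nothing ever matches and every connection falls through to the last rule.
acl NoBump_server_regex   ssl::server_name_regex -i "/etc/squid/server-regex.nobump"
acl NoBump_server_name    ssl::server_name          "/etc/squid/server-name.nobump"
acl NoBump_ALL_regex      ssl::server_name_regex -i "/etc/squid/all_server-regex.nobump"
acl MustBump_server_regex ssl::server_name_regex -i "/etc/squid/must_server-regex.bump"
acl MustBump_server_name  ssl::server_name          "/etc/squid/must_server-name.bump"
# Assumed (not in the thread): destinations that must be refused outright.
acl Forbidden_server_name ssl::server_name          "/etc/squid/server-name.forbidden"

# Step 1: only the CONNECT target or intercepted IP is known. Peek so the
# client's SNI becomes available without committing to bump or splice.
ssl_bump peek step1

# Step 2: SNI known. Reject forbidden destinations at the first point they
# can be detected, then settle the direction for everything else.
ssl_bump terminate Forbidden_server_name
ssl_bump splice NoBump_server_regex
ssl_bump splice NoBump_server_name
# "stare" rather than "bump" here: Squid then fetches and validates the real
# server certificate before generating the mimicked one at step 3. Restricting
# these rules to step2 keeps them from being re-evaluated at step 3.
ssl_bump stare step2 MustBump_server_regex
ssl_bump stare step2 MustBump_server_name
ssl_bump splice NoBump_ALL_regex
ssl_bump stare step2

# Step 3: server certificate in hand; bump whatever was stared at.
ssl_bump bump step3
```

With this layout the splice decisions are final at step 2, and the bump happens only after the server side of the handshake has been seen, so an SNI that does not agree with the server's certificate is caught by Squid's certificate checks rather than trusted blindly (the "correction of client claims" in the reply). To confirm which action each connection actually received, add `%ssl::>sni` and `%ssl::bump_mode` to the `logformat` in use and compare the logged mode against the list the SNI should have hit.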