
Re: no ssl intercept - question how it works

Great thanks Amos as always

So shall I leave these ssl_bump lines in

> ssl_bump splice NoSSLIntercept
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all

And delete these

> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all

As you're right, they're both the same; I didn't spot that.

My understanding is that with "no ssl intercept", Squid doesn't even bother to inspect the packets (i.e. man in the middle) and just literally passes them straight to the client.

Is that right?

Thanks,
Rob


On Wed, 11 Aug 2021, 06:48 Amos Jeffries, <squid3@xxxxxxxxxxxxx> wrote:
On 11/08/21 4:56 am, robert k Wild wrote:
> Hi all,
>
> Before I continue, so sorry for the stupid question, but I'm trying to learn.
>
> Basically, here's my squid.conf:
>
> #NO SSL Interception
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointerceptssl.txt"
> ssl_bump splice NoSSLIntercept
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
>
> #SSL Bump
> http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB

Note:

  You already have ssl_bump rules above which either splice or bump at
step 1. These following ssl_bump rules either never get reached, or are
already known to be impossible to perform if they do get reached.


> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> #
> #allow special URL paths
> acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
>
> #deny MIME types
> acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
>
> http_reply_access allow special_url
> http_reply_access deny mimetype
> #
> #HTTP_HTTPS whitelist websites
> acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
>
> #HTTP_HTTPS whitelist websites regex
> acl whitelistreg ssl::server_name_regex "/usr/local/squid/etc/urlregwhite.txt"
>
> http_access allow activation whitelist
> http_access allow activation whitelistreg
> http_access deny all
>
> In my urlwhitelist is this:
>
...
> In my nointerceptssl is this:
>
...

>
> I got all the URLs etc. by looking at tail -f access.log and grepping for the IP
> and "tcp denied".
>
> But when I try to load the Apple App Store, the whitelist isn't enough; I
> need to add a couple of URLs to the nointerceptssl list.
>
> I got that list by doing the same method, i.e. looking at tail -f
> access.log and grepping for the IP, but as I've already whitelisted the URLs
> they all came back as "none" or "ok" instead of saying "tcp denied".
>
> My question is: why do I need to add some URLs to the nointerceptssl list, and
> why isn't it enough just to add them to the urlwhite list?
>

Because you are using those ACLs exclusively for very different things.

  - "whitelist" is being exclusively used to check URI domains found in
HTTP messages (http_access). Here "server name" is the CONNECT tunnel
authority name, the IP's reverse-DNS name, or the decrypted https:// URL
domain. It has nothing to do with the TLS handshake activity.

  - "NoSSLIntercept" is being exclusively used for TLS handshake
decisions (ssl_bump). Here "server name" is the CONNECT tunnel
authority name or raw IP, the TLS SNI, or the server certificate subjectAltName.


You could use whitelist ACL in ssl_bump checks instead of
NoSSLIntercept. At which point the ACL is now being used for both sets
of checks and decisions.


Amos
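The ssl_bump chain Amos is describing, written out as one deduplicated block: peek at step 1 so the SNI becomes available, then splice or bump at step 2. This is an added example rather than either poster's config; the file paths are the ones from the thread, and reusing "whitelist" in ssl_bump is Amos's suggestion, not something Rob's config does.

```squid
# Added example (not the thread's own config). One ssl_bump chain instead of
# the two duplicated blocks in Rob's squid.conf. Paths are from the thread.

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Names that should never be decrypted (passed through untouched).
acl NoSSLIntercept ssl::server_name "/usr/local/squid/etc/nointerceptssl.txt"

# Same list used by http_access; here it is matched against the TLS
# server name (CONNECT authority at step 1, SNI from step 2 onwards).
acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"

# Step 1 (CONNECT / ClientHello): do not decide yet, just look, so that the
# SNI is known when the following rules are evaluated at step 2.
ssl_bump peek step1

# Step 2: server name is now the SNI. Splice the no-intercept sites, and
# (as Amos suggests) optionally whitelisted sites too, so they bypass
# decryption and reach the client as an opaque tunnel.
ssl_bump splice NoSSLIntercept
ssl_bump splice whitelist

# Everything else is decrypted ("bumped"); its requests then pass through
# http_access / http_reply_access exactly like plain HTTP.
ssl_bump bump all

# The earlier "acl step1 / ssl_bump peek step1 / ssl_bump bump all" block is
# dropped: after the chain above has spliced or bumped, it can never match.
```

Spliced connections are never inspected by http_reply_access, so the MIME-type deny list in the thread only applies to the bumped traffic.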
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
