[squid-users] Squid 3 SSL bump: Google drive application could not connect

Rafael Akchurin rafael.akchurin at diladele.com
Tue Dec 30 20:10:12 UTC 2014


Glad that it worked.
May be useful to dump here your squid.conf to better understand how to configure squid to transparently work with wccp traffic coming from your Cisco router?
Raf

From: Yuri Voinov [mailto:yvoinov at gmail.com]
Sent: Tuesday, December 30, 2014 8:48 PM
To: Rafael Akchurin; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect


Already found this lonely right post ;) I have Google-Fu too :) And it longer than you :)

Anyway,

all of these issues solved.

I have snoop (not Windoze wireshark - all great things are made in the console, ya!) and took a look at a single client's traffic during bumping.

As I don't have iptables (no penguins, please!), but I do have a Cisco 2911, I pass some Windows Update, Symantec Update (which does not work either) bypassing Squid.

Cisco is greatest. All others are probably suxx :)

The complete solution looks like:

access-list 121 remark ACL for HTTPS WCCP
access-list 121 remark Squid proxies bypass
access-list 121 deny   ip host 192.168.200.3 any
access-list 121 remark WU bypass
access-list 121 deny tcp any 191.232.0.0 0.7.255.255
access-list 121 deny tcp any 65.52.0.0 0.3.255.255
access-list 121 remark Symantec bypass
access-list 121 deny tcp any host 195.215.221.99
access-list 121 deny tcp any host 195.215.221.104
access-list 121 deny tcp any host 213.248.114.172
access-list 121 deny tcp any host 213.248.114.173
access-list 121 deny tcp any host 213.248.114.174
access-list 121 deny tcp any host 213.248.114.175
access-list 121 deny tcp any host 77.67.22.168
access-list 121 deny tcp any host 77.67.22.171
access-list 121 deny tcp any host 77.67.22.173
access-list 121 deny tcp any host 213.248.114.171
access-list 121 remark LAN clients proxy port 443
access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
access-list 121 remark all others bypass WCCP
access-list 121 deny   ip any any

So, all other issues are solved similarly.

Want to do something good - do it yourself!

That's the way. :)

30.12.2014 23:39, Rafael Akchurin wrote:
> Hello Yuri,
>
> Luckily the same topic was just discussed on our forum – please see if this can help
> https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ
>
> It describes the iptables settings for successful SSL bump exclusions for Dropbox clients / Google Drive / iTunes (bypassing SSL Bump because of SSL Pinning).
>
> Best regards,
> Raf
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Rafael Akchurin
> Sent: Tuesday, December 30, 2014 4:23 PM
> To: Yuri Voinov; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
>
> Only exclusion from SSL Bump as far as I know.
>
> raf
>
> -------------------------
> From: Yuri Voinov <yvoinov at gmail.com>
> Sent: Tuesday, December 30, 2014 3:19 PM
> To: Rafael Akchurin; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
>
> May be.
> Does a workaround exist?
>
> 30.12.2014 20:09, Rafael Akchurin wrote:
> > SSL Pinning? (I know Dropbox does this)
> >
> > my two cents only :)
> >
> > Raf
> >
> > ________________________________________
> > From: squid-users <squid-users-bounces at lists.squid-cache.org> on behalf of Yuri Voinov <yvoinov at gmail.com>
> > Sent: Tuesday, December 30, 2014 2:12 PM
> > To: squid-users at lists.squid-cache.org
> > Subject: [squid-users] Squid 3 SSL bump: Google drive application could not connect
> >
> > Hi gents,
> >
> > I found strange issue.
> >
> > Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs correct.
> >
> > Whenever all web https sites works perfectly - especially in Chrome,
> > most cloud clients works like charm (SpiderOak is!), Google Drive client
> > application (PC) could not work.
> > Note: Web Google Docs works. Web Google drive works.
> >
> > Note: Google support info - even if I pass dozen Google URLs without
> > bump - cannot help. It doesn't work when server-first bumping is on and
> > works otherwise.
> >
> > So, the Serious Question is: Why? :)
> >
> > Any idea?