[squid-users] Squid 3 SSL bump: Google drive application could not connect

Rafael Akchurin rafael.akchurin at diladele.com
Tue Dec 30 20:21:42 UTC 2014


Just for me to completely clarify:

- how exactly does your Squid get the traffic from your clients? (explicit proxy or Cisco WCCP?)

raf
From: Yuri Voinov [mailto:yvoinov at gmail.com]
Sent: Tuesday, December 30, 2014 9:16 PM
To: Rafael Akchurin; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect



To finalize a solution,

see our favorite:

http://www.squid-cache.org/mail-archive/squid-users/201406/0369.html

Why use iptables, ipfilter, Cisco, etc.?!

Only Squid, only hardcore!

Revert the Cisco config:

R2911(config)#no access-list 121
R2911(config)#access-list 121 remark ACL for HTTPS WCCP
R2911(config)#access-list 121 remark Squid proxies bypass
R2911(config)#access-list 121 deny   ip host 192.168.200.3 any
R2911(config)#access-list 121 deny   ip host 192.168.100.251 any
R2911(config)#access-list 121 remark Videoserver
R2911(config)#access-list 121 deny   ip host 192.168.200.5 any
R2911(config)#access-list 121 remark LAN clients proxy port 443
R2911(config)#access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
R2911(config)#access-list 121 remark all others bypass WCCP
R2911(config)#access-list 121 deny   ip any any
R2911(config)#^Z
R2911#wr
Building configuration...
[OK]

Write an ACL file with the IPs/nets that use SSL pinning:

root @ ktulhu /usr/local/squid/etc # cat dst.nobump
# BCC bypass
91.198.63.0/24
# Salyk bypass
212.154.165.148/32
# WU bypass
191.232.0.0/13
65.52.0.0/14
# Symantec bypass
195.215.221.99/32
195.215.221.104/32
213.248.114.172/32
213.248.114.173/32
213.248.114.174/32
213.248.114.175/32
77.67.22.168/32
77.67.22.171/32
77.67.22.173/32
213.248.114.171/32

Add the nets/apps you need to the ACL, to your taste.

Add to squid config:

# SSL bump acl
acl net_bump src "/usr/local/squid/etc/net.bump"
# HTTP-use 443 port apps
acl url_nobump dstdom_regex \.icq\.*
# SSL Pinning servers. Only ip-based dst acl!
acl dst_nobump dst "/usr/local/squid/etc/dst.nobump"

# SSL bump rules
sslproxy_cert_error allow all
ssl_bump none localhost
ssl_bump none url_nobump
ssl_bump none dst_nobump
ssl_bump server-first net_bump

Yahooo! The same result with Squid only!

30.12.2014 23:39, Rafael Akchurin wrote:
> SSL Pinning

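As an added illustration that is not part of either message, this Python script replays the posted ssl_bump ordering (first matching rule wins, no match means the CONNECT is tunneled unbumped) over constructed ACL files, and flags the posted sslproxy_cert_error line, which makes Squid accept any upstream certificate error. The abbreviated dst.nobump contents and the 192.168.0.0/16 net.bump are assumptions; the post does not show net.bump.

```python
import ipaddress
import re

# Constructed sample of the ACL files from the post (dst.nobump abbreviated to
# a few entries; net.bump is an assumption, the post does not show its contents).
DST_NOBUMP = """# Symantec bypass
195.215.221.99/32
213.248.114.172/32
# WU bypass
65.52.0.0/14
"""
NET_BUMP = "192.168.0.0/16\n"

def load_nets(text):
    """Parse a Squid src/dst ACL file: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

ICQ_RE = re.compile(r"\.icq\.*")                   # the post's dstdom_regex
LOCALHOST = ipaddress.ip_network("127.0.0.1/32")  # IPv4 part of Squid's built-in 'localhost' src ACL

def ssl_bump_decision(client_ip, dst_ip, dst_host, dst_nobump, net_bump):
    """Replay the post's ssl_bump lines in order; first match wins, no match means no bump.
    For WCCP-intercepted traffic only dst_ip is known before the bump, so pass dst_host=''."""
    src = ipaddress.ip_address(client_ip)
    dst = ipaddress.ip_address(dst_ip)
    rules = [
        ("none", lambda: src in LOCALHOST),                         # ssl_bump none localhost
        ("none", lambda: ICQ_RE.search(dst_host) is not None),      # ssl_bump none url_nobump
        ("none", lambda: any(dst in n for n in dst_nobump)),        # ssl_bump none dst_nobump
        ("server-first", lambda: any(src in n for n in net_bump)),  # ssl_bump server-first net_bump
    ]
    for action, matches in rules:
        if matches():
            return action
    return "none"

def lint_squid_conf(conf_text):
    """Return warnings for bump settings a reviewer would flag in the posted squid.conf."""
    warnings = []
    for line in conf_text.splitlines():
        if re.match(r"\s*sslproxy_cert_error\s+allow\s+all\b", line):
            warnings.append("sslproxy_cert_error allow all: upstream certificate errors are ignored, "
                            "so bumped clients cannot detect an invalid server certificate")
    return warnings
```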