[squid-users] Squid 3 SSL bump: Google drive application could not connect

Yuri Voinov yvoinov at gmail.com
Tue Dec 30 20:23:03 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
WCCP only, of course. To reduce Cisco CPU usage.

Also, IOS version 15.4 with SECURITYK9 techno pack activated.

31.12.2014 2:21, Rafael Akchurin wrote:
>
> Just for me to completely clarify:
>
> 
>
> - how exactly does your Squid get the traffic from your clients? (explicit proxy or cisco WCCP?)
>
> 
>
> raf
>
> *From:*Yuri Voinov [mailto:yvoinov at gmail.com]
> *Sent:* Tuesday, December 30, 2014 9:16 PM
> *To:* Rafael Akchurin; squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect
>
> 
>
>
> To finalize a solution,
>
> see our favorite:
>
> http://www.squid-cache.org/mail-archive/squid-users/201406/0369.html
>
> Why use iptables, ipfilter,Cisco, etc?!
>
> Only Squid, only hardcore!
>
> Revert cisco config back:
>
> R2911(config)#no access-list 121
> R2911(config)#access-list 121 remark ACL for HTTPS WCCP
> R2911(config)#access-list 121 remark Squid proxies bypass
> R2911(config)#access-list 121 deny   ip host 192.168.200.3 any
> R2911(config)#access-list 121 deny   ip host 192.168.100.251 any
> R2911(config)#access-list 121 remark Videoserver
> R2911(config)#access-list 121 deny   ip host 192.168.200.5 any
> R2911(config)#access-list 121 remark LAN clients proxy port 443
> R2911(config)#access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
> R2911(config)#access-list 121 remark all others bypass WCCP
> R2911(config)#access-list 121 deny   ip any any
> R2911(config)#^Z
> R2911#wr
> Building configuration...
> [OK]
>
> Write an acl file with the IPs/nets that use SSL pinning:
>
> root @ ktulhu /usr/local/squid/etc # cat dst.nobump
> # BCC bypass
> 91.198.63.0/24
> # Salyk bypass
> 212.154.165.148/32
> # WU bypass
> 191.232.0.0/13
> 65.52.0.0/14
> # Symantec bypass
> 195.215.221.99/32
> 195.215.221.104/32
> 213.248.114.172/32
> 213.248.114.173/32
> 213.248.114.174/32
> 213.248.114.175/32
> 77.67.22.168/32
> 77.67.22.171/32
> 77.67.22.173/32
> 213.248.114.171/32
>
> Add the nets/apps you need to the acl as you see fit.
>
> Add to squid config:
>
> # SSL bump acl
> acl net_bump src "/usr/local/squid/etc/net.bump"
> # HTTP-use 443 port apps
> acl url_nobump dstdom_regex \.icq\.*
> # SSL Pinning servers. Only ip-based dst acl!
> acl dst_nobump dst "/usr/local/squid/etc/dst.nobump"
>
> # SSL bump rules
> sslproxy_cert_error allow all
> ssl_bump none localhost
> ssl_bump none url_nobump
> ssl_bump none dst_nobump
> ssl_bump server-first net_bump
>
> Yahooo! The same result with Squid only!
>
> 30.12.2014 23:39, Rafael Akchurin wrote:
> > SSL Pinning
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUowmnAAoJENNXIZxhPexGEtwH/10nuDG9+Z7AG2W+nh64X7JV
5JmvvaC778yUYnMUaPJTLPK3hxVuQshVMaE2x4jhuxBEkhtKPWBJZg8JFLFinzf5
nDINk8zz0j4fLCXmDAJaXz2NMacUviCiKFY8k63SumxKeTIBU20DuLk9glggTpfY
3RgdNWfvmma9iv8QW/s2UJFbRdJS0cLjra4XFFQBZLyGEJPTOcft3slWX3QgHVCD
SB3CZWy2gwbLVphiCiG91HxBtUUUzSLqPc60RdSwOCoSOaBMHZgy8yjZ8VRgQkyi
uz41hhp1mCMfssNjoLdCvr/AxJG990yQ24MiCDuzN9fYVNzUPdXF+q4E5G/avtk=
=FkuL
-----END PGP SIGNATURE-----
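The bypass list quoted in the message above is consulted by a plain `dst` acl, so the "no bump" decision is made on the destination IP alone (that is the point of "Only ip-based dst acl!"). The following is an added example and is not code from the thread or from Squid: a small Python audit that parses the posted `dst.nobump` file (its contents copied from the message into a string), reports which entry would exempt a given destination from bumping, flags entries so wide that they exempt far more than the pinned service, and finds entries nested inside other entries. The function names and the /24 width threshold are my own choices.

```python
"""Audit a Squid 'dst' bypass list used with 'ssl_bump none'.

Added example; not part of the thread or of Squid. The list below is copied
from the dst.nobump file posted in the message above.
"""
import ipaddress

DST_NOBUMP = """\
# BCC bypass
91.198.63.0/24
# Salyk bypass
212.154.165.148/32
# WU bypass
191.232.0.0/13
65.52.0.0/14
# Symantec bypass
195.215.221.99/32
195.215.221.104/32
213.248.114.172/32
213.248.114.173/32
213.248.114.174/32
213.248.114.175/32
77.67.22.168/32
77.67.22.171/32
77.67.22.173/32
213.248.114.171/32
"""


def parse_nobump(text):
    """Parse a Squid 'dst' acl file: one address or CIDR per line, '#' comments,
    blank lines ignored. A bare address without '/' becomes a /32. The most
    recent comment line is kept as the label of the entries that follow it."""
    entries = []
    label = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            label = line.lstrip("#").strip()
            continue
        token = line.split("#", 1)[0].strip()  # tolerate a trailing comment
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: cannot parse {token!r}: {exc}") from exc
        entries.append((net, label))
    return entries


def would_bypass(entries, dst_ip):
    """Return (network, label) of the first entry containing dst_ip, i.e. the
    entry that makes 'ssl_bump none dst_nobump' match, or None if the
    connection would fall through to 'ssl_bump server-first'."""
    addr = ipaddress.ip_address(dst_ip)
    for net, label in entries:
        if addr in net:
            return str(net), label
    return None


def broad_entries(entries, max_prefixlen=24):
    """Entries wider than /max_prefixlen (my threshold). Each one removes
    inspection from a whole block, not just the pinned service inside it.
    Returns (network, label, number of addresses exempted)."""
    return [(str(net), label, net.num_addresses)
            for net, label in entries if net.prefixlen < max_prefixlen]


def nested_entries(entries):
    """Pairs (inner, outer) where one entry lies inside another: the inner line
    is redundant, or a wide bypass quietly covers a host someone meant to list
    explicitly."""
    nested = []
    for inner, _ in entries:
        for outer, _ in entries:
            if inner != outer and inner.subnet_of(outer):
                nested.append((str(inner), str(outer)))
    return nested


if __name__ == "__main__":
    entries = parse_nobump(DST_NOBUMP)
    print(f"{len(entries)} bypass entries")
    for ip in ("213.248.114.173", "191.239.1.1", "8.8.8.8"):
        print(f"{ip:>16} -> {would_bypass(entries, ip)}")
    for net, label, count in broad_entries(entries):
        print(f"WIDE  {net:<18} {label!r} exempts {count} addresses")
    for inner, outer in nested_entries(entries):
        print(f"NESTED {inner} inside {outer}")
```

Run it with `python3 nobump_audit.py` against any `dst`-style file. With the posted list the two `WU bypass` entries stand out: `191.232.0.0/13` and `65.52.0.0/14` together exempt roughly 786,000 addresses from bumping, so anything else that happens to be hosted in those blocks is never inspected either. Two further caveats on the quoted squid.conf: `sslproxy_cert_error allow all` tells Squid to ignore origin certificate validation errors on bumped connections, so the client is handed a valid proxy-signed certificate for a server Squid could not verify; the default, `sslproxy_cert_error deny all`, is the safer setting. And `dstdom_regex \.icq\.*` matches any hostname containing `.icq` followed by zero or more dots, which is broader than the domain separator it appears to target; `\.icq\.` would match that.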
