[squid-users] Assistance with knowing what I'm really trying to do

James Lay jlay at slave-tothe-box.net
Mon Nov 3 12:39:16 UTC 2014


On Mon, 2014-11-03 at 17:22 +1300, Amos Jeffries wrote:
> On 3/11/2014 11:12 a.m., James Lay wrote:
> > A weird question....I guess I need to find out exactly what I'm
> > wanting before going further with trying to get peek to work.  So
> > here's a small example of what I currently have.  From my .conf
> > file:
> > 
> > acl broken_sites dst 23.192.0.0/11
> > http_access allow broken_sites
> > ssl_bump splice broken_sites
> > 
> > logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st
> > %Ss:%Sh %ssl::>cert_subject
> > 
> > This currently works (no cert_subject though)...log entry shown:
> > 
> > Nov  2 14:23:24 gateway (squid-1): 192.168.1.102 - - 
> > [02/Nov/2014:14:23:24 -0700] "CONNECT 23.211.233.155:443 HTTP/1.1"
> > 200 4229 TCP_TUNNEL:ORIGINAL_DST -
> 
> The TCP_TUNNEL tag shows that no bumping was done. Thus no details
> from inside the TLS transaction are available.
> 
> "ssl_bump splice" means the same as "ssl_bump none" ... use the
> non-bumped CONNECT handling.
> 
> 
> > 
> > Now this is required as the above will not function if bumped.
> > 
> > At work, we use a commercial proxy which we do not use any ssl 
> > inspection.  These connections show up as, for example:
> > 
> > tcp://www.whateversite.com  TCP_DENIED
> > 
> > And that's what I'm hoping to achieve here...determine what the
> > site is, and allow or deny it, without having to actually do any
> > SSL inspection.  Will peek/stare accomplish this?  Or am I
> > restricted to bump/inspection only, which for a fair amount of
> > sites (facebook, instagram, google mail, etc) does not work?
> > Thanks all...I appreciate any advice.
> 
> That depends on how you define "SSL inspection". If the TLS details
> are not inspected with peek - then the details you want will not be
> available.
>  You can see that in the above example.
> 
> The ssl_bump access controls are now tested repeatedly in a series of
> "steps" with the first matching action which is valid at the step
> being performed. So I suspect the only working configurations will use
> the at_step ACL type to restrict where the rest of the tests will be
> performed.
> 
> If you look at the documentation for that ACL it shows the steps are
> only before/after the client and server Hello messages.
> 
> I think you want to peek at step SslBump1 and splice at step SslBump3.
> Or maybe peek at step 1 and 2 then splice at 3.
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Thanks Amos.....looks like peek/splice is where this is going, so I'll
continue with this new information about the at_step acl in my other thread.

James
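
An added configuration example, not taken from James's or Amos's messages, showing the at_step sequence Amos describes (peek at SslBump1 and SslBump2, then splice at SslBump3) together with a logformat that records the names learned from the peeked Hellos. The ACL names and the `.blocked.example` hostname are placeholders chosen for this example; the `at_step`, `ssl::server_name`, `%ssl::>sni` and `%ssl::<cert_subject` tokens are Squid 3.5 features.

```conf
# Added example (not from the thread): classify TLS CONNECTs by peeking at
# the client and server Hellos, then tunnel them without decryption.

# at_step ACLs: SslBump1 = after the CONNECT, before the client Hello;
# SslBump2 = after the client Hello; SslBump3 = after the server Hello.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Placeholder hostnames to refuse; ssl::server_name matches the SNI, the
# server certificate name, or the CONNECT host, whichever is known so far.
acl blocked_tls ssl::server_name .blocked.example

# Step 1: peek to learn the client's SNI without altering the client Hello.
ssl_bump peek step1
# Step 2: peek again to learn the server certificate. Because both Hellos
# were only peeked at, splicing at step 3 is guaranteed to work, while a
# later bump would not be.
ssl_bump peek step2
# Step 3: refuse the placeholder names, tunnel everything else unchanged.
ssl_bump terminate blocked_tls
ssl_bump splice all

# Log the SNI and server certificate subject next to the %Ss:%Sh tags, so a
# spliced (TCP_TUNNEL) line still names the site.
logformat tlsaudit %>a [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>sni %ssl::<cert_subject
access_log /var/log/squid/access.log tlsaudit
```

With this sequence the connection is never decrypted, so the site name comes from the TLS handshake metadata (SNI and the server's certificate) rather than from the HTTP request inside it; a transaction that Squid tunnels without peeking, as in the TCP_TUNNEL line quoted above, will still log a dash for both fields.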
