[squid-users] Correctly implementing peak-splice

James Lay jlay at slave-tothe-box.net
Mon Nov 3 13:00:00 UTC 2014


On Mon, 2014-11-03 at 12:24 +0200, Christos Tsantilas wrote:
> On 10/30/2014 02:06 PM, James Lay wrote:
> > Hello all,
> >
> > Here is my complete config for trying out peek/splice.  This currently
> > does not work...is there something obvious that I'm missing?  Current
> > error is:
> >
> > Oct 30 06:03:14 gateway squid: 192.168.1.110 - - [30/Oct/2014:06:03:14 -0600] "GET https://www.google.com/ HTTP/1.1" 503 3854 TAG_NONE:HIER_NONE
> >
> > and on the page I get a 71 protocol error and an SSL3_WRITE_PENDING:bad
> > write retry.
> 
> - You should use at_step acl to configure different bumping modes on 
> each bumping step.
> 
> - If you used "peek" mode on the SslBump1 and SslBump2 steps, then on the 
> SslBump3 step you should use "splice". If you select "bump", the most 
> likely outcome is that you get SSL connection errors.
> The "peek" mode on the SslBump3 step is interpreted as "bump" mode.
> 
> - If you selected peek mode on the SslBump1 and SslBump2 steps, in most 
> cases you can select only "terminate" or "splice" for the SslBump3 step.
> 
> The following configuration should work:
> 
> # Bumping steps:
> acl step1 at_step  SslBump1
> acl step2 at_step  SslBump2
> acl step3 at_step  SslBump3
> 
> # Selecting bumping mode
> ssl_bump peek step1 all
> ssl_bump peek step2 all
> ssl_bump splice step3 all
> 
> Regards,
>      Christos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Thanks Christos,

So here's where I'm at...my full test config below:

acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 777         # multiling http

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl CONNECT method CONNECT
acl allowed_sites url_regex "/opt/etc/squid/url.txt"
acl all_others dst all
acl SSL method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow manager localhost
http_access deny manager

http_access allow allowed_sites
http_access deny all_others
http_access allow localnet
http_access allow localhost

http_access deny all
icp_access deny all

sslproxy_cert_error allow all

sslproxy_options ALL
sslproxy_flags DONT_VERIFY_PEER

ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump splice step3 all

http_port 192.168.1.253:3128 intercept
https_port 192.168.1.253:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key options=ALL sslflags=NO_SESSION_REUSE

always_direct allow all

logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject

access_log syslog:daemon.info common

The above works, but allows all sites regardless of what's in url.txt.
Additionally, there's no logging of any kind.  The allow part makes
sense as this is the last ACL, the no logging part is confusing.  If I
add:

acl broken_sites dst 69.25.139.128/25
acl broken_sites dst 65.55.0.0/16
acl broken_sites dst 72.246.0.0/16
acl broken_sites dst 54.224.0.0/12
acl broken_sites dst 17.0.0.0/8
acl broken_sites dst 69.192.0.0/16
acl broken_sites dst 209.59.128.0/18
acl broken_sites dst 173.194.0.0/16
acl broken_sites dst 107.20.0.0/14
acl broken_sites dst 54.72.0.0/13
acl broken_sites dst 54.80.0.0/12
acl broken_sites dst 23.0.0.0/12
acl broken_sites dst 23.192.0.0/11
acl broken_sites dst 8.25.205.0/24
acl broken_sites dst 75.126.0.0/16
acl broken_sites dst 74.125.0.0/16
acl broken_sites dst 192.195.204.0/24
acl broken_sites dst 96.16.0.0/15

and change to
ssl_bump peek step1 broken_sites
ssl_bump peek step2 broken_sites
ssl_bump splice step3 broken_sites

that works, but again...I get no logging, which is worse than "ssl_bump
splice broken_sites", and defeats the purpose of trying to avoid having
to create the broken_sites ACL in the first place.  Lastly, if I try and
change splice to peek or bump it's broken with odd log entries such as:

Nov  3 05:45:23 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:23 -0700] "GET https://www.google.com/ HTTP/1.1" 503 3854 TAG_NONE:HIER_NONE -
Nov  3 05:45:31 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:31 -0700] "CONNECT 206.190.36.45:443 HTTP/1.1" 403 3402 TCP_DENIED:HIER_NONE -
Nov  3 05:45:31 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:31 -0700] "#026#003#001 %BB/%CESsJ%B3%C2%BC%CC%BD%90 HTTP/1.1" 400 3577 TAG_NONE:HIER_NONE -

Is there something I am missing?  I've been really reading through the
squid site, but I can't find any examples of peek splice.  Thank you.

James
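The log lines James pasted can be classified mechanically, which makes it easier to see which of the three failure modes a given ssl_bump change produces. The following is an added example (not code from the thread or from the Squid project) that parses lines in the "common" logformat from the mail, with its optional syslog prefix, and flags three patterns: a request line whose "method" decodes to the bytes 0x16 0x03 (a TLS handshake record header, meaning a TLS ClientHello was delivered to the plain intercept port and parsed as HTTP), a 503 on a GET https:// URL with HIER_NONE (the client side was bumped, so Squid saw the decrypted request, but no server was ever contacted), and a TCP_DENIED on an intercepted CONNECT to a bare IP (which a url_regex allow-list will not match, so it falls through to the deny). It assumes, as the pasted line shows, that Squid writes non-printable bytes into the log as `#ooo` octal escapes; the sample lines are the mail's own entries re-joined onto one line each.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the wrapped log lines from the mail, re-joined onto one
# line each (the Oct 30 line comes from the first, quoted message).
SAMPLE_LOG = """\
Nov  3 05:45:23 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:23 -0700] "GET https://www.google.com/ HTTP/1.1" 503 3854 TAG_NONE:HIER_NONE -
Nov  3 05:45:31 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:31 -0700] "CONNECT 206.190.36.45:443 HTTP/1.1" 403 3402 TCP_DENIED:HIER_NONE -
Nov  3 05:45:31 gateway (squid-1): 192.168.1.110 - - [03/Nov/2014:05:45:31 -0700] "#026#003#001 %BB/%CESsJ%B3%C2%BC%CC%BD%90 HTTP/1.1" 400 3577 TAG_NONE:HIER_NONE -
Oct 30 06:03:14 gateway squid: 192.168.1.110 - - [30/Oct/2014:06:03:14 -0600] "GET https://www.google.com/ HTTP/1.1" 503 3854 TAG_NONE:HIER_NONE
"""

# Field layout of the "common" logformat in the mail:
#   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
# preceded by an optional syslog prefix such as "Nov  3 05:45:23 gateway (squid-1): ".
LOG_RE = re.compile(
    r'^(?:\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+: )?'
    r'(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+) (?P<code>[A-Z_]+):(?P<hier>[A-Z_]+)'
    r'(?: (?P<cert_subject>.*))?$'
)

# First two bytes of a TLS record carrying a handshake: type 22, major version 3.
TLS_HANDSHAKE_PREFIX = b"\x16\x03"


@dataclass
class LogEntry:
    client: str
    ts: str
    method: str
    url: str
    status: int
    size: int
    code: str
    hier: str
    cert_subject: Optional[str]


def decode_squid_escapes(field: str) -> bytes:
    """Turn Squid's #ooo octal escapes (assumed format) back into raw bytes."""
    text = re.sub(r'#([0-7]{3})', lambda m: chr(int(m.group(1), 8)), field)
    return text.encode('latin-1')


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    return LogEntry(
        client=m['client'], ts=m['ts'], method=m['method'], url=m['url'],
        status=int(m['status']), size=int(m['size']),
        code=m['code'], hier=m['hier'], cert_subject=m['cert_subject'],
    )


def diagnose(entry: LogEntry) -> str:
    """Name the failure pattern an entry matches, or 'ok'."""
    if decode_squid_escapes(entry.method).startswith(TLS_HANDSHAKE_PREFIX):
        # A TLS ClientHello reached a port that parsed it as an HTTP request line.
        return "tls-on-http-port"
    if entry.status == 503 and entry.url.startswith("https://") and entry.hier == "HIER_NONE":
        # Squid logged the decrypted GET (client side bumped) but contacted no server.
        return "bumped-but-no-server"
    if entry.method == "CONNECT" and entry.code == "TCP_DENIED":
        # Intercepted CONNECT to a bare IP denied by http_access (no regex match).
        return "connect-denied"
    return "ok"


def summarize(log_text: str) -> Dict[str, int]:
    """Count failure patterns across a whole log; unparsable lines are skipped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[diagnose(entry)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        print(diagnose(e) if e else "unparsed", "|", line[:80])
    print(summarize(SAMPLE_LOG))
```

Run against a live access_log (`summarize(open(path).read())`), the "tls-on-http-port" count is the quickest way to tell whether port 443 traffic is arriving on the plain `http_port` instead of the `https_port ... ssl-bump` listener, which is a redirect-rule problem rather than an ssl_bump one.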