[squid-users] Correctly implementing peak-splice

James Lay jlay at slave-tothe-box.net
Tue Nov 4 12:26:24 UTC 2014


On Tue, 2014-11-04 at 12:32 +0200, Christos Tsantilas wrote:
> On 11/03/2014 03:00 PM, James Lay wrote:
> >
> > Thanks Christos,
> >
> > So here's where I'm at...my full test config below:
> > ......
> >......
> >
> > logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh %ssl::>cert_subject
> 
> The %ssl::>cert_subject will print the subject of the client 
> certificate, if there is any. In most cases the client does not send any
> certificate.
> Logging the server certificate subject is not yet implemented.
> 
> >
> > The above works, but allows all sites regardless of what's in url.txt.
> 
> If you want to use a list of URLs to restrict the sites which should be bumped,
> you should use an external_acl helper.
> You can send the external_acl helper the client SNI information (at
> at_step SslBump2) and/or the server certificate subject (at at_step
> SslBump3).
> 
> > Additionally, there's no logging of any kind.  The allow part makes
> > sense as this is the last ACL, the no logging part is confusing.  If I
> > add:
> >
> > acl broken_sites dst 69.25.139.128/25
> > acl .....
>  > .....
> > and change to
> > ssl_bump peek step1 broken_sites
> > ssl_bump peek step2 broken_sites
> > ssl_bump splice step3 broken_sites
> 
> This will splice any connection to broken_sites and will not bump any
> other request.
> 
> >
> > that works, but again...I get no logging, which is worse than "ssl_bump
> > splice broken_sites", and defeats the purpose of trying to avoid having
> > to create the broken_sites ACL in the first place.  Lastly, if I try and
> > change splice to peek or bump it's broken with odd log entries such as:
> 
> It will help if you describe what you are trying to do.
> The acl broken_sites includes only IP addresses. It looks like
> peek-and-splice is not needed in your application.
> You can just use "ssl_bump none broken_sites"
> 
> >
> > Nov  3 05:45:23 gateway (squid-1): 192.168.1.110 - -
> > [03/Nov/2014:05:45:23 -0700] "GET https://www.google.com/ HTTP/1.1" 503
> > 3854 TAG_NONE:HIER_NONE -
> > Nov  3 05:45:31 gateway (squid-1): 192.168.1.110 - -
> > [03/Nov/2014:05:45:31 -0700] "CONNECT 206.190.36.45:443 HTTP/1.1" 403
> > 3402 TCP_DENIED:HIER_NONE -
> > Nov  3 05:45:31 gateway (squid-1): 192.168.1.110 - -
> > [03/Nov/2014:05:45:31 -0700] "#026#003#001 %BB/%CESsJ%B3%C2%BC%CC%BD%90
> > HTTP/1.1" 400 3577 TAG_NONE:HIER_NONE -
> >
> > Is there something I am missing?  I've been really reading through the
> > squid site, but I can't find any examples of peek splice.  Thank you.
> >
> > James

Thanks a bunch Christos,

That list of IP's is things like apple.com, textnow.me, and windows
updates...IP's that simply don't bump well.  My setup is a linux box
that's a router...one NIC internal IP, the other external IP.  Via
iptables redirect, I'm transparently intercepting the web traffic of a
few devices, only allowing them access to the list of sites in url.txt.
At issue with using the broken_sites list is that I have to just
specify large chunks of netblocks, which I lose control and visibility
of.  What I'm really hoping for is for a way for squid to be able to, in
my case at least, look at either the server_name extension in the Client
Hello, or, if that's not present, look at the dNSName of certificate
being sent, check the access against url.txt, and either allow or deny.

ssl_bump does work well for most sites...and I understand we are
performing a man-in-the-middle attack so it's not supposed to be easy.
Again my hope isn't really to perform a mitm...more of an access control
type thing.  Thanks again Christos...I hope I explained this well
enough.

James
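As an added example that is not part of this thread or of Squid's own code: a small external_acl helper of the kind Christos describes, which receives the client SNI from the peeked ClientHello at step 2 and answers OK or ERR against a url.txt-style list, so that Squid splices allowed names and terminates the rest without needing a netblock ACL. The squid.conf wiring in the docstring, the helper path, the `%ssl::>sni` format code and the URL-encoded helper input are assumptions about the Squid 3.5 external_acl_type syntax; the sample allowlist is constructed for the example and is not James's url.txt.

```python
#!/usr/bin/env python3
"""Squid external_acl helper: allow a TLS connection only if its SNI is on an
allowlist.  Added example for the thread above, not Squid project code.

Assumed squid.conf wiring (format code and option names are an assumption
about the Squid 3.5 external_acl_type syntax; paths are placeholders):

  external_acl_type sni_check ttl=60 negative_ttl=10 children-max=4 \
      %ssl::>sni /usr/local/bin/sni_acl.py /etc/squid/url.txt
  acl allowed_sni external sni_check
  acl step1 at_step SslBump1
  acl step2 at_step SslBump2
  ssl_bump peek step1
  ssl_bump splice step2 allowed_sni
  ssl_bump terminate all

Helper protocol: one request per line ("<sni>", or "<channel-id> <sni>" when
the external_acl_type has concurrency=N), one "OK" or "ERR" line back, flushed.
Squid passes "-" when the ClientHello carried no server_name extension.
"""
import sys
from urllib.parse import unquote


def parse_allowlist(lines):
    """Split allowlist entries into exact hostnames and dot-prefixed suffixes.

    ".apple.com" allows apple.com and every subdomain (the convention Squid's
    dstdomain acl uses); "textnow.me" allows only that host.  Blank lines and
    '#' comments are ignored.
    """
    exact, suffixes = set(), set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        if entry.startswith("."):
            suffixes.add(entry.lstrip("."))
        else:
            exact.add(entry)
    return exact, suffixes


def is_allowed(sni, exact, suffixes):
    """True if the SNI hostname matches the allowlist; a missing SNI is denied."""
    if not sni or sni == "-":
        return False  # no server_name extension: nothing to check against
    name = sni.strip().lower().rstrip(".")
    if name in exact:
        return True
    labels = name.split(".")
    # try "www.apple.com", then "apple.com", then "com" against the suffix set
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))


def handle_line(line, exact, suffixes, concurrent=False):
    """Turn one helper request line into the response line Squid expects."""
    line = line.rstrip("\r\n")
    channel = ""
    if concurrent:
        channel, _, line = line.partition(" ")  # echo the channel-id back
    sni = unquote(line.strip())  # assumption: default quote=url encoding of fields
    verdict = "OK" if is_allowed(sni, exact, suffixes) else "ERR"
    return f"{channel} {verdict}".strip()


def main(argv):
    args = [a for a in argv[1:] if not a.startswith("--")]
    path = args[0] if args else "/etc/squid/url.txt"  # placeholder path
    with open(path) as f:
        exact, suffixes = parse_allowlist(f)
    concurrent = "--concurrent" in argv
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, exact, suffixes, concurrent) + "\n")
        sys.stdout.flush()  # Squid waits for each answer; never buffer


# Constructed sample allowlist for running the checks offline (not the thread's url.txt).
SAMPLE_ALLOWLIST = ["www.google.com", ".apple.com", "textnow.me", "# comment", ""]

if __name__ == "__main__":
    main(sys.argv)
```

Because the helper denies a missing SNI, a client that sends no server_name is terminated at step 2 rather than checked against the server certificate; covering that case the way James describes (fall back to the certificate names at step 3) would need a second helper fed the server certificate, which this example does not attempt.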
