[squid-users] Correctly implementing peek-splice

James Lay jlay at slave-tothe-box.net
Wed Nov 5 12:40:21 UTC 2014


On Wed, 2014-11-05 at 12:24 +0200, Christos Tsantilas wrote:
> On 11/04/2014 02:26 PM, James Lay wrote:
> >
> > Thanks a bunch Christos,
> >
> > That list of IPs is things like apple.com, textnow.me, and windows
> > updates...IPs that simply don't bump well.  My setup is a linux box
> > that's a router...one NIC internal IP, the other external IP.  Via
> > iptables redirect, I'm transparently intercepting the web traffic of a
> > few devices, only allowing them access to the list of sites in url.txt.
> > At issue with using the broken_sites list, is that I have to just
> > specify large chunks of netblocks, which I lose control and visibility
> > of.  What I'm really hoping for is for a way for squid to be able to, in
> > my case at least, look at either the server_name extension in the Client
> 
> You need to build your own external_acl helper which will take as input 
> the client sni (server_name extension). Read the squid wiki for information 
> about external acl helpers:
>   http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29
> 
> It is easy to build one in perl or as a shell script. I am suggesting to 
> build an external_acl helper which returns "OK" when the sni matches or 
> no sni information exists.
> 
> You can use the following configuration or similar:
> #
> external_acl_type EXTACL %ssl::>sni /path-to-my/external-acl-helper.sh
> acl EXTACL external EXTACL
> 
> acl step1 at_step  SslBump1
> acl step2 at_step  SslBump2
> acl step3 at_step  SslBump3
> 
> # At first step peek all
> ssl_bump peek step1 all
> ssl_bump splice step2 EXTACL
> ssl_bump bump all
> 
> 
> > Hello, or, if that's not present, look at the dNSName of certificate
> > being sent, check the access against url.txt, and either allow or deny.
> 
> In your case the server certificate information will not work well. At 
> the time this information is available:
>      1) in peek mode, you can not bump any more
>      2) in stare mode, you can not splice any more.
> There are exceptions to the above rules (for example in case the client 
> uses the same SSL library as squid) but the SSL protocol is safe 
> enough to not allow us to make something better than this.
> 
> Regards,
>     Christos
> 
> >
> > Ssl_bump does work well for most sites...and I understand we are
> > performing a man in the middle attack so it's not supposed to be easy.
> > Again my hope isn't really to perform a mitm...more of an access control
> > type thing.  Thanks again Christos...I hope I explained this well
> > enough.
> >
> > James
> >
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Thanks so much Christos for taking time with this.  I'll give the helper
a go and report my results here.

James
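Christos's suggestion above (an external_acl helper fed `%ssl::>sni` that answers OK when the name is allowed or no SNI was sent), as an added example that is not part of the thread: a POSIX sh helper matching the quoted `external_acl_type` line. It assumes Squid sends one value per line (no `concurrency=` option), uses "-" for a missing SNI, and that url.txt holds one hostname per line; the sample list is constructed, and parent-domain matching (www.apple.com allowed by apple.com) is my choice, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread: Squid external_acl helper for
# "external_acl_type EXTACL %ssl::>sni /path-to-my/external-acl-helper.sh".
# Assumptions: no concurrency= option (one SNI per input line), Squid sends
# "-" when no SNI is available, and url.txt lists one hostname per line.
ALLOW_FILE="${ALLOW_FILE:-/etc/squid/url.txt}"

# Constructed sample of url.txt for testing; prints the temp file's path.
make_sample_allow_file() {
    f=$(mktemp)
    printf 'apple.com\ntextnow.me\n' > "$f"
    echo "$f"
}

# Decide for one SNI value: prints OK (splice) or ERR, returns 0 or 1.
sni_decision() {
    sni="$1"
    # No SNI in the ClientHello: answer OK so the connection is spliced.
    if [ -z "$sni" ] || [ "$sni" = "-" ]; then
        echo OK; return 0
    fi
    # Normalise (lower-case, drop trailing dot), then accept an exact match
    # or any parent domain from the list (www.apple.com -> apple.com).
    host=$(printf '%s' "$sni" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    while [ -n "$host" ]; do
        if grep -qixF -- "$host" "$ALLOW_FILE"; then
            echo OK; return 0
        fi
        case "$host" in
            *.*) host="${host#*.}" ;;   # strip the leftmost label
            *)   break ;;
        esac
    done
    echo ERR; return 1
}

# Main loop: Squid writes one request line and expects exactly one reply.
helper_loop() {
    while read -r sni _rest; do
        sni_decision "$sni" || true
    done
}

# Serve requests only when run as the helper itself, so the functions can
# also be sourced and exercised without a running Squid.
case "${0##*/}" in
    external-acl-helper.sh) helper_loop ;;
esac
```

Deploy it as /path-to-my/external-acl-helper.sh (the name the config quotes), make it executable, and watch cache.log for helper start-up errors before relying on the splice decision.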


