[squid-users] Peek and Splice for websites using HSTS

Amos Jeffries squid3 at treenet.co.nz
Sat Apr 11 00:23:55 UTC 2015


On 11/04/2015 2:22 a.m., Ashish Patil wrote:
> Hello,
> 
> I am trying to set up Peek and Splice using Squid 3.5.3. I'm facing issues
> setting it up for website that have HSTS enabled, like google.com and
> twitter.com.

Those websites don't just have HSTS enabled. Those two in particular have
HTTP/2, SPDY, and WebSockets operating over port 443 as well.

> 
> My squid.conf is:
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl/myCA.pem
> acl step3 at_step SslBump3
> acl sslBumpAllowedDstDomain dstdomain google.co.in
> ssl_bump peek step3 all
> ssl_bump splice sslBumpAllowedDstDomain
> ssl_bump bump all

What you have configured is to:

* splice (tunnel) if the reverse-DNS of 173.194.117.24 == google.co.in.
  - I doubt this will ever match, because Google reverse-DNS usually
names machines from the *.1e100.net domain.

NOTE: google.* domains are their public forward-DNS entries from the
encrypted URLs. You have to decrypt/bump to see those.

* bump everything else.

* peek will never happen because the connection was spliced or bumped at
step 1; step3 is never reached.

> 
> The output of access.log is:
> 1428674512.281    511 192.168.3.31 TCP_MISS/301 634 GET http://google.co.in/ - ORIGINAL_DST/173.194.117.23 text/html
> 1428674512.703    348 192.168.3.31 TCP_MISS/302 1106 GET http://www.google.co.in/ - ORIGINAL_DST/173.194.117.24 text/html

Two HTTP requests were intercepted, using port 3128 by the looks of your
config.


> 1428674512.706      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.24:443 - HIER_NONE/- -
> 1428674512.711      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.24:443 - HIER_NONE/- -
> 1428674515.883      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674515.956      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674515.965      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674516.006      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674526.310      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674526.327      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674526.335      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -
> 1428674526.411      0 192.168.3.31 TAG_NONE/200 0 CONNECT 173.194.117.22:443 - HIER_NONE/- -

10 other connections were bumped or spliced. Your log does not continue
long enough to say what was in them, so maybe spliced, or they just took
>14 seconds to first request completion.

Amos
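The step-by-step evaluation Amos describes (first matching ssl_bump rule wins at each step, a splice/bump decision is final, and at step 1 of an intercepted connection only the destination IP and its reverse DNS are available) can be walked through with a small model. The following is an added example written for this archive page, not Squid's own code and not posted by either participant. It simplifies Squid's semantics in ways labelled in the comments: `dstdomain` is compared only against reverse DNS at step 1, `ssl::server_name` against the SNI at step 2 and the certificate subject at step 3, an unmatched step is treated as a tunnel, and the reverse-DNS name and the "corrected" rule set (peek at step 1, splice by `ssl::server_name`) are constructed for illustration rather than taken from the thread.

```python
"""Toy model of Squid's three-step ssl_bump evaluation (example, not Squid code)."""
from dataclasses import dataclass

FINAL_ACTIONS = {"splice", "bump", "terminate"}  # these end evaluation


@dataclass
class TlsConnection:
    """What Squid can know about one intercepted TLS connection, step by step."""
    dst_ip: str
    rdns: str = ""      # reverse DNS of dst_ip: the only name known at step 1
    sni: str = ""       # ClientHello server_name: known only after peeking at step 1
    cert_cn: str = ""   # server certificate subject: known only after peeking at step 2


def domain_matches(name, pattern):
    """dstdomain-style match: a leading '.' also matches subdomains."""
    if not name:
        return False
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def acl_matches(acl, conn, step):
    """Evaluate one ACL against what is visible at the given SslBump step."""
    kind, value = acl
    if kind == "all":
        return True
    if kind == "at_step":
        return step == value
    if kind == "dstdomain":
        # Simplification per the thread: on an intercepted connection the only
        # name dstdomain can compare at step 1 is the reverse DNS of the IP.
        return domain_matches(conn.rdns, value)
    if kind == "ssl::server_name":
        # Simplification: SNI at step 2, certificate subject at step 3.
        return domain_matches({2: conn.sni, 3: conn.cert_cn}.get(step, ""), value)
    raise ValueError(f"unsupported acl type {kind!r}")


def evaluate(rules, conn):
    """Return [(step, action), ...]: the first rule whose ACLs all match decides
    the step; splice/bump/terminate ends evaluation, so later steps never run."""
    trace = []
    for step in (1, 2, 3):
        action = "splice"  # assumption: no matching rule behaves as 'none' (tunnel)
        for candidate, acls in rules:
            if all(acl_matches(acl, conn, step) for acl in acls):
                action = candidate
                break
        trace.append((step, action))
        if action in FINAL_ACTIONS:
            break
    return trace


# The rule set quoted in the thread, rule by rule, in evaluation order.
ORIGINAL_RULES = [
    ("peek",   [("at_step", 3), ("all", None)]),      # ssl_bump peek step3 all
    ("splice", [("dstdomain", "google.co.in")]),      # ssl_bump splice sslBumpAllowedDstDomain
    ("bump",   [("all", None)]),                      # ssl_bump bump all
]

# Constructed alternative (assumption, not from the thread): peek first so the
# SNI becomes visible, then decide on the name the client actually asked for.
CORRECTED_RULES = [
    ("peek",   [("at_step", 1)]),                         # ssl_bump peek step1
    ("splice", [("ssl::server_name", ".google.co.in")]),  # ssl_bump splice <server_name acl>
    ("bump",   [("all", None)]),                          # ssl_bump bump all
]

# Constructed connection: IP from the quoted log, reverse-DNS name made up in
# the *.1e100.net style Amos mentions, SNI/cert values illustrative.
GOOGLE_CONN = TlsConnection("173.194.117.24", rdns="lhr08s01-in-f24.1e100.net",
                            sni="www.google.co.in", cert_cn="www.google.com")
OTHER_CONN = TlsConnection("203.0.113.10", rdns="web.example.net",
                           sni="www.example.net", cert_cn="www.example.net")


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        for conn in (GOOGLE_CONN, OTHER_CONN):
            print(f"{label:9} {conn.dst_ip:15} -> {evaluate(rules, conn)}")
```

With the original rules the trace for the Google connection stops at step 1 with `bump`: the `peek` rule cannot match because `at_step` is 3, `dstdomain` is compared against a `1e100.net` reverse-DNS name, and `bump all` then makes a final decision, so step 3 is never evaluated. With the constructed alternative the same connection peeks at step 1 and splices at step 2 on the SNI, while a non-Google connection peeks and is then bumped.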

