[squid-users] squid 3.5.3 can't get peek and splice to not bump certain sites

Nathan Hoad nathan at getoffmalawn.com
Mon Apr 13 00:25:28 UTC 2015 

Hi Stan,

For peek and splice, you need to decide based on the SNI name, not the
domain name, which for 3.5 means you need to use an external ACL
helper that processes %ssl::>sni. For 4.0 there will be a server_name
ACL you can use instead.

On top of that, you also need to make sure this external ACL helper
runs at the correct "bump step", with the at_step ACL, e.g...

external_acl_type sni ttl=30 concurrency=X children-max=Y
children-startup=Z %ssl::>sni /path/to/your/helper

acl sni_exclusions external sni
acl tcp_level at_step SslBump1
acl client_hello_peeked at_step SslBump2

ssl_bump peek tcp_level all
ssl_bump splice client_hello_peeked sni_exclusions
ssl_bump bump all

Hope that helps,

Nathan.

On 13 April 2015 at 04:12, Stanford Prescott <stan.prescott at gmail.com> wrote:
> I would like to give my users the ability to "not bump" certain sites. I
> tried to use the examples given on the SSLPeekandSplice wiki page but can't
> get it to work.
>
> This is a snippet of my squid.conf file.
>
> https_port 192.168.10.1:808 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
>
> http_port 192.168.20.1:800 intercept
> https_port 192.168.20.1:808 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
>
> http_port 127.0.0.1:800 intercept
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslproxy_session_cache_size 4 MB
>
> acl serverIsBank dstdomain wellsfargo.com
>
> ssl_bump server-first all
>
> ssl_bump none localhostgreen
> ssl_bump none localhostpurple
>
> ssl_bump splice serverIsBank
> ssl_bump peek all
> ssl_bump bump all
> sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s
> /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
>
> When I start squid I don't get any error messages and all pages, http and
> https, load properly. The problem is, using the example above, the
> https://www.wellsfargo.com website is still getting bumped, evidenced by the
> appearance of the ssl website in the web proxy access logs. When I don't
> have ssl_bump enabled then no https websites appear in the access logs, as
> it should be. But, enabling ssl_bump and peek and splice, web sites that I
> am trying not to bump still seem to be getting bumped.
>
> Any suggestions on how to properly "not bump" certain websites.
>
> Thanks,
>
> Stan
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>

More information about the squid-users mailing list