[squid-users] squid 3.5.3 can't get peek and splice to not bump certain sites

Nathan Hoad nathan at getoffmalawn.com
Mon Apr 13 02:37:27 UTC 2015


Hi Stan,

So one of the things that peek and splice added was support for the
Server Name Indication SSL extension, which lets Squid make bumping
decisions more accurately based on the hostname, rather than the IP
address. Prior to this, bumping on only the IP address caused issues
for virtual hosting and such.

As for a good write-up, this is about the best you can get, which
covers the protocol itself:
http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29

Essentially external ACLs are processes that Squid will write
"requests" to, which are line-based and configured according to the
format specifiers in your external_acl_type directive. The helper
process should read the request and decide if it's a "match", then
write back to Squid, which Squid will take action on. All
communication is over standard input/output.

Writing external ACLs is usually quite specialised to the situation,
so it's difficult to find concrete examples that will do what you
want. Using the configuration I mentioned earlier, you could write a
simple helper like so (this one is in Python):

import sys

# readline() returns one request per call; read() would block until
# Squid closes the pipe, so the helper would never answer anything.
line = sys.stdin.readline()

# run loop until an empty read, which indicates the process should shut down.
while line:
    # with concurrency=X the request line is "<channel-id> <sni>"
    concurrency_id, sni = line.split()

    if sni == 'wellsfargo.com':
        sys.stdout.write('%s OK\n' % concurrency_id)
    else:
        sys.stdout.write('%s ERR\n' % concurrency_id)
    # Squid waits for the reply, so push it out of the stdio buffer now.
    sys.stdout.flush()

    line = sys.stdin.readline()

So when Squid sends a request to the helper process, if the servername
is for 'wellsfargo.com', it will be considered a match, i.e. it will
not be bumped, else it won't match, so it will be bumped later in the
SSL bump process.

If you need clarification on anything, feel free to ask! This is quite
a bit of information to absorb I know :)

Hope that helps,

Nathan.
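A fuller version of the helper described above, added here as an example and not code from Nathan or the Squid project. It assumes the external_acl_type line from this thread (a concurrency channel id followed by %ssl::>sni, so each request is "<id> <sni>"), and it adds what a deployed helper needs that the minimal one leaves out: subdomain matching (a browser sends www.wellsfargo.com, which a bare string comparison against wellsfargo.com never matches), tolerance for an absent SNI, a BH reply for malformed input instead of a crash, and a flush after every reply. The allow-list contents are constructed for illustration.

```python
#!/usr/bin/env python
"""Squid external ACL helper that matches on the TLS SNI value.

Added example (not Nathan's helper nor Squid project code). Assumes the
external_acl_type line from the thread, i.e. a "concurrency=" channel id
followed by %ssl::>sni, so each request line looks like "<id> <sni>".
"""
import sys

# Constructed allow-list of hosts whose TLS sessions should be spliced.
SPLICE_HOSTS = frozenset(['wellsfargo.com'])


def sni_matches(sni, hosts):
    """True if the SNI equals one of the hosts or is a subdomain of one.

    Comparing only against 'wellsfargo.com' would miss
    'www.wellsfargo.com', which is what the browser actually sends.
    """
    sni = sni.strip().lower().rstrip('.')
    # '-' is Squid's usual placeholder for a value it could not obtain
    if not sni or sni == '-':
        return False
    for host in hosts:
        if sni == host or sni.endswith('.' + host):
            return True
    return False


def decide(request_line, hosts=SPLICE_HOSTS):
    """Turn one request line into the reply line Squid expects.

    With concurrency enabled the reply is "<id> OK" or "<id> ERR".
    A line we cannot parse gets BH (broken helper), which Squid logs
    and treats as a non-match, instead of an unhandled exception that
    would kill the helper process.
    """
    fields = request_line.split()
    if not fields:
        return 'BH\n'
    channel_id = fields[0]
    if len(fields) < 2:
        return '%s BH\n' % channel_id
    verdict = 'OK' if sni_matches(fields[1], hosts) else 'ERR'
    return '%s %s\n' % (channel_id, verdict)


def serve(instream, outstream, hosts=SPLICE_HOSTS):
    """Answer request lines until EOF; returns how many were handled."""
    handled = 0
    for line in iter(instream.readline, ''):
        outstream.write(decide(line, hosts))
        outstream.flush()  # Squid waits for the reply; never leave it buffered
        handled += 1
    return handled


if __name__ == '__main__':
    serve(sys.stdin, sys.stdout)
```

Point the external_acl_type directive from the thread at this file and keep concurrency= set, since decide() expects the channel id as the first token; with concurrency disabled the request line would carry the SNI alone and the id handling would have to be dropped.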

On 13 April 2015 at 12:01, Stanford Prescott <stan.prescott at gmail.com> wrote:
> Thanks for your response, Nathan. I'm sure what you suggest would be very
> helpful, if I knew anything about ACL helpers and how to use them to not
> bump certain sites. I'm thinking the sni is what is actually used to
> identify the sites to not bump?
>
> Is there a good write-up somewhere of how to create these ACL helpers and
> how to use them?
>
> On Sun, Apr 12, 2015 at 8:25 PM, Nathan Hoad <nathan at getoffmalawn.com>
> wrote:
>>
>> Hi Stan,
>>
>> For peek and splice, you need to decide based on the SNI name, not the
>> domain name, which for 3.5 means you need to use an external ACL
>> helper that processes %ssl::>sni. For 4.0 there will be a server_name
>> ACL you can use instead.
>>
>> On top of that, you also need to make sure this external ACL helper
>> runs at the correct "bump step", with the at_step ACL, e.g...
>>
>> external_acl_type sni ttl=30 concurrency=X children-max=Y
>> children-startup=Z %ssl::>sni /path/to/your/helper
>>
>> acl sni_exclusions external sni
>> acl tcp_level at_step SslBump1
>> acl client_hello_peeked at_step SslBump2
>>
>> ssl_bump peek tcp_level all
>> ssl_bump splice client_hello_peeked sni_exclusions
>> ssl_bump bump all
>>
>> Hope that helps,
>>
>> Nathan.
>>
>> On 13 April 2015 at 04:12, Stanford Prescott <stan.prescott at gmail.com>
>> wrote:
>> > I would like to give my users the ability to "not bump" certain sites. I
>> > tried to use the examples given on the SSLPeekandSplice wiki page but
>> > can't get it to work.
>> >
>> > This is a snippet of my squid.conf file.
>> >
>> > https_port 192.168.10.1:808 intercept ssl-bump
>> > generate-host-certificates=on
>> > dynamic_cert_mem_cache_size=4MB
>> > cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
>> >
>> > http_port 192.168.20.1:800 intercept
>> > https_port 192.168.20.1:808 intercept ssl-bump
>> > generate-host-certificates=on
>> > dynamic_cert_mem_cache_size=4MB
>> > cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
>> >
>> > http_port 127.0.0.1:800 intercept
>> >
>> > sslproxy_cert_error allow all
>> > sslproxy_flags DONT_VERIFY_PEER
>> > sslproxy_session_cache_size 4 MB
>> >
>> > acl serverIsBank dstdomain wellsfargo.com
>> >
>> > ssl_bump server-first all
>> >
>> > ssl_bump none localhostgreen
>> > ssl_bump none localhostpurple
>> >
>> > ssl_bump splice serverIsBank
>> > ssl_bump peek all
>> > ssl_bump bump all
>> > sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s
>> > /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
>> > sslcrtd_children 5
>> >
>> >
>> > When I start squid I don't get any error messages and all pages, http
>> > and https, load properly. The problem is, using the example above, the
>> > https://www.wellsfargo.com website is still getting bumped, evidenced by
>> > the appearance of the ssl website in the web proxy access logs. When I
>> > don't have ssl_bump enabled then no https websites appear in the access
>> > logs, as it should be. But, enabling ssl_bump and peek and splice, web
>> > sites that I am trying not to bump still seem to be getting bumped.
>> >
>> > Any suggestions on how to properly "not bump" certain websites.
>> >
>> > Thanks,
>> >
>> > Stan
>> >
>> > _______________________________________________
>> > squid-users mailing list
>> > squid-users at lists.squid-cache.org
>> > http://lists.squid-cache.org/listinfo/squid-users
>> >
>
>