[squid-users] HTTPS intercept, simple configuration to avoid bank bumping

Yuri Voinov yvoinov at gmail.com
Mon Jan 26 17:53:49 UTC 2015


You can't use a dstdomain ACL to disable bumping.

Only dst with IPs.

You don't know site FQDN before bump. :)

On 26.01.2015 23:48, Josep Borrell wrote:
>
> Hi all,
>
> Working on squid 3.5.1 with HTTPS interception.
>
> Trying to make a peek/splice configuration work and avoid bank bumping.
>
> Until now bumping is working fine, but I can't avoid bumping the sites in the ACL. All are bumped.
>
> Can anybody share a working configuration or take a look at mine to find why it is not working.
>
> Thanks
>
> Josep
>
> Squid.conf:
>
> # HTTPS (SSL) traffic interception options
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> acl disable-ssl-bump dstdomain -i "/etc/squid3/no-ssl-bump.acl"
> acl step1 at_step SSLBump1
> acl step2 at_step SSLBump2
> acl step3 at_step SSLBump3
>
> ssl_bump peek step1 all
> ssl_bump splice step2 disable-ssl-bump
> ssl_bump stare step2 all
> ssl_bump splice step3 disable-ssl-bump
> ssl_bump bump step3 all
>
> http_access allow all
>
> http_port 3128
> http_port 8080 intercept
> https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squidcert.pem
>
> forward_max_tries 25
> cache_mem 2 GB
> maximum_object_size_in_memory 25 MB
> maximum_object_size 1 GB
>
> visible_hostname squid-v2
>
> workers 3
>
> coredump_dir /var/spool/squid3
> cache_replacement_policy heap LFUDA
> cache_dir rock /var/spool/squid3/cache1 4000 max-size=32000
> cache_dir rock /var/spool/squid3/cache2 10000
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 10080
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 80% 10080
>
> # FortiGate interface of wccp
> wccp2_router 192.168.111.1
> # wccp version 2 configuration
> wccp2_service standard 90
> # tunneling method GRE for forward traffic
> wccp2_forwarding_method gre
> # tunneling method GRE for return traffic
> wccp2_return_method gre
> # which interface to use for WCCP (0.0.0.0 determines the interface from routing)
> wccp2_address 0.0.0.0
>
> /etc/squid3/no-ssl-bump.acl file:
> .bancsabadell.com
> .lacaixa.com
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

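A peek/splice section that matches the bank list against the TLS server name (SNI) instead of using dstdomain, added here as an editor's example rather than a configuration from the thread. It keeps Josep's ACL file and step layout and relies on Squid 3.5's ssl::server_name ACL, which at step 2 matches the SNI learned by peeking at step 1, whereas dstdomain on an intercepted connection only sees the destination IP at that point.

```conf
# Added example (not from the thread): splice the banks on the SNI learned
# at step 1 and bump everything else. Ports, cache and WCCP settings from
# the original squid.conf are unchanged and omitted here.
# Step names are spelled as in the Squid documentation.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Same list file as before (.bancsabadell.com, .lacaixa.com), but matched
# against the TLS server name rather than the request's destination domain.
acl no-bump-sni ssl::server_name "/etc/squid3/no-ssl-bump.acl"

# Step 1: only the TCP destination is known. Peek at the client hello to
# learn the SNI without committing to bump or splice yet.
ssl_bump peek step1 all

# Step 2: the SNI is now available. Splice the banks (plain tunnel, no
# forged certificate), stare at everyone else so step 3 can bump them.
ssl_bump splice step2 no-bump-sni
ssl_bump stare step2 all

# Step 3: bump whatever was stared at in step 2.
ssl_bump bump step3 all
```

The SNI is supplied by the client and not authenticated, so this exemption trusts whatever name the client presents; peeking at step 2 as well lets the decision also consider the server certificate, at the cost of some ability to bump afterwards.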


