[squid-users] ssl_crtd breaks after short time

Klavs Klavsen kl at vsen.dk
Tue Jun 9 06:44:13 UTC 2015


Hi,

James Lay just replied to me with his current config (pretty much like 
what he posted), and it seems he does not even try to use http_access 
rules to filter on URLs from HTTPS requests.

@Amos: are you certain that there's not an error in how http_access 
rules are applied to bumped connections?

What I noted was:

Instead of having:
http_access allow CONNECT bumpedPorts

he has:
http_access allow SSL_ports

which somehow seems to work instead.

He only uses http_access allow rules for HTTP sites; he filters HTTPS 
on domain only, using:
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump bump allowed_https_sites
ssl_bump terminate !allowed_https_sites

In my access log (using James Lay's format) Squid only logs CONNECT, 
so it seems it's not registering the step AFTER CONNECT as something 
separate, which would explain why it's not applying http_access 
filtering to it?

10.xx.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT 64.233.184.94:443 HTTP/1.1" www.google.dk - 200 20042 TCP_TUNNEL:ORIGINAL_DST peek
10.xx.131.244 - - [09/Jun/2015:08:40:19 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28295 TCP_TUNNEL:ORIGINAL_DST peek
10.xx.131.244 - - [09/Jun/2015:08:42:30 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28258 TCP_TUNNEL:ORIGINAL_DST peek


Amos Jeffries wrote on 06/05/2015 12:18 AM:
> On 5/06/2015 3:34 a.m., Klavs Klavsen wrote:
>> I would be perfectly fine with allowing the SSL bumping to finish for
>> ALL https sites - and then only block when the http request comes..
>>
>> I'm hoping someone can tell me what I've done wrong in my config.. I'm
>> obviously not understanding how it works when https is involved.. it
>> works as intended with http..
>
> It should be working. I'm a bit confused myself now why that CONNECT
> line would be matching the decrypted requests, they definitely should
> not be having the CONNECT request method as they are destined to an
> origin server.
>
> We've missed something basic, and will probably kick ourselves at how
> simple when it's revealed. :-(
>   All I can think of now is that James' log format should be indicating
> more clearly what's going on than the default Squid one will.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


-- 
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer
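The log excerpt above is the useful clue: a bumped connection logs the CONNECT entry plus one entry per decrypted origin request, with that request's real method and https:// URL (Amos makes the same point in his reply), whereas a connection that was only peeked and then tunnelled logs nothing but CONNECT / TCP_TUNNEL, so there is no decrypted request for http_access to filter. The script below, an added example written for this thread and not something posted by Klavs, James or the Squid project, parses lines in the layout inferred from the quoted access.log (that layout is an assumption), groups them by client and SNI, and reports which pairs ever produced a decrypted request. The sample lines are constructed: the first three mirror the post, the last two illustrate what a bumped connection is expected to look like, and the exact CODE:HIER shown on the bumped CONNECT entry is assumed.

```python
"""Group a Squid ssl_bump access.log by (client, SNI) and report whether any
decrypted origin requests were logged for each pair.  Hypothetical helper
written for this thread; the log layout below is inferred from the quoted
lines and is an assumption."""
import re
from collections import defaultdict

# Assumed layout:
#   client - - [timestamp] "METHOD URL HTTP/v" sni - status bytes CODE:HIER bump_mode
LINE_RE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<sni>\S+) - (?P<status>\d+) (?P<bytes>\d+) '
    r'(?P<code>[A-Z_]+):(?P<hier>[A-Z_]+) (?P<mode>\S+)$'
)

# Constructed sample.  Lines 1-3 mirror the post (peek, then tunnelled);
# lines 4-5 show a bumped connection: the CONNECT entry (CODE:HIER assumed)
# plus the decrypted GET that http_access actually gets to evaluate.
SAMPLE_LOG = """\
10.0.131.244 - - [09/Jun/2015:08:40:15 +0200] "CONNECT 64.233.184.94:443 HTTP/1.1" www.google.dk - 200 20042 TCP_TUNNEL:ORIGINAL_DST peek
10.0.131.244 - - [09/Jun/2015:08:40:19 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28295 TCP_TUNNEL:ORIGINAL_DST peek
10.0.131.244 - - [09/Jun/2015:08:42:30 +0200] "CONNECT 72.51.34.34:443 HTTP/1.1" lwn.net - 200 28258 TCP_TUNNEL:ORIGINAL_DST peek
10.0.131.250 - - [09/Jun/2015:08:43:01 +0200] "GET https://example.com/ HTTP/1.1" example.com - 200 1256 TCP_MISS:ORIGINAL_DST bump
10.0.131.250 - - [09/Jun/2015:08:43:02 +0200] "CONNECT 93.184.216.34:443 HTTP/1.1" example.com - 200 0 TCP_TUNNEL:HIER_NONE bump
this line is not an access.log entry and is skipped
"""


def parse_line(line):
    """Return the parsed fields of one line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize(log_text):
    """Map (client, sni) -> counts of CONNECT entries and decrypted requests.

    A decrypted request is any non-CONNECT method with an https:// URL; only
    a bumped connection can produce one.  Grouping rather than relying on
    line order matters because the CONNECT entry of a bumped connection is
    written when that connection ends, i.e. after the requests it carried.
    """
    groups = defaultdict(lambda: {"connects": 0, "decrypted": 0,
                                  "modes": set(), "codes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        g = groups[(rec["client"], rec["sni"])]
        g["modes"].add(rec["mode"])
        g["codes"].add(rec["code"])
        if rec["method"] == "CONNECT":
            g["connects"] += 1
        elif rec["url"].startswith("https://"):
            g["decrypted"] += 1
    for g in groups.values():
        g["verdict"] = "bumped" if g["decrypted"] else "tunnelled"
    return dict(groups)


def report(summary):
    """Render the summary as one line per (client, sni) pair."""
    lines = []
    for (client, sni), g in sorted(summary.items()):
        if g["verdict"] == "bumped":
            note = "%d decrypted request(s) reached http_access" % g["decrypted"]
        else:
            note = "only CONNECT logged; nothing decrypted for http_access to filter"
        lines.append("%s %s: %s CONNECT, modes=%s, codes=%s -> %s" % (
            client, sni, g["connects"], ",".join(sorted(g["modes"])),
            ",".join(sorted(g["codes"])), note))
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; if every HTTPS pair comes out as "tunnelled", the http_access rules written for decrypted requests never had anything to match, and the ssl_bump step sequence (peek/bump/splice) is what to look at rather than the http_access ordering.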
