[squid-users] 3.5.4 need more help with peek and splice and external helper

Stanford Prescott stan.prescott at gmail.com
Wed May 6 22:58:49 UTC 2015


I have still been trying to get peek and splice to work. Specifically I
want to allow the admins of our firewall distro to enter websites that they
do not want to bump on the squid UI page. I have been fiddling with info
that Amos and Nathan have provided me but with no success so far. Here is a
snippet of squid.conf with most of the pertinent SSL configuration.

http_access allow localhostgreen
http_access allow CONNECT localhostgreen

# http_port and https_port
#----------------------------------------------------------------------------

http_port 192.168.100.1:800 intercept
https_port 192.168.100.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem

http_port 127.0.0.1:800 intercept

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_session_cache_size 4 MB

ssl_bump none localhostgreen

external_acl_type sni ttl=30 concurrency=60 children-max=3 children-startup=1 %ssl::>sni /var/smoothwall/mods/proxy/libexec/bumphelper

acl sni_exclusions external sni
acl tcp_level at_step SslBump1
acl client_hello_peeked at_step SslBump2

ssl_bump none localhostgreen

ssl_bump peek tcp_level all
ssl_bump splice client_hello_peeked sni_exclusions
ssl_bump bump all

sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5


These were provided by Nathan to try. He also provided an example helper
script in python to try, but our distro doesn't grok python so I tried to
get it translated to perl and this is what I came up with.

#!/usr/bin/perl
use strict;
use warnings;

# Squid talks to the helper over a pipe: autoflush STDOUT so every answer is
# written immediately instead of sitting in Perl's block buffer.
$| = 1;

# run loop until an empty read, which indicates the process should shut
# down.
while (<STDIN>)
{
  chomp;
  # Squid sends "<concurrency-id> <sni>" (external_acl_type ... %ssl::>sni)
  my ($concurrency_id, $sni) = split;
  next unless defined $concurrency_id;

  if (defined $sni && $sni eq 'wellsfargo.com')
  {
     print "$concurrency_id OK\n";
  }
  else
  {
     print "$concurrency_id ERR\n";
  }
}


When I start Squid with this configuration, the helper script "bumphelper"
gets loaded as a process along with squid and ssl_crtd. When I try to
browse any SSL websites there is no connection and it times out. HTTP
browsing is fine. When I remove those peek and splice related lines and add
"ssl_bump server-first all" back to squid conf then bumping of SSL sites is
successful.

I suspect my "bumphelper" script is not doing what I intend it to do.

Suggestions very welcome.

Stan
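Added example, not part of the post above or of the Squid project: a Perl external_acl_type helper in the shape this configuration needs (concurrency channel id echoed back, STDOUT autoflushed, OK/ERR replies) that reads the admin-entered "do not bump" sites from a file instead of hard-coding one hostname. The list path, its one-domain-per-line format and the 30-second re-read interval are assumptions for this example; matching is exact or by subdomain, and a request with no SNI (Squid sends "-" for a missing value) is answered ERR so it falls through to the bump rule.

```perl
#!/usr/bin/perl
# Example Squid 3.5 external ACL helper: answers "OK" when the peeked SNI is
# on an admin-maintained exclusion list, so "ssl_bump splice ... sni_exclusions"
# matches for those sites. Paths and file format are assumptions.
use strict;
use warnings;

# Squid waits for each reply on a pipe; without autoflush Perl block-buffers
# STDOUT and the client connection just times out.
$| = 1;

my $list_file = '/var/smoothwall/mods/proxy/etc/nobump.list';  # assumed path
my $ttl       = 30;                                             # re-read interval, seconds
my @domains;
my $loaded_at = 0;

# Load the exclusion list: one domain per line, '#' comments allowed.
sub load_list {
    my @d;
    if (open my $fh, '<', $list_file) {
        while (my $line = <$fh>) {
            $line =~ s/#.*//;           # strip comments
            $line =~ s/^\s+|\s+$//g;    # trim whitespace
            next unless length $line;
            push @d, lc $line;
        }
        close $fh;
    }
    @domains   = @d;    # an unreadable file yields an empty list: nothing is spliced
    $loaded_at = time;
}

# True when $sni equals a listed domain or is a subdomain of one.
sub excluded {
    my ($sni) = @_;
    return 0 unless defined $sni && length $sni;
    $sni = lc $sni;
    $sni =~ s/\.$//;    # drop a trailing dot
    for my $d (@domains) {
        return 1 if $sni eq $d || $sni =~ /\.\Q$d\E$/;
    }
    return 0;
}

# Main loop: with concurrency=N Squid sends "<channel-id> <sni>" per lookup and
# expects "<channel-id> OK|ERR" back. An empty read means Squid shut us down.
while (my $line = <STDIN>) {
    chomp $line;
    my ($id, $sni) = split ' ', $line, 2;
    next unless defined $id;
    load_list() if time - $loaded_at >= $ttl;
    # Squid substitutes "-" when the client sent no SNI: treat as not excluded
    $sni = undef if defined $sni && $sni eq '-';
    print "$id ", (excluded($sni) ? 'OK' : 'ERR'), "\n";
}
```

To try it outside Squid, run the script and type a line such as "0 online.wellsfargo.com" on its stdin; it should answer "0 OK" when wellsfargo.com is in the list file and "0 ERR" otherwise. Because the helper only ever sees the SNI, anything it whitelists is decided on a client-supplied name, so the list should hold exactly the sites the admins intend to leave unbumped.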

