[squid-users] squid 3.5.3 can't get peek and splice to not bump certain sites

Stanford Prescott stan.prescott at gmail.com
Thu May 7 02:24:20 UTC 2015


Jason helped me a lot although I am still having trouble getting that
helper working. It got to the point that only the website I didn't want
bumped was getting bumped because I had my logic switched in the helper
script to nothing getting bumped at all. Jason pointed out that I appear to
be using transparent intercept proxy and that I shouldn't do that until I
have everything worked out with the regular proxy since bumping is
difficult to do with transparent proxy.

I have been using transparent proxy (intercept) with the https_port
declaration with great success so far as seen here

http_port 192.168.100.1:800 intercept
https_port 192.168.100.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem


For peek and splice should I not be using intercept?

I will give your suggestions a try and get back to you.

Also, I apologize for inadvertently not including our correspondence in the
squid-users list. I was just clicking the reply button not realizing it
wasn't a "reply all". I think I've figured out how to include the
list in replies.

Thanks Nathan.

Stan

On Wed, May 6, 2015 at 8:15 PM, Nathan Hoad <nathan at getoffmalawn.com> wrote:

> Hi Stan,
>
> Yep, I think the server_name acl in 3.5.4 should provide what you want
> without the need for an external acl now. I haven't used it as the
> external acl fits my use case. I imagine doing something like this
> should work for server_name though...
>
> acl sni_exclusions ssl::server_name wellsfargo.com
> acl tcp_level at_step SslBump1
> acl client_hello_peeked at_step SslBump2
>
> ssl_bump peek tcp_level all
> ssl_bump splice client_hello_peeked sni_exclusions
> ssl_bump bump all
>
> Hopefully your other issue with your perl helper hanging has been
> resolved by Jason's recommendation! Though if this does what you want,
> you may not need the helper.
>
> Also, please try to keep messages to the mailing list - this is all
> information that will help others :)
>
> Thanks,
>
> Nathan.
>
> On 5 May 2015 at 13:20, Stanford Prescott <stan.prescott at gmail.com> wrote:
> > Hi Nathan. I have decided to try to go ahead and try to get peek and
> > splice working for Squid on the Smoothwall Express firewall distro since
> > we will not be able to migrate to Squid 4.x when it debuts. You previously
> > kindly offered an example of a squid.conf setup for me to try to get it
> > working.
> >
> > external_acl_type sni ttl=30 concurrency=X children-max=Y
> > children-startup=Z %ssl::>sni /path/to/your/helper
> >
> > acl sni_exclusions external sni
> > acl tcp_level at_step SslBump1
> > acl client_hello_peeked at_step SslBump2
> >
> > ssl_bump peek tcp_level all
> > ssl_bump splice client_hello_peeked sni_exclusions
> > ssl_bump bump all
> >
> > Amos says he has backported a server_name acl with the 3.5.4 release.
> > Does this now mean that the "external_acl_type" is no longer needed for
> > this sort of function? Specifically, I want to be able to allow my users
> > to enter websites that they do not want bumped, like banking websites. I
> > wasn't able to get the squid.conf and helper script example you provided
> > to work for me.
> >
> > Does the new server_name acl change how this can be done? Would you be
> > able to provide a new example for me to try based on this new acl in
> > squid 3.5.4?
> >
> > Any help is greatly appreciated.
> >
> > Stan
> >
> >
> > On Sun, Apr 12, 2015 at 7:25 PM, Nathan Hoad <nathan at getoffmalawn.com>
> > wrote:
> >>
> >> Hi Stan,
> >>
> >> For peek and splice, you need to decide based on the SNI name, not the
> >> domain name, which for 3.5 means you need to use an external ACL
> >> helper that processes %ssl::>sni. For 4.0 there will be a server_name
> >> ACL you can use instead.
> >>
> >> On top of that, you also need to make sure this external ACL helper
> >> runs at the correct "bump step", with the at_step ACL, e.g...
> >>
> >> external_acl_type sni ttl=30 concurrency=X children-max=Y
> >> children-startup=Z %ssl::>sni /path/to/your/helper
> >>
> >> acl sni_exclusions external sni
> >> acl tcp_level at_step SslBump1
> >> acl client_hello_peeked at_step SslBump2
> >>
> >> ssl_bump peek tcp_level all
> >> ssl_bump splice client_hello_peeked sni_exclusions
> >> ssl_bump bump all
> >>
> >> Hope that helps,
> >>
> >> Nathan.
> >>
> >> On 13 April 2015 at 04:12, Stanford Prescott <stan.prescott at gmail.com>
> >> wrote:
> >> > I would like to give my users the ability to "not bump" certain
> >> > sites. I tried to use the examples given on the SSLPeekandSplice wiki
> >> > page but can't get it to work.
> >> >
> >> > This is a snippet of my squid.conf file.
> >> >
> >> > https_port 192.168.10.1:808 intercept ssl-bump
> >> > generate-host-certificates=on
> >> > dynamic_cert_mem_cache_size=4MB
> >> > cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
> >> >
> >> > http_port 192.168.20.1:800 intercept
> >> > https_port 192.168.20.1:808 intercept ssl-bump
> >> > generate-host-certificates=on
> >> > dynamic_cert_mem_cache_size=4MB
> >> > cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
> >> >
> >> > http_port 127.0.0.1:800 intercept
> >> >
> >> > sslproxy_cert_error allow all
> >> > sslproxy_flags DONT_VERIFY_PEER
> >> > sslproxy_session_cache_size 4 MB
> >> >
> >> > acl serverIsBank dstdomain wellsfargo.com
> >> >
> >> > ssl_bump server-first all
> >> >
> >> > ssl_bump none localhostgreen
> >> > ssl_bump none localhostpurple
> >> >
> >> > ssl_bump splice serverIsBank
> >> > ssl_bump peek all
> >> > ssl_bump bump all
> >> > sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s
> >> > /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
> >> > sslcrtd_children 5
> >> >
> >> >
> >> > When I start squid I don't get any error messages and all pages, http
> >> > and https, load properly. The problem is, using the example above, the
> >> > https://www.wellsfargo.com website is still getting bumped, evidenced
> >> > by the appearance of the ssl website in the web proxy access logs. When
> >> > I don't have ssl_bump enabled then no https websites appear in the
> >> > access logs, as it should be. But, enabling ssl_bump and peek and
> >> > splice, web sites that I am trying not to bump still seem to be getting
> >> > bumped.
> >> >
> >> > Any suggestions on how to properly "not bump" certain websites?
> >> >
> >> > Thanks,
> >> >
> >> > Stan
> >> >
> >> > _______________________________________________
> >> > squid-users mailing list
> >> > squid-users at lists.squid-cache.org
> >> > http://lists.squid-cache.org/listinfo/squid-users
> >> >
> >
> >
>
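An added example, not code from this thread or from the Squid project, of the external ACL helper that Nathan's 3.5 configuration invokes at /path/to/your/helper: it reads one %ssl::>sni value per request line, prefixed by a channel id whenever concurrency=X is set, and replies OK only for names that should be spliced (the inverse of what Stan's switched logic did). The exclusion list, the `--no-concurrency` flag and the function names are constructed for the example.

```python
"""Squid 3.5 external ACL helper for SNI-based peek/splice exclusions.

Wire protocol (external_acl_type ... %ssl::>sni):
  request:  "<channel-id> <sni>\n"   (channel-id present only when concurrency>0)
  response: "<channel-id> OK\n" / "<channel-id> ERR\n"
OK means "sni_exclusions matched", so the ssl_bump splice rule fires.
"""
import re
import sys

# Constructed exclusion list; a real deployment would load it from a file the users edit.
SPLICE_DOMAINS = {"wellsfargo.com"}

_HOSTNAME = re.compile(r"^[a-z0-9.-]+$")


def sni_matches(sni, domains=SPLICE_DOMAINS):
    """True when the SNI equals an excluded domain or is a subdomain of one.

    At SslBump1 no ClientHello has been read yet, so Squid passes "-" (or nothing);
    that must never match, otherwise every TLS connection would be spliced.
    """
    if not sni or sni == "-":
        return False
    name = sni.strip().lower().rstrip(".")
    if not _HOSTNAME.match(name):
        return False
    return any(name == d or name.endswith("." + d) for d in domains)


def handle_line(line, concurrent=True):
    """Turn one request line from Squid into the reply line to send back (None for blank)."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None
    if concurrent:
        # First token is the channel id; it MUST be echoed back or Squid waits forever.
        chan, sni = parts[0], (parts[1] if len(parts) > 1 else "")
        return f"{chan} {'OK' if sni_matches(sni) else 'ERR'}"
    return "OK" if sni_matches(parts[0]) else "ERR"


def main():
    concurrent = "--no-concurrency" not in sys.argv[1:]
    for line in sys.stdin:
        reply = handle_line(line, concurrent)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()  # unflushed replies are a classic cause of a "hanging" helper


if __name__ == "__main__":
    main()
```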