[squid-users] SSL Peek and Splice

James Lay jlay at slave-tothe-box.net
Thu Oct 1 11:51:37 UTC 2015


On Thu, 2015-10-01 at 13:26 +0200, Job wrote:

> Hello,
> 
> by reading the 3.5 Squid version "Peek and splice" features:
> http://wiki.squid-cache.org/Features/SslPeekAndSplice
> 
> I would like to ask you two questions, please:
> 
> 1. In this implementation, do I have to install the self-made Certification Authority as for SSL Bump?
> 2. How can I block a domain (dstdomain with squid) with Peek and Splice? It seems not possible from reading the document.
> 
> Thank you for your patience and many thanks!
> 
> Francesco
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


I've found that with peek/splice, instead of stare/bump, I did not need
to install the certificate on the end device (daughter got a new phone
and I forgot to install it...still worked anyway...cool).

Config below for exactly what you're wanting...change netblocks to what
you're using and change cert locations and what not.  Before just doing
a copy/paste and go, I would recommend reading the docs to get a better
understanding of what the below directives mean.  The file http_url.txt
is regex so it will have entries like \.apple\.com.

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
# one unanchored regex per line, e.g. \.apple\.com
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SSL_ports
http_access allow allowed_http_sites
http_access deny all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# peek at the ClientHello to learn the SNI, then splice (pass through)
# only the allowed server names; everything else is terminated
ssl_bump peek all
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all

sslproxy_capath /etc/ssl/certs

sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

access_log syslog:daemon.info mine

refresh_pattern -i (cgi-bin|\?) 0       0%      0
refresh_pattern .               0       20%     4320

coredump_dir /opt/var

James
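An added example, not part of James's post or of Squid itself: a small Python simulation of the ssl_bump decision the config above makes at step 2 (peek all, splice on SNI match, terminate otherwise). The allow list is a constructed stand-in for /opt/etc/squid/http_url.txt; it also shows why an unanchored entry like \.apple\.com matches more (and less) than intended, and an anchored form that does not.

```python
import re

# Constructed stand-in for /opt/etc/squid/http_url.txt: one unanchored
# regex per line, in the style the post describes ("\.apple\.com").
ALLOW_LIST_TEXT = r"""
\.apple\.com
\.example\.org
"""


def anchor(pattern):
    """Rewrite a loose '\\.domain\\.tld' entry so it matches only that
    domain and its subdomains, not any SNI merely containing the string."""
    body = pattern[2:] if pattern.startswith(r"\.") else pattern
    return r"(^|\.)" + body + "$"


def load_patterns(text, anchored=False):
    """Compile one regex per non-blank, non-comment line, as Squid does
    for a quoted-file ACL. Case-sensitive, matching Squid without -i."""
    pats = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pats.append(re.compile(anchor(line) if anchored else line))
    return pats


def sni_allowed(sni, patterns):
    """Mirror of 'acl allowed_https_sites ssl::server_name_regex':
    an unanchored search of each pattern against the SNI."""
    return any(p.search(sni) for p in patterns)


def ssl_bump_decision(sni, patterns):
    """Walk the post's ssl_bump rules in order for one TLS connection:
       step1: 'peek all'                     -> read SNI from ClientHello
       step2: 'splice allowed_https_sites'   -> pass through if SNI matches
              'terminate all'                -> otherwise close it
    A ClientHello without SNI has nothing to match and is terminated."""
    if sni is None:
        return "terminate"
    return "splice" if sni_allowed(sni, patterns) else "terminate"
```

Note that no CA is involved in either branch, which is why a spliced connection works on a device without the proxy certificate installed.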