[squid-users] Squid 3.5.10 SSL Bump whitelist domains

Thu Oct 22 14:05:48 UTC 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Never - I repeat, never! - Do not copy other people's pieces config, if
you do not understand what they mean.

It is not necessary to engage in copy-paste. In the case of
configurations need to thoroughly understand what you are doing.

net_bump is from _my_ config, this is acl contains SRC networks from LAN.

22.10.15 20:01, luizcasey at gmail.com пишет:
> Here is the config I am currently using based on your suggestion earlier. However it does not
start. I have also added some questions to each for verification
purposes to make sure I am understanding what is actually going on.
>
> https_port 4827 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt
key=/etc/squid/certs/squid.key
> http_port 3401 intercept
>
> logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
> access_log /var/log/squid/access.log squid
>
> cache deny all < — No caching.
>
> acl step1 at_step SslBump1 <— What is this doing ??
> acl whitelist_ssl ssl::server_name
"/etc/squid/git_allowed_domains/allowed_domains” <— Create whitelist for
SSL
>
> ssl_bump peek step1   <— Try to find server_name ?
> ssl_bump splice whitelist_ssl <— Ignore whitlist_ssl domains and let
it through
> ssl_bump bump net_bump <— ??? This I don’t get since there is no
net_bump acl ? Should this just be all ?
> ssl_bump splice all <— Splice everything else that couldn’t be bumped ??
>
> acl http proto http  <— Allow http photo
> acl whitelist dstdomain
"/etc/squid/git_allowed_domains/allowed_domains” <— Create whitelist for
http
>
> acl https proto https  <— Allow https
> acl port_80 port 80  <— Allow port 80. Is this redundant ??
> acl port_443 port 443 < — Allow port 443. Is this redundant ??
>
> http_access allow http port_80 whitelist    <— Allow whitelisted
domains on port 80
> http_access allow https port_443 whitelist_ssl <— Allow whitelisted
domains on 443
>
> http_access deny al <— Deny all
>
>
> #######LOGS
>
> 2015/10/22 09:41:10| Processing: access_log /var/log/squid/access.log
squid
> 2015/10/22 09:41:10| Processing: cache deny all
> 2015/10/22 09:41:10| Processing: acl step1 at_step SslBump1
> 2015/10/22 09:41:10| Processing: acl whitelist_ssl ssl::server_name
"/etc/squid/git_allowed_domains/allowed_domains"
> 2015/10/22 09:41:10| Processing: ssl_bump peek step1
> 2015/10/22 09:41:10| Processing: ssl_bump splice whitelist_ssl
> 2015/10/22 09:41:10| Processing: ssl_bump bump net_bump     <——— I
assume again this is because no all for net_bump.
> 2015/10/22 09:41:10| ACL not found: net_bump
> FATAL: Bungled /etc/squid/squid.conf line 22: ssl_bump bump net_bump
> Squid Cache (Version 3.5.10): Terminated abnormally.
> CPU Usage: 0.012 seconds = 0.003 user + 0.009 sys
> Maximum Resident Size: 26208 KB
> Page faults with physical i/o: 0
>
>
> If I change "ssl_bump bump net_bump" to "ssl_bump bump all” It starts
up but it still fails to allow any https through even those on the
whitelist_ssl file but allows http to those domains. Not sure what I am
doing wrong here.
>
>
>> On Oct 21, 2015, at 8:16 PM, luizcasey at gmail.com wrote:
>>
>> Alex,
>> So what do you recommend to do here ? I just need a simple whitelist
file for both http/https. I have a config that works on 3.4 but would
like to upgrade to 3.5 and the current config we have won't cut it. Just
need a simple if you are in this list allow if not deny. No need for any
ssl validation or anything.
>>
>>> On Oct 21, 2015, at 6:49 PM, Alex Rousskov
<rousskov at measurement-factory.com> wrote:
>>>
>>>> On 10/21/2015 02:49 PM, Yuri Voinov wrote:
>>>>
>>>> Working config snippet for 3.5.x looks like this:
>>>>
>>>> ssl_bump peek get_sni_at_step1
>>>> ssl_bump splice spliced_hosts
>>>> ssl_bump bump net_bump
>>>
>>>
>>> The above config leaves the following question unanswered:
>>>
>>> Q: What happens if neither spliced_hosts nor net_bump match at bumping
>>> step #2?
>>>
>>>
>>> Leaving questions unanswered is a bad idea for ssl_bump rules because
>>> defaults are complex (and used to be broken). To answer that question
>>> (instead of forcing Squid to guess the answer), add a forth catch-all
>>> rule. For example, this is how the latest Squids would guess:
>>>
>>> ssl_bump peek step1
>>> ssl_bump splice spliced_hosts
>>> ssl_bump bump net_bump
>>> ssl_bump splice all
>>>
>>>
>>> If spliced_hosts ACL negation works reliably, then the above is
>>> equivalent to:
>>>
>>> ssl_bump peek step1
>>> ssl_bump bump !spliced_hosts net_bump
>>> ssl_bump splice all
>>>
>>> but I recommend avoiding ACL negation in the actual rules.
>>>
>>>
>>> Finally, please make sure your http_access rules correctly handle
>>> CONNECT requests (real for forwarded connections and fake ones for
>>> intercepted connections). This may be difficult to do right now due to
>>> bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340
>>>
>>>
>>> HTH,
>>>
>>> Alex.
>>> P.S. I renamed get_sni_at_step1 to step1 in the above examples because
>>> that ACL itself does not know anything about SNI and does not force
>>> Squid to get SNI.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWKO08AAoJENNXIZxhPexGCjsH/3uivwA/CxDXlucn109VAETi
pyZt8EbAI+0a6q8dETuEGnQO6O80TZCoN5oGGdfUJT/8n4zels5JnLk92VA1v3PJ
A29aoj7VCSuD7xUMZfdku0Aq9f7imLm6nCiLGD1W7WS54MtofCtyfQFsoIpp9Edi
XtE9Cbe8E+NWddneXOZlR/pDNOkYPf9vXqkqqM2oYpD22pHdkAFD8vNWCgZwa7p1
oUDenZACXbOZIuWG7c8NflPuPT4TqQShAC/YwB7MGm78OrNAg9K2ZH8yQ3xN/ftY
y68x+77XY0L7fyZxqeD6gXoELOtoqfpoKR097nmj80dVlqAX6xZkB8PRjVOK+2o=
=q9Gf
-----END PGP SIGNATURE-----