[squid-users] kinda confused about Peek and Splice

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 17 15:17:57 UTC 2015


On 09/17/2015 04:00 AM, Marek Serafin wrote:
> Hello, I'm kinda confused about the "Peek and Splice" technique
> introduced in Squid 3.5.x.
> ----------------------
> My goal is to allow CONNECT-method ONLY to certain web-pages (mainly
> banks, payment systems). The rest of https-sites should be always bumped.
> ---------------------
> And this can be easily achieved even in squid 3.3 (I'm talking about
> situation where browser is totally aware of using proxy server -- not
> transparent mode).
> 
> But when Squid allows CONNECT method - it allows any kind of TCP tunnel
> (e.g. OpenVPN over TCP or ssh tunnel).
> 
> So, my real question is - if it's possible - using the new technique
> (Peek and Splice) to allow Splice method - but ONLY to real HTTPS sites
> - not an ssh or VPN service?

The short answer to your question is "when splicing, it is only possible
to check whether the service is using SSL". Here are the details:

* Peeking or staring at step1 results in Squid parsing the client SSL
Hello. This does not guarantee that the client is an HTTPS client, but
it virtually guarantees that it is an SSL client.

* Peeking or staring at step2 results in Squid validating the server
certificate. This does not guarantee that the server is an HTTPS server,
but it virtually guarantees that it is an SSL server.

* Beyond step2, you have to bump to check that the SSL client and the
SSL server are going to talk HTTP after CONNECT and SSL handshake. There
is and will be no way around that. Staring allows you to bump if that is
what you want.

... where "X at stepN" means "action X matched at SslBump step #N".


However, your question seems to contradict your goal of splicing
connections to "certain" known servers and only to those servers: If you
know that example.com is a trusted bank, do you really need to check
that nobody is creating an ssh connection to that bank? If not, then
validating "bank" traffic beyond SSL handshake becomes irrelevant. You
simply trust the "bank" not to provide any "bad" services.


> (I'm still talking about the situation where browsers are aware of
> proxying)

Browser awareness does not really matter as far as non-HTTP detection is
concerned.


> I was thinking that it can be done by peeking in step 2 (peeking at the
> server certificate) BUT there is a limitation: peeking at the server
> certificate usually precludes future bumping. So when we're peeking at
> step 2 we can only splice later (or terminate) - which is not what I
> wanted to achieve.

You do not need to bump to validate the server certificate (and, hence,
confirm that it is a known-to-you "bank"). If you want to bump, you can
stare instead of peeking.


> What is the main advantage of "Peek and
> Splice" compared to the old method (remember: browsers are aware of proxying)?
> I can see an advantage in transparent mode - obtaining the domain name by SNI.
> But in "normal mode" squid knows the domain-name because of the connect
> request?

In some cases, the CONNECT request contains an IP address instead of a
domain name.


HTH,

Alex.
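Added example (not from the thread or the Squid project): a squid.conf fragment for a browser-aware proxy that follows the approach Alex describes: peek at step1 so the client Hello is parsed, peek at step2 only for the bank list so Squid validates the server certificate, splice those at step3, and bump everything else. The bank domains, certificate paths and helper path are placeholders.

```conf
# Added example, not from the original thread. Paths and domains are placeholders.
# Forward proxy port with SslBump; generated certificates are signed by
# the proxy CA that the browsers must trust.
http_port 3128 ssl-bump \
    cert=/etc/squid/proxyCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# SslBump steps: 1 = after the CONNECT request, 2 = after the client Hello
# (SNI available), 3 = after the server Hello and certificate.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Servers that may be spliced. At step2 this matches the SNI; at step3 it also
# matches the name in the validated server certificate (placeholder domains).
acl banks ssl::server_name .bank.example .payments.example

# Step1: always peek so the client Hello is parsed, even when the CONNECT
# request carried only an IP address instead of a domain name.
ssl_bump peek step1

# Step2: for bank names, peek again so Squid fetches and validates the
# server certificate before committing to a tunnel.
ssl_bump peek step2 banks

# Step3: splice only when the validated server name is still a bank.
# Having peeked at step2, Squid can no longer bump, so anything else that
# reaches step3 is terminated rather than left to the bump rule below.
ssl_bump splice step3 banks
ssl_bump terminate step3

# Everything else is bumped at step2; bumping is the only way to see whether
# HTTP actually follows the CONNECT and the SSL handshake.
ssl_bump bump all
```

Spliced bank connections remain raw TCP tunnels after the handshake, so this configuration only confirms that the peer is an SSL server with a certificate for a listed name, exactly the limit Alex describes.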