[squid-users] filtering http(s) sites, transparently
James Lay
jlay at slave-tothe-box.net
Mon Apr 4 12:18:59 UTC 2016
On Sun, 2016-04-03 at 21:18 -0700, Jok Thuau wrote:
> I'm attempting to build a transparent proxy (policy based routing on
> firewall to squid proxy) with the following behavior:
>
> 1) proxies http traffic for a given set of domains, provide a message
> otherwise such as "domain not allowed" or similar
> 2) proxies https traffic for a given set of domains (ideally, splicing
> those, so as not to break HSTS, if enabled), otherwise provide an
> error message (bumping and providing "domain not allowed")
>
> I'm attempting this with a 3.5.15 compiled with icap (not yet used)
> and ssl-bumping.
>
> Part 1 seems easy enough (and is well documented)...
>
> acl whitelist dstdomain .domain1.tld
>
> acl whitelist dstdomain .domain2.tld
>
> acl http_ok all-of whitelist !SSL_ports
>
> http_access allow http_ok
> http_access deny all
>
> Moving onto Part 2 (the peek and splice setup) appears to be the topic
> of a few discussions out there...
>
> acl sni_whitelist ssl::server_name .domain1.tld
> acl sni_whitelist ssl::server_name .domain2.tld
>
> # step1 is not a built-in acl; it has to be defined with at_step before use
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice sni_whitelist
> ssl_bump bump all
>
> It appears however that when combining the two, the generated
> certificate(s), instead of mimicking the original server's certificate,
> comes out with the CN=<IP> where <IP> is the IP used by the "connect"
> part of the connection. In addition, it appears that only the first
> entry ever matches (at this point, I've tried so many combinations,
> I'm no longer certain of anything).
>
> If I remove *all* the http_access lines, then the behavior appears
> correct (from a "splicing/bumping" standpoint).
>
> Can anyone confirm that this is indeed possible to achieve?
>
> I believe, based on experimentation, that any http_access I have,
> because of the "deny all", causes the bumping to "short circuit" and
> effectively send an early "access denied" based on the only
> information it has (the IP address from the "connect", rather than the
> SNI that would come later).
>
> Would a setup where "deny http+!whitelist" so have the allow be the
> default allow for the bumping to work and get to step2 and match the
> sni* acls somehow? (with a "deny step2 !sni_whitelist").
>
> Is 3.5.15 capable of doing this? If this requires some feature/effort,
> what would be the procedure to sponsor that work?
>
> Thanks,
> Jok
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
This may assist:
http://article.gmane.org/gmane.comp.web.squid.general/114389
James
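The quoted message turns on one point: at SslBump step1 an intercepting proxy has seen only the TCP destination IP, while the server name that an `ssl::server_name` acl needs travels inside the TLS ClientHello, which is only visible after peeking (step2). The following Python is an added example, not code from the thread or from the Squid project: it parses a raw ClientHello record, pulls out the SNI host name (RFC 6066 server_name extension), and applies the same dot-prefixed suffix match that the `.domain1.tld` acls in the post use. The `build_client_hello` helper and all byte strings are constructed here for the demonstration; the whitelist suffixes are assumed values.

```python
"""Extract the TLS SNI host name from a raw ClientHello record.

Added example (not from the squid-users thread). It shows that the name
an SNI-based acl matches on is inside the ClientHello: a proxy that has
only seen the destination IP (Squid's SslBump step1) cannot know it yet,
and a record without an SNI extension yields nothing to match at all.
"""
import struct


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None.

    None means the bytes are not a ClientHello or carry no server_name
    extension (the situation where only the destination IP is known).
    """
    # TLS record header: content_type(1) version(2) length(2)
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake
        return None
    body = record[5:5 + _u16(record, 3)]
    # Handshake header: msg_type(1) length(3)
    if len(body) < 4 or body[0] != 0x01:            # 0x01 = client_hello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    off = 2 + 32                                    # client_version + random
    if len(hello) < off + 1:
        return None
    off += 1 + hello[off]                           # session_id
    if len(hello) < off + 2:
        return None
    off += 2 + _u16(hello, off)                     # cipher_suites
    if len(hello) < off + 1:
        return None
    off += 1 + hello[off]                           # compression_methods
    if len(hello) < off + 2:
        return None                                 # no extensions block
    end = off + 2 + _u16(hello, off)
    off += 2
    while off + 4 <= end:
        ext_type, ext_len = _u16(hello, off), _u16(hello, off + 2)
        off += 4
        if ext_type == 0:                           # server_name (RFC 6066)
            data = hello[off:off + ext_len]
            list_len, p = _u16(data, 0), 2
            while p + 3 <= 2 + list_len:
                name_type, name_len = data[p], _u16(data, p + 1)
                p += 3
                if name_type == 0:                  # host_name
                    return data[p:p + name_len].decode("ascii")
                p += name_len
        off += ext_len
    return None


def sni_in_whitelist(record: bytes, suffixes) -> bool:
    """Mimic a `ssl::server_name .domain1.tld` style match.

    A leading dot matches the domain itself and any subdomain; without an
    SNI in the record there is nothing to match, so the result is False.
    """
    name = extract_sni(record)
    if name is None:
        return False
    name = name.lower()
    for s in suffixes:
        s = s.lower()
        if s.startswith("."):
            if name == s[1:] or name.endswith(s):
                return True
        elif name == s:
            return True
    return False


def build_client_hello(host=None) -> bytes:
    """Build a minimal TLS 1.2 ClientHello (constructed test input only)."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32)               # version + random
             + b"\x00"                             # empty session_id
             + b"\x00\x02\x00\x2f"                 # one cipher suite
             + b"\x01\x00"                         # null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    allowed = [".domain1.tld", ".domain2.tld"]      # assumed whitelist
    for h in ["www.domain1.tld", "evil-domain1.tld", None]:
        rec = build_client_hello(h)
        print(h, "->", extract_sni(rec), sni_in_whitelist(rec, allowed))
```

Running the script prints the extracted name and the whitelist verdict for a matching subdomain, a look-alike name that only shares a suffix without the dot boundary, and a ClientHello with no SNI at all; the last case is the one an SNI-based acl can never match, which is why a peek must happen before any server_name decision is taken.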