[squid-users] Two questions regarding ssl_bump and peek/splice.

Tue Apr 19 13:16:13 UTC 2016

Can anyone point me to a deep dive or something like that about how ssl_bump and peek/splice etc work? The more technical the better.   I don't want to ask a ton of questions about some of the errors I'm getting without fully understanding what is going on.

I currently have squid working almost the way I want it, with just a few remaining issues.  One of them being is that with ssl sites I seem to get a lot of "not private, cert authority" messages then I have to add that site to an acl to not be bumped.    Regarding my first question, I want to understand why.

My second question I think is a quickie.  Can you run 2 log files?  Reason being is that I use squidanalyzer and it only reads the standard log format.  But there are better log formats for what I'm doing. I'd like to keep dual logs while I work on my own analyzer that reads that log file.   You can see the logformat line commented out along with some other log  lines.

Thanks much

Here is my current working config.

#Access Lists
acl internal src 192.168.200.0/21
acl wireless src 192.168.100.0/23

#Ports allowed through Squid
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

#acls from blacklist
acl allowed dstdomain -i "/etc/squid3/acls/http_allowed.acl"
acl prime dstdomain -i "/etc/squid3/acls/squid-prime.acl"
acl china dst -n "/etc/squid3/acls/ccd-china.acl"
acl india dst -n "/etc/squid3/acls/ccd-india.acl"
acl iran dst -n "/etc/squid3/acls/ccd-iran.acl"
acl nigeria dst -n "/etc/squid3/acls/ccd-nigeria.acl"
acl pakistan dst -n "/etc/squid3/acls/ccd-nigeria.acl"
acl romania dst -n "/etc/squid3/acls/ccd-romania.acl"
acl russia dst -n "/etc/squid3/acls/ccd-russia.acl"
acl syria dst -n "/etc/squid3/acls/ccd-syria.acl"
acl ukraine dst -n "/etc/squid3/acls/ccd-ukraine.acl"
acl uzbekistan dst -n "/etc/squid3/acls/ccd-uzbekistan.acl"
acl ips dst -n "/etc/squid3/acls/broken_ips.acl"

#allow/deny
http_access allow allowed
http_access allow ips
http_access deny prime
http_access deny china
http_access deny india
http_access deny iran
http_access deny nigeria
http_access deny pakistan
http_access deny romania
http_access deny russia
http_access deny syria
http_access deny ukraine
http_access deny uzbekistan

http_access allow internal
http_access allow wireless
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

#Bumping
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl broken_sites ssl::server_name_regex "/etc/squid3/acls/http_broken.txt"

#ssl_bump peek all
ssl_bump peek !broken_sites
ssl_bump splice all
#ssl_bump splice !broken_sites

sslproxy_capath /etc/ssl/certs

sslcrtd_program /lib/squid3/ssl_crtd -s /etc/squid3/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

#logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

#access_log syslog:daemon.info mine
#access_log daemon:/var/log/squid3/test.log mine

#intercept
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid3/certs/squid.pem cafile=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

#nameservers
dns_nameservers 192.168.201.1 8.8.8.8

#WCCPv2 items
wccp_version 2
wccp2_router 192.168.200.73
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=LNP1
wccp2_service dynamic 70 password=LNP1
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

Bruce Markey | Network Security Analyst
STEINMAN COMMUNICATIONS
717.291.8758 (o) | bmarkey at steinmancommunications.com
8 West King St | PO Box 1328, Lancaster, PA 17608-1328

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160419/ac42f99c/attachment.html>