[squid-users] High CPU Usage with ssl_bump

Odhiambo Washington odhiambo at gmail.com
Thu Apr 21 21:26:58 UTC 2016


On 21 April 2016 at 23:14, Alex Rousskov <rousskov at measurement-factory.com>
wrote:

> On 04/21/2016 01:59 PM, Odhiambo Washington wrote:
> > On 21 April 2016 at 22:04, Amos Jeffries wrote:
> >
> >     On 22/04/2016 6:20 a.m., Odhiambo Washington wrote:
> >     > I have now changed to *configurations suggested specifically for your use
> >     > case, on this email thread* :)
>
> >     > acl no_ssl_interception ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> >     > ssl_bump splice no_ssl_interception
> >     > ssl_bump stare all
> >     > ssl_bump bump all
>
>
> >     No the "stare" being done will prevent splice and you will see breakage
> >     or unexpected things again.
> >     You have to replace 'stare' with 'peek' AND replace 'bump' with
> >     'splice'.
>
>
> > Like below???
>
>
> > acl no_ssl_interception ssl::server_name "/usr/local/etc/squid/ssl_bump_broken_sites.txt"
> > ssl_bump splice no_ssl_interception
> > ssl_bump peek all
> > ssl_bump splice all
>
>
> Logging aside, your latest random configuration is equivalent to
>
>   ssl_bump splice all
>
> which means you are better off not intercepting SSL at all, which brings
> us back to the old question: What do you want Squid to do?
>

If I could intercept SSL and do nothing EXCEPT subject the domains to time
ACLs, that'd be all. I do not need any bumping to be precise.
I just want the data passing through squid for me to determine who is
allowed to access it and at what time.

I do have time ACLs, which I use in conjunction with MAC ACLs and certain
domains, like facebook.com. Right now I rely on dstdomain to identify the
domains.
With domains using SSL, I cannot use dstdomain, right? Let me demonstrate
with config snippets from my squid.conf, perhaps that would explain it
better and maybe I will find a better, easier way out than this ssl_bump
monster :-)

acl TIMEweekdaysALLDAY time MTWHF 09:00-17:00
acl TIMEafterhoursMORN time MTWHF 00:00-09:00
acl TIMElunch time MTWHF 12:00-13:59
acl TIMEafterhoursAFT time MTWHF 14:30-23:59
acl TIMEsatMORN time A 00:00-07:00
acl TIMEsatAFT time A 11:00-23:59
acl TIMEsatALLDAY time A 00:00-23:59
acl TIMEsundALLDAY time S 00:00-23:59

# Internet Access Regulation
# Some privileged staff - can browse unrestricted
acl privileged-staff arp "/usr/local/etc/squid/privileged_mac_addresses.txt"

# Sites staff waste all their time on - Social Networks, streaming sites, etc
acl TIMEWASTAGESITES dstdomain "/usr/local/etc/squid/time_wastage_sites.txt"

# TIMEWASTAGESITES
http_access allow TIMEWASTAGESITES privileged-staff
http_access allow TIMEWASTAGESITES TIMElunch
http_access allow TIMEWASTAGESITES TIMEafterhoursAFT
http_access allow TIMEWASTAGESITES TIMEafterhoursMORN
http_access allow TIMEWASTAGESITES TIMEsatALLDAY
http_access allow TIMEWASTAGESITES TIMEsundALLDAY
http_access deny  TIMEWASTAGESITES


Now, the above used to work until facebook.com, youtube.com, and
others switched to HTTPS. After that it wasn't possible for me to
control access to them.

So really, all I want is the ability to intercept SSL and subject it
to those time ACLs for a class of users. Nothing more.



> If you want Squid to not intrude except when terminating prohibited
> traffic, then start with this sketch:
>
>   ssl_bump terminate prohibited_traffic
>   ssl_bump peek all
>   ssl_bump splice all
>

Lemme see if I understand this. I have a problem wrapping my head around
'terminate' (as a terminology, maybe) and 'prohibited_traffic' (also as a
terminology).
So, are you saying that prohibited_traffic here is something like:

acl TIMEWASTAGESITES_SSL ssl::server_name "/usr/local/etc/squid/time_wastage_SSL_sites.txt"

And in that file I have
.facebook.com
.youtube.com
...

Then I just apply my usual time ACLs..

http_access allow TIMEWASTAGESITES_SSL privileged-staff
http_access allow TIMEWASTAGESITES_SSL TIMElunch
http_access allow TIMEWASTAGESITES_SSL TIMEafterhoursAFT
http_access allow TIMEWASTAGESITES_SSL TIMEafterhoursMORN
http_access allow TIMEWASTAGESITES_SSL TIMEsatALLDAY
http_access allow TIMEWASTAGESITES_SSL TIMEsundALLDAY
http_access deny  TIMEWASTAGESITES_SSL

That is more like all I want - use *ssl::server_name* instead of *dstdomain*.
The sites are NOT prohibited per se, and 'terminate' kinda scares me. I
need to RTFM about this 'terminate' again and again until I can sing it :)



> If you want Squid to intrude (where possible) and block prohibited
> traffic, then install your CA certificates on all user devices and start
> with this sketch:
>
>   ssl_bump splice things_that_are_impossible_to_bump
>   ssl_bump stare all
>   ssl_bump bump all
>   http_access deny prohibited_traffic
>
> Alex.
>
>

I actually believe I do not need any mention of ssl_bump, but the confusion
for me arises out of TWO things:

1. In my firewall (FreeBSD PF), redirecting traffic destined to port 443
via squid wasn't an option prior to the introduction of the SSL
interception, right?
2. In squid.conf, I did not yet figure out if I can use just


     https_port 13129 intercept

Instead of

    https_port NNNN intercept ssl-bump ...... ....



I hope this time round I have explained myself well.

Thank you.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

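One way to combine the quoted `terminate` / `peek` / `splice` sketch with the time and MAC ACLs from this message, as an added example that is not part of the original thread or the Squid project's own configuration. It assumes Squid 3.5 or later built with SSL-bump support and an intercepting `https_port` already in place; the ACL name `step1` is an assumption, the other names, paths and time windows are copied from the message.

```conf
# Added example, not from the thread. Names other than "step1" come from the message.

# Time windows and privileged MAC addresses, as defined in the message.
acl TIMEafterhoursMORN time MTWHF 00:00-09:00
acl TIMElunch          time MTWHF 12:00-13:59
acl TIMEafterhoursAFT  time MTWHF 14:30-23:59
acl TIMEsatALLDAY      time A 00:00-23:59
acl TIMEsundALLDAY     time S 00:00-23:59
acl privileged-staff   arp "/usr/local/etc/squid/privileged_mac_addresses.txt"

# Matched against the SNI from the TLS ClientHello (file holds .facebook.com, .youtube.com, ...).
acl TIMEWASTAGESITES_SSL ssl::server_name "/usr/local/etc/squid/time_wastage_SSL_sites.txt"

# Assumed ACL name: true only during the first SslBump processing step.
acl step1 at_step SslBump1

# Step 1: read the ClientHello without altering it, so the SNI is known at step 2.
ssl_bump peek step1

# Step 2: rules are first-match, ACLs on one line are ANDed.
# Listed sites are tunnelled untouched for privileged staff or inside a permitted window.
ssl_bump splice TIMEWASTAGESITES_SSL privileged-staff
ssl_bump splice TIMEWASTAGESITES_SSL TIMElunch
ssl_bump splice TIMEWASTAGESITES_SSL TIMEafterhoursAFT
ssl_bump splice TIMEWASTAGESITES_SSL TIMEafterhoursMORN
ssl_bump splice TIMEWASTAGESITES_SSL TIMEsatALLDAY
ssl_bump splice TIMEWASTAGESITES_SSL TIMEsundALLDAY

# Listed sites outside every permitted window: close the connection.
ssl_bump terminate TIMEWASTAGESITES_SSL

# Everything else is tunnelled without decryption; no CA certificate is needed on clients.
ssl_bump splice all
```

`terminate` closes the TCP connection without sending an error page, and the rules are evaluated when a connection is set up, so a tunnel that was already spliced is not cut when a time window ends.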