[squid-users] SSL Bump - Splice - Chrome error

Yuri Voinov yvoinov at gmail.com
Tue Jan 5 14:57:27 UTC 2016


You can write it easy ;)

Please note:

1. AFAIK, a splice rule must be preceded by a bump rule in your config.
2. You can use ssl::server_name_regex or ssl::server_name for a decision.
3. In most cases your users must have your cache's CA when the cache cannot
splice.

A config snippet, for example, will look like this:

# SSL bump rules 1
acl step1 at_step SslBump1
acl Splice_Only ssl::server_name_regex -i "/usr/local/squid/etc/google_sites"
ssl_bump splice Splice_Only
ssl_bump peek step1
ssl_bump bump all

Note: This snippet will bump all others, and tunnel Splice_Only acl sites.

# SSL bump rules 2
acl step1 at_step SslBump1
ssl_bump peek step1
acl Splice_Only ssl::server_name_regex -i "/usr/local/squid/etc/google_sites"
ssl_bump splice Splice_Only
ssl_bump bump all

Note: This snippet will peek all, splice Splice_Only acl, and bump all others.

Amos, Alex,

correct me if I am wrong somewhere.

WBR, Yuri

PS. Also note: you must adjust https_port and/or other SSL options to
harden your cache's TLS connections to avoid other Chrome security
warnings. For example, avoid using SHA1 in your cache's CA, configure
EDH ciphers for outgoing _and_ client-to-cache connections, and suppress
the use of SSLv2/SSLv3 (but keep in mind: you have _many_ old clients, like
IM, which are hardcoded to use SSLv2/SSLv3, and you will get
warnings/errors in your cache.log about it).

05.01.16 18:51, Alejandro Martinez wrote:
> Hi all
> I'm still lost, can I ask for a minimal working config splicing google.com
> sites ?
>
> I have made some additional checks (blocking QUIC), but with no luck.
>
> I'm thinking of creating an external helper that receives via
> ssl::server_name and makes a decision there, but if there is a chance
> with a simple text file I would appreciate that.
>
> Thanks.
>
>
> 2016-01-04 9:52 GMT-03:00 Alejandro Martinez <ajm.martinez at gmail.com>:
>
>> Thanks all for your help.
>>
>> Is there a minimal config example to see splicing correctly Google sites?
>>
>> It would be very helpful.
>> On 04/01/2016 09:28, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:
>>
>>> On 4/01/2016 1:16 p.m., Alejandro Martinez wrote:
>>>> Thanks again Yuri.
>>>>
>>>> I have tried blocking udp protocol on port 80 and 443 but without luck.
>>>
>>> That does not help resolve the errors Chrome is displaying when using
>>> the proxy. It does help resolve the errors that happen by Chrome trying
>>> to bypass the proxy by using the proprietary QUIC protocol.
>>>
>>>>
>>>> Is it possible to make google sites work in transparent mode without
>>>> bumping? Only splicing?
>>>>
>>>
>>> Of course. That is the purpose of splice. Bumping is optional.
>>>
>>> Amos
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>
>
>
>

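An added Python model, not part of Yuri's post or of Squid itself, of how rule snippet 2 and the regex file interact: it walks the ssl_bump lines in order for step 1 and step 2 and matches server names the way ssl::server_name_regex -i does (case-insensitive, unanchored search). The pattern file contents and both pattern lists are constructed for the example; the anchored list shows that a loose pattern would also splice, and therefore leave uninspected, any name that merely contains google.com.

```python
import re

# Constructed stand-in for the pattern file the post references
# (/usr/local/squid/etc/google_sites): one regex per line, as squid reads a
# quoted "file" argument. Both lists are made up for this example.
LOOSE_PATTERNS = [r"google\.com", r"gstatic\.com"]
ANCHORED_PATTERNS = [r"(^|\.)google\.com$", r"(^|\.)gstatic\.com$"]


def load_patterns(lines, case_insensitive=True):
    """Compile each non-empty, non-comment line; -i becomes re.IGNORECASE."""
    flags = re.IGNORECASE if case_insensitive else 0
    return [re.compile(line.strip(), flags)
            for line in lines
            if line.strip() and not line.strip().startswith("#")]


def name_matches(server_name, patterns):
    """ssl::server_name_regex semantics: unanchored search, any hit matches."""
    return any(p.search(server_name) for p in patterns)


def ssl_bump_action(rules, acls, step, server_name):
    """Walk ssl_bump lines top to bottom; the first line whose acl matches decides."""
    for action, acl_name in rules:
        if acl_name == "all" or acls[acl_name](step, server_name):
            return action
    return None  # not reached for rule sets that end in "bump all"


def build_rules_2(patterns):
    """Rule snippet 2 from the post: peek at step 1, splice the list, bump the rest."""
    acls = {
        "step1": lambda step, _name: step == 1,
        "Splice_Only": lambda _step, name: name_matches(name, patterns),
    }
    rules = [("peek", "step1"), ("splice", "Splice_Only"), ("bump", "all")]
    return lambda step, name: ssl_bump_action(rules, acls, step, name)


def decide(server_name, pattern_lines):
    """Return the (step 1, step 2) decisions for one TLS connection under snippet 2."""
    policy = build_rules_2(load_patterns(pattern_lines))
    return policy(1, server_name), policy(2, server_name)


if __name__ == "__main__":
    for name in ("www.google.com", "google.com.evil.example", "example.org"):
        print(name, decide(name, LOOSE_PATTERNS), decide(name, ANCHORED_PATTERNS))
```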
