[squid-users] SSL Bump - Splice - Chrome error

Alejandro Martinez ajm.martinez at gmail.com
Tue Jan 5 15:18:39 UTC 2016


Yuri thanks again.

I'm going to give it a try and post my results.

Alejandro

2016-01-05 11:57 GMT-03:00 Yuri Voinov <yvoinov at gmail.com>:

>
> You can write it easily ;)
>
> Please note:
>
> 1. AFAIK, splice rule must be preceded by bump rule in your config.
> 2. You can use ssl::server_name_regex or ssl::server_name for a decision
> 3. In most cases your users must have your cache CA's when cache cannot
> splice
>
> A config snippet, for example, will look like this:
>
> # SSL bump rules 1
> acl step1 at_step SslBump1
> acl Splice_Only ssl::server_name_regex -i "/usr/local/squid/etc/google_sites"
> ssl_bump splice Splice_Only
> ssl_bump peek step1
> ssl_bump bump all
>
> Note: This snippet will bump all others, and tunnel Splice_Only acl sites.
>
> # SSL bump rules 2
> acl step1 at_step SslBump1
> ssl_bump peek step1
> acl Splice_Only ssl::server_name_regex -i "/usr/local/squid/etc/google_sites"
> ssl_bump splice Splice_Only
> ssl_bump bump all
>
> Note: This snippet will peek all, splice Splice_Only acl, and bump all
> others.
>
> Amos, Alex,
>
> correct me if I am wrong somewhere.
>
> WBR, Yuri
>
> PS. Also note: you must adjust https_port and/or other SSL options to
> harden your cache's TLS connections to avoid other Chrome security
> warnings. For example, avoid using SHA1 in your cache's CA, configure EDH
> ciphers for outgoing _and_ client-to-cache connections, and suppress the
> use of SSLv2/SSLv3 (but keep in mind: you have _many_ old clients, like IM,
> which are hardcoded to use SSLv2/SSLv3, and you will get warnings/errors in
> your cache.log about it).
>
> 05.01.16 18:51, Alejandro Martinez wrote:
>
> > Hi all,
> > I'm still lost. Can I ask for a minimal working config splicing
> > google.com sites?
> >
> > I have made some additional checks (blocking QUIC), but with no luck.
> >
> > I'm thinking of creating an external helper that receives
> > ssl::server_name and makes a decision there, but if there is a chance
> > with a simple text file I would appreciate that.
> >
> > Thanks.
> >
> >
> > 2016-01-04 9:52 GMT-03:00 Alejandro Martinez <ajm.martinez at gmail.com>:
> >
> >> Thanks all for your help.
> >>
> >> Is there a minimal config example to see Google sites splicing correctly?
> >>
> >> It would be very helpful.
> >> On 04/01/2016 09:28, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:
> >>
> >>> On 4/01/2016 1:16 p.m., Alejandro Martinez wrote:
> >>>> Thanks again Yuri.
> >>>>
> >>>> I have tried blocking the UDP protocol on ports 80 and 443 but without
> >>>> luck.
> >>>
> >>> That does not help resolve the errors Chrome is displaying when using
> >>> the proxy. It does help resolve the errors that happen by Chrome trying
> >>> to bypass the proxy by using the proprietary QUIC protocol.
> >>>
> >>>>
> >>>> Is it possible to make google sites work in transparent mode without
> >>>> bumping ? only splicing ?
> >>>>
> >>>
> >>> Of course. That is the purpose of splice. Bumping is optional.
> >>>
> >>> Amos
> >>> _______________________________________________
> >>> squid-users mailing list
> >>> squid-users at lists.squid-cache.org
> >>> http://lists.squid-cache.org/listinfo/squid-users
> >>>
> >>
> >
>
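As an added example (not code from this thread or from the Squid project), here is the second snippet above expanded into a self-contained squid.conf fragment for an intercepting proxy, together with the regex list file it reads and the TLS hardening mentioned in the PS. Paths, the port number, the CA file name, the cipher list and the domain list are all assumptions for illustration. One point worth keeping in mind when choosing between the two orderings: at SslBump1 Squid has not yet read the ClientHello, so for an intercepted connection ssl::server_name can only match the destination address there; an SNI-based splice decision needs to be evaluated at SslBump2, after "peek step1", which is the order the second snippet uses.

```conf
# ---- /usr/local/squid/etc/google_sites  (assumed path) ----
# One regex per line, matched case-insensitively (-i) against the
# server name Squid has learned: the SNI at step 2. The domain list
# below is an assumption for illustration, not a complete Google list.
(^|\.)google\.com$
(^|\.)gstatic\.com$
(^|\.)googleapis\.com$

# ---- squid.conf fragment (Squid 3.5 syntax; paths/ports are assumptions) ----

# Intercepted HTTPS listener. Chrome also rejects weak proxy CAs and
# legacy protocols, so on the client-to-cache leg:
#  - cert=  must be a CA signed with SHA-256, not SHA-1
#  - options= disables SSLv2/SSLv3
#  - cipher= offers only ECDHE/DHE (forward-secret) suites
#  - dhparams= supplies the DH group so the DHE suites can be used
https_port 3129 intercept ssl-bump cert=/usr/local/squid/etc/ssl/cache-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=NO_SSLv2,NO_SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 dhparams=/usr/local/squid/etc/ssl/dhparams.pem

# Same hardening on the cache-to-origin leg ("outgoing" in the PS).
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cipher ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

# Helper that mints the per-site certificates for bumped connections.
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Step ACLs. ssl_bump rules are evaluated in order at every step and the
# first matching rule wins, so the order below is what makes this work.
acl step1 at_step SslBump1
acl Splice_Only ssl::server_name_regex -i "/usr/local/squid/etc/google_sites"

# Step 1: only the intercepted destination IP is known. Peek so Squid
# reads the ClientHello (and its SNI) before deciding anything.
ssl_bump peek step1

# Step 2: ssl::server_name now carries the SNI. Listed sites are tunnelled
# as-is: the cache CA never appears in that chain, so Chrome's pinning
# for Google hosts is not triggered.
ssl_bump splice Splice_Only

# Everything else is decrypted; clients must trust cache-ca.pem for this.
ssl_bump bump all
```

Validate the file with `squid -k parse` before reloading. To confirm from a client that a listed site is really spliced, run `openssl s_client -connect www.google.com:443 -servername www.google.com` through the intercepting path and check the issuer of the presented certificate: a spliced site shows Google's own issuer, while a bumped site shows a certificate issued by the cache CA.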