[squid-users] Squid 3.5.19 how to find banking server name for no bump

Stanford Prescott stan.prescott at gmail.com
Sun Jul 10 14:44:15 UTC 2016


Thank you for that. I do already have a method set up via my squid proxy UI
to allow clients to bypass the squid proxy via iptables rules if they need
to.

On Wed, Jun 29, 2016 at 2:57 AM, Eliezer Croitoru <eliezer at ngtech.co.il>
wrote:

> Hey,
>
>
>
> I have seen that you are using squid in intercept mode either on Linux or
> some BSD.
>
> If there is a site\server that you don't want to enter squid at all you
> will need to bypass it in the FW\IPTABLES level.
>
> In linux you would be able to use some ipset list that will be bypassed
> from being intercepted.
>
> If you are interested reply and I will try to give you an example how to
> use it.
>
>
>
> Eliezer
>
>
>
> ----
>
> Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Stanford Prescott
> Sent: Wednesday, June 29, 2016 2:56 AM
> To: Amos Jeffries
> Cc: squid-users
> Subject: Re: [squid-users] Squid 3.5.19 how to find banking server name for no bump
>
>
>
> I forgot to mention, I am using squid 3.5.19
>
>
>
> On Tue, Jun 28, 2016 at 6:47 PM, Stanford Prescott <
> stan.prescott at gmail.com> wrote:
>
> When I enter .wellsfargo.com in
>
> acl tls_s1_connect at_step SslBump1
> acl tls_s2_client_hello at_step SslBump2
> acl tls_s3_server_hello at_step SslBump3
>
> acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
> acl tls_allowed_hsts ssl::server_name .akamaihd.net
> acl tls_server_is_bank ssl::server_name .wellsfargo.com
> acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
>
> ssl_bump peek tls_s1_connect all
> ssl_bump splice tls_s2_client_hello tls_to_splice
> ssl_bump stare tls_s2_client_hello all
> ssl_bump bump tls_s3_server_hello all
>
> it appears that the banking site is still getting bumped, i.e. like in this
> access.log snippet:
>
> 1467156887.817    257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
> 1467156888.008     94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
> 1467156893.774     75 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156893.847    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156893.875    120 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
> 1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
> 1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
> 1467156893.875    112 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156894.109    306 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156894.109    308 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
> 1467156895.488     72 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.98:443 - ORIGINAL_DST/216.58.194.98 -
> 1467156895.513     98 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.70:443 - ORIGINAL_DST/216.58.194.70 -
> 1467156895.648     66 10.40.40.100 TCP_MISS/302 739 GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid= - ORIGINAL_DST/216.58.194.98 image/gif
> 1467156895.664     82 10.40.40.100 TCP_MISS/200 649 GET https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808? - ORIGINAL_DST/216.58.194.70 image/gif
> 1467156895.920    250 10.40.40.100 TAG_NONE/200 0 CONNECT 24.155.92.60:443 - ORIGINAL_DST/24.155.92.60 -
> 1467156896.061     79 10.40.40.100 TCP_MISS/200 503 GET https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630 - ORIGINAL_DST/24.155.92.60 image/gif
> 1467156899.837   5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
> 1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
> 1467156899.837   5679 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
> 1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
> 1467156899.838   5680 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
> 1467156899.838   5588 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
> 1467156900.836   5421 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
> 1467156900.836   5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
> 1467156900.837   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.2.142:443 - HIER_NONE/- -
> 1467156900.837   5139 10.40.40.100 TCP_TUNNEL/200 4043 CONNECT static.wellsfargo.com:443 - ORIGINAL_DST/159.45.2.142 -
> 1467156900.838   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
> 1467156900.838   5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
>
>
>
> If I disable sslbumping then the bank site does not get bumped, of course.
>
>
>
> 1467157349.321    230 10.40.40.100 TCP_MISS/301 243 GET
> http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -
>
>
>
> Here is my squid.conf with bumping enabled.
>
>
>
> visible_hostname smoothwall
>
>
>
> # Uncomment the following to send debug info to /var/log/squid/cache.log
>
> #debug_options ALL,1 33,2 28,9
>
>
>
> # ACCESS CONTROLS
>
> # ----------------------------------------------------------------
>
> acl localhostgreen src 10.40.40.1
>
> acl localnetgreen src 10.40.40.0/24
>
> acl SWE_subnets src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"
>
>
>
> acl SSL_ports port 445 443 441 563
>
> acl Safe_ports port 80     # http
>
> acl Safe_ports port 81     # smoothwall http
>
> acl Safe_ports port 21     # ftp
>
> acl Safe_ports port 445 443 441 563 # https, snews
>
> acl Safe_ports port 70     # gopher
>
> acl Safe_ports port 210       # wais
>
> acl Safe_ports port 1025-65535 # unregistered ports
>
> acl Safe_ports port 280       # http-mgmt
>
> acl Safe_ports port 488       # gss-http
>
> acl Safe_ports port 591       # filemaker
>
> acl Safe_ports port 777       # multiling http
>
>
>
> acl CONNECT method CONNECT
>
>
>
> # TAG: http_access
>
> # ----------------------------------------------------------------
>
>
>
> http_access allow SWE_subnets
>
>
>
>
>
> http_access allow localhost
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
>
>
> http_access allow localnetgreen
>
> http_access allow CONNECT localnetgreen
>
>
>
> http_access allow localhostgreen
>
> http_access allow CONNECT localhostgreen
>
>
>
> # http_port and https_port
>
>
> #----------------------------------------------------------------------------
>
>
>
> # For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
>
>
> #----------------------------------------------------------------------------
>
> http_port 3127
>
>
>
> http_port 10.40.40.1:800 intercept
>
> https_port 10.40.40.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem
>
>
>
>
>
> http_port 127.0.0.1:800 intercept
>
>
>
> sslproxy_session_cache_size 4 MB
>
>
>
> ssl_bump none localhostgreen
>
>
>
> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
>
> sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>
>
>
> acl tls_s1_connect at_step SslBump1
>
> acl tls_s2_client_hello at_step SslBump2
>
> acl tls_s3_server_hello at_step SslBump3
>
>
>
> acl tls_allowed_hsts ssl::server_name .akamaihd.net
>
> acl tls_server_is_bank ssl::server_name .wellsfargo.com
>
> acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
>
>
>
> ssl_bump peek tls_s1_connect all
>
> ssl_bump splice tls_s2_client_hello tls_to_splice
>
> ssl_bump stare tls_s2_client_hello all
>
> ssl_bump bump tls_s3_server_hello all
>
>
>
> sslproxy_cert_error deny all
>
> sslproxy_flags DONT_VERIFY_PEER
>
> sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
>
> sslcrtd_children 5
>
>
>
> http_access deny all
>
>
>
> cache_replacement_policy heap GDSF
>
> memory_replacement_policy heap GDSF
>
>
>
> # CACHE OPTIONS
>
> # ----------------------------------------------------------------------------
>
> cache_effective_user squid
>
> cache_effective_group squid
>
>
>
> cache_swap_high 100
>
> cache_swap_low 80
>
>
>
> cache_access_log stdio:/var/log/squid/access.log
>
> cache_log /var/log/squid/cache.log
>
> cache_mem 64 MB
>
>
>
> cache_dir aufs /var/spool/squid/cache 1024 16 256
>
>
>
> maximum_object_size 33 MB
>
>
>
> minimum_object_size 0 KB
>
>
>
>
>
> request_body_max_size 0 KB
>
>
>
> # OTHER OPTIONS
>
> # ----------------------------------------------------------------------------
>
> #via off
>
> forwarded_for off
>
>
>
> pid_filename /var/run/squid.pid
>
>
>
> shutdown_lifetime 10 seconds
>
> #icp_port 3130
>
>
>
> half_closed_clients off
>
>
>
> umask 022
>
>
>
> logfile_rotate 0
>
>
>
> strip_query_terms off
>
>
> On Tue, Jun 28, 2016 at 9:56 AM, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
> On 29/06/2016 2:02 a.m., Stanford Prescott wrote:
> > I have the proper peek and splice and bump configuration of acls setup in
> > my squid.conf file for no-bump of some web sites. I need help how to enter
> > the banking hosts and or server names in a way that the peek and splice
> > configuration will determine it is a banking site that I don't want bumped.
> >
> > For example, if a user enters www.wellsfargo.com for online banking my
> > current config still bumps wellsfargo.com. What would I need to enter for
> > wellsfargo.com so that banking server will not be bumped?
> >
>
> Depends on what you mean by "enter".
>
> Are you asking for the ACL value?
>   .wellsfargo.com
>
> Are you asking for the ACL definition?
>  acl banks ssl::server_name .wellsfargo.com
>
> Or are you asking for a whole SSL-Bump configuration example?
>  <http://wiki.squid-cache.org/Features/SslPeekAndSplice> has a few.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
>
>
>
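As an added check (not part of the thread, and not Squid's own tooling): a short Python script that reads access.log lines in Squid's native format and reports, per host, whether a TLS flow was spliced (TCP_TUNNEL on a CONNECT carrying the SNI host name) or bumped (a decrypted https:// request line), and flags any bumped host that matches the splice list. The first five sample lines are copied from the log excerpt quoted above; the sixth is constructed to show what a violation looks like.

```python
import re

# Squid native access.log: time elapsed client code/status bytes method URL rfc931 hierarchy/peer type.
# First five lines copied from the excerpt quoted above; the sixth is constructed to show a bumped
# (decrypted) request to a host that should have been spliced.
SAMPLE_LOG = """\
1467156887.817    257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008     94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156899.837   5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836   5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
1467156901.000    120 10.40.40.100 TCP_MISS/200 1024 GET https://www.wellsfargo.com/login - ORIGINAL_DST/159.45.170.145 text/html
"""
IP_PORT = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")  # CONNECT target before any SNI is known

def parse_line(line):
    """Pull the fields this check needs out of one well-formed native-format line."""
    f = line.split()
    return {"result": f[3].split("/", 1)[0], "method": f[5], "url": f[6]}

def host_of(rec):
    """Server name as logged: host:port for CONNECT, the URL host otherwise."""
    if rec["method"] == "CONNECT":
        return rec["url"].rsplit(":", 1)[0]
    return re.sub(r"^https?://", "", rec["url"]).split("/", 1)[0]

def classify(rec):
    """TCP_TUNNEL on a CONNECT naming a host = spliced (relayed unread); an https:// request
    line = bumped (decrypted); CONNECT to a bare IP = step-1 record of an intercepted flow."""
    if rec["method"] == "CONNECT":
        if IP_PORT.match(rec["url"]):
            return "intercepted"
        return "spliced" if rec["result"] == "TCP_TUNNEL" else "other"
    return "bumped" if rec["url"].startswith("https://") else "plain"

def matches_splice_list(host, suffixes):
    """ssl::server_name semantics for a leading-dot value: the domain itself or any subdomain."""
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in map(str.lower, suffixes))

def splice_report(log_text, splice_list):
    """Hosts spliced, hosts bumped, and bumped hosts the splice list says should not have been."""
    report = {"spliced": [], "bumped": [], "violations": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        kind = classify(rec)
        if kind in ("spliced", "bumped"):
            host = host_of(rec)
            report[kind].append(host)
            if kind == "bumped" and matches_splice_list(host, splice_list):
                report["violations"].append(host)
    return report
```

Run it against a real access.log (for example `splice_report(open("/var/log/squid/access.log").read(), [".akamaihd.net", ".wellsfargo.com"])`) after a test visit to the bank; an empty `violations` list means the splice rule is taking effect for every request that was logged.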