[squid-users] Squid Peek/Splice some issues

Eliezer Croitoru eliezer at ngtech.co.il
Tue Jun 21 07:02:22 UTC 2016


Hey Ahmad,

Since these apps are having issues, it means that squid or they are broken, or … both.

The basic issue is that from one side you want to intercept while you don't want to break the passing traffic.

Squid's task is to work with every piece of the OS and the traffic, including parsing and "understanding" the passing traffic.

The issue is that currently (3.5) squid doesn't have any way to not break HTTPS once it was intercepted and was unwrapped.

The deeper issue is that many applications are using HTTP+HTTPS in a way that needs a couple of twists and causes security complications.

It would be kind of "simple" to resolve the issue by bypassing squid SSL unwrapping.

If you don't care about security and you care more about caching what is possible and not caching "everything", this is the right solution.

It is possible to use a technique which will collect information about the destination HOST to be a valid HTTPS service before splicing but..

It has its own overheads, but if you care less about caching and more about the service then it's the right solution.

Just to illustrate, an ACL and filtering proxy will be pretty "simple" compared to one with caching overheads, since all the resources would be dedicated to the actual decision part of the service rather than the disk IO and cached object DB lookups.

From what I remember squid 4 is supposed to have a basic option that will differentiate between STANDARD https and other protocols.

I have not tested it yet but I am still processing 4 ideas in general.

 

Eliezer

----

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il

From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of --Ahmad--
Sent: Tuesday, June 21, 2016 12:43 AM
To: Squid Users
Subject: [squid-users] Squid Peek/Splice some issues

Hi,

I have squid that is working on 3.5.

Port 80 and 443 traffic goes to Squid via IPTables.

Squid then passes traffic to ClamAV via C-ICAP. Squid is configured to intercept all SSL traffic and PKI has been set up and distributed to all clients.

We have a problem in Skype for Business (Office 365) and Slack (chat app); it seems it's broken from squid intercept.

Current versions we have:

* Squid 3.5.19
* C-ICAP 0.4.2
* SquidclamAV 6.15
* ClamAV 0.99.2

=====================

here is squid.conf:

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8        # RFC1918 possible internal network

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow localhost manager
http_access deny manager

# Squid normally listens to port 3128
http_port 3127
http_port 3128 intercept

coredump_dir /var/cache/squid

visible_hostname test1

cache_log /opt/var/log/squid/cache_log
cache_access_log /opt/var/log/squid/access_log

cache_effective_user squid
cache_effective_group squid

icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

acl test-header dstdomain test.com
request_header_add X-TEST-GUID TEST test-header

#Custom Error Pages
error_directory /opt/www/squid

# Squid listen Port
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/etc/pki/squid/ca-key.pem cert=/opt/etc/pki/squid/ca.pem options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslcrtd_program /opt/libexec/ssl_crtd -s /opt/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

cache_dir aufs /var/cache/squid 40000 16 256
store_dir_select_algorithm round-robin
minimum_object_size 0 KB
maximum_object_size 96 MB
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
cache_mem 1500 MB
buffered_logs on
half_closed_clients off
dns_nameservers 10.192.0.1

=======================================================

I think the best is to set up ACLs to bypass the interception for these applications like Skype for Business (Office 365) and Slack (chat app).

Thank you
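The peek/splice layout both messages point at (Eliezer's "collect information about the destination HOST before splicing", Ahmad's "ACLs to bypass the interception"), as an added example that is not part of this thread: it replaces the posted "ssl_bump server-first all" with step-aware rules for Squid 3.5 that read the SNI first, splice the listed applications, and bump everything else. The hostnames are placeholders, not the real Skype for Business or Slack names.

```conf
# Added example (not from the thread): Squid 3.5 peek/splice rules that leave
# chosen applications' TLS untouched and bump everything else. Replaces the
# single line "ssl_bump server-first all" from the posted squid.conf.

# Step 1: Squid only knows the TCP destination. Peek reads the client's TLS
# ClientHello (and its SNI) without altering the handshake.
acl step1 at_step SslBump1
ssl_bump peek step1

# Hostnames to splice (pass through as an opaque TLS tunnel). The values are
# PLACEHOLDERS: replace them with the SNI names the two applications actually
# send, as recorded by the sni_log defined below.
acl nobump_apps ssl::server_name .skype-placeholder.example
acl nobump_apps ssl::server_name .slack-placeholder.example

# Step 2: the SNI is now known, so the ACL above can match. Spliced
# connections are never decrypted, so they also never reach ICAP/ClamAV.
ssl_bump splice nobump_apps

# Everything else: connect to the origin with TLS, present a mimicked server
# certificate to the client, and hand the decrypted exchange to the ICAP
# services exactly as the existing config does.
ssl_bump bump all

# Record the SNI per TLS connection so the placeholders can be filled in
# from observed traffic rather than guessed.
logformat snilog %ts.%03tu %>a %ssl::>sni %Ss/%03>Hs
access_log /opt/var/log/squid/sni_log snilog
```

Every host on the splice list is a hole in the ClamAV scan, which is the tradeoff Eliezer describes, so keep the list to the names the applications demonstrably need.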
