[squid-users] Squid 3.5.19 how to find banking server name for no bump

Stanford Prescott stan.prescott at gmail.com
Tue Jun 28 23:47:47 UTC 2016


When I enter .wellsfargo.com in

acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all


it appears that the banking site is still getting bumped, i.e. like in this
access.log snippet:

1467156887.817    257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008     94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156893.774     75 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.847    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875    120 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875    112 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    306 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    308 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156895.488     72 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.98:443 - ORIGINAL_DST/216.58.194.98 -
1467156895.513     98 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.70:443 - ORIGINAL_DST/216.58.194.70 -
1467156895.648     66 10.40.40.100 TCP_MISS/302 739 GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid= - ORIGINAL_DST/216.58.194.98 image/gif
1467156895.664     82 10.40.40.100 TCP_MISS/200 649 GET https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808? - ORIGINAL_DST/216.58.194.70 image/gif
1467156895.920    250 10.40.40.100 TAG_NONE/200 0 CONNECT 24.155.92.60:443 - ORIGINAL_DST/24.155.92.60 -
1467156896.061     79 10.40.40.100 TCP_MISS/200 503 GET https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630 - ORIGINAL_DST/24.155.92.60 image/gif
1467156899.837   5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156899.837   5679 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156899.838   5680 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.838   5588 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836   5421 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.836   5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
1467156900.837   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.2.142:443 - HIER_NONE/- -
1467156900.837   5139 10.40.40.100 TCP_TUNNEL/200 4043 CONNECT static.wellsfargo.com:443 - ORIGINAL_DST/159.45.2.142 -
1467156900.838   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.838   5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -

If I disable sslbumping then the bank site does not get bumped, of course.

1467157349.321    230 10.40.40.100 TCP_MISS/301 243 GET http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -

Here is my squid.conf with bumping enabled.

visible_hostname smoothwall

# Uncomment the following to send debug info to /var/log/squid/cache.log
#debug_options ALL,1 33,2 28,9

# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.40.40.1
acl localnetgreen src 10.40.40.0/24
acl SWE_subnets          src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"

acl SSL_ports port 445 443 441 563
acl Safe_ports port 80     # http
acl Safe_ports port 81     # smoothwall http
acl Safe_ports port 21     # ftp
acl Safe_ports port 445 443 441 563 # https, snews
acl Safe_ports port 70     # gopher
acl Safe_ports port 210       # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 488       # gss-http
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http

acl CONNECT method CONNECT

# TAG: http_access
# ----------------------------------------------------------------

http_access allow SWE_subnets


http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnetgreen
http_access allow CONNECT localnetgreen

http_access allow localhostgreen
http_access allow CONNECT localhostgreen

# http_port and https_port
#----------------------------------------------------------------------------

# For forward-proxy port. Squid uses this port to serve error pages, ftp
# icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127

http_port 10.40.40.1:800 intercept
https_port 10.40.40.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem


http_port 127.0.0.1:800 intercept

sslproxy_session_cache_size 4 MB

ssl_bump none localhostgreen

sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all

sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5

http_access deny all

cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

# CACHE OPTIONS
#----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid

cache_swap_high 100
cache_swap_low 80

cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB

cache_dir aufs /var/spool/squid/cache 1024 16 256

maximum_object_size 33 MB

minimum_object_size 0 KB


request_body_max_size 0 KB

# OTHER OPTIONS
#----------------------------------------------------------------------------
#via off
forwarded_for off

pid_filename /var/run/squid.pid

shutdown_lifetime 10 seconds
#icp_port 3130

half_closed_clients off

umask 022

logfile_rotate 0

strip_query_terms off





On Tue, Jun 28, 2016 at 9:56 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 29/06/2016 2:02 a.m., Stanford Prescott wrote:
> > I have the proper peek and splice and bump configuration of acls setup in
> > my squid.conf file for no-bump of some web sites. I need help how to
> enter
> > the banking hosts and or server names in a way that the peek and splice
> > configuration will determine it is a banking site that I don't want
> bumped.
> >
> > For example, if a user enters www.wellsfargo.com for online banking my
> > current config still bumps wellsfargo.com. What would I need to enter
> for
> > wellsfargo.com so that banking server will not be bumped?
> >
>
> Depends on what you mean by "enter".
>
> Are you asking for the ACL value?
>   .wellsfargo.com
>
> Are you asking for the ACL definition?
>  acl banks ssl::server_name .wellsfargo.com
>
> Or are you asking for a whole SSL-Bump configuration example?
>  <http://wiki.squid-cache.org/Features/SslPeekAndSplice> has a few.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
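The access.log excerpt above can be read mechanically to tell which TLS connections the proxy spliced and which it bumped. The following Python script is an added example, not part of this thread or of Squid itself; it assumes the native access.log format shown above and that ssl::server_name uses dstdomain-style leading-dot matching. It treats TCP_TUNNEL CONNECT lines as spliced (the SNI is in the URL) and decrypted https:// request lines as evidence of bumping, then checks a server_name ACL value against that evidence.

```python
from urllib.parse import urlsplit
# Constructed sample in Squid native access.log format, modelled on the lines quoted in the thread:
# ts elapsed client code/status bytes method url ident hier/peer mimetype
SAMPLE_LOG = """\
1467156887.817 257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008 94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156899.837 5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837 5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836 5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
"""

def parse_line(line):
    """Split one native-format line into the fields needed here; None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    return {"code": f[3].split("/", 1)[0], "method": f[5], "url": f[6]}

def classify_tls(log_text):
    """Map each TLS server name in the log to 'spliced' or 'bumped'.
    A CONNECT logged as TCP_TUNNEL carries the SNI in its URL and was spliced;
    a bumped connection leaves no such line, only its decrypted requests logged
    with https:// URLs, so its name is taken from those. Zero-byte TAG_NONE
    CONNECT lines are per-step bookkeeping and carry no decision by themselves."""
    result = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT":
            if rec["code"] == "TCP_TUNNEL":
                result[rec["url"].rsplit(":", 1)[0].lower()] = "spliced"
        elif rec["url"].startswith("https://"):
            result[urlsplit(rec["url"]).hostname] = "bumped"
    return result

def matches_server_name(acl_value, host):
    """Leading-dot value matches the domain and all subdomains (assumed dstdomain semantics)."""
    acl_value, host = acl_value.lower(), host.lower()
    if acl_value.startswith("."):
        return host == acl_value[1:] or host.endswith(acl_value)
    return host == acl_value

def check_splice_acl(acl_value, log_text):
    """Return (spliced hosts, bumped hosts) among those matching a ssl::server_name value."""
    seen = classify_tls(log_text)
    hits = {h: v for h, v in seen.items() if matches_server_name(acl_value, h)}
    return (sorted(h for h, v in hits.items() if v == "spliced"),
            sorted(h for h, v in hits.items() if v == "bumped"))
```

Running check_splice_acl(".wellsfargo.com", SAMPLE_LOG) on the constructed sample lists both Wells Fargo hosts as spliced and none as bumped; a non-empty second list is the signal that a splice rule is not matching.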