[squid-users] Squid 3.5.19 how to find banking server name for no bump

Stanford Prescott stan.prescott at gmail.com
Tue Jun 28 23:56:11 UTC 2016


I forgot to mention, I am using squid 3.5.19

On Tue, Jun 28, 2016 at 6:47 PM, Stanford Prescott <stan.prescott at gmail.com>
wrote:

> When I enter .wellsfargo.com in
>
> *acl tls_s1_connect at_step SslBump1*
> *acl tls_s2_client_hello at_step SslBump2*
> *acl tls_s3_server_hello at_step SslBump3*
>
> *acl tls_server_name_is_ip ssl::server_name_regex
> ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n*
> *acl tls_allowed_hsts ssl::server_name .akamaihd.net <http://akamaihd.net>*
> *acl tls_server_is_bank ssl::server_name .wellsfargo.com
> <http://wellsfargo.com>*
> *acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank*
>
> *ssl_bump peek tls_s1_connect all*
> *ssl_bump splice tls_s2_client_hello tls_to_splice*
> *ssl_bump stare tls_s2_client_hello all*
> *ssl_bump bump tls_s3_server_hello all*
>
>
> it appears that the banking site is still getting bumped i.e.like in this
> access.log snippet
>
> *1467156887.817    257 10.40.40.100 TAG_NONE/200 0 CONNECT
> 54.149.224.177:443 <http://54.149.224.177:443> -
> ORIGINAL_DST/54.149.224.177 <http://54.149.224.177> -*
> *1467156888.008     94 10.40.40.100 TCP_MISS/200 213 POST
> https://tiles.services.mozilla.com/v2/links/view
> <https://tiles.services.mozilla.com/v2/links/view> -
> ORIGINAL_DST/54.149.224.177 <http://54.149.224.177> application/json*
> *1467156893.774     75 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.102.185:443 <http://172.230.102.185:443> -
> ORIGINAL_DST/172.230.102.185 <http://172.230.102.185> -*
> *1467156893.847    117 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.102.185:443 <http://172.230.102.185:443> -
> ORIGINAL_DST/172.230.102.185 <http://172.230.102.185> -*
> *1467156893.875    120 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.221.75:443 <http://172.230.221.75:443> -
> ORIGINAL_DST/172.230.221.75 <http://172.230.221.75> -*
> *1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.102.185:443 <http://172.230.102.185:443> -
> ORIGINAL_DST/172.230.102.185 <http://172.230.102.185> -*
> *1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.221.75:443 <http://172.230.221.75:443> -
> ORIGINAL_DST/172.230.221.75 <http://172.230.221.75> -*
> *1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.221.75:443 <http://172.230.221.75:443> -
> ORIGINAL_DST/172.230.221.75 <http://172.230.221.75> -*
> *1467156893.875    112 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.102.185:443 <http://172.230.102.185:443> -
> ORIGINAL_DST/172.230.102.185 <http://172.230.102.185> -*
> *1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.102.185:443 <http://172.230.102.185:443> -
> ORIGINAL_DST/172.230.102.185 <http://172.230.102.185> -*
> *1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.102.185:443 <http://172.230.102.185:443> -
> ORIGINAL_DST/172.230.102.185 <http://172.230.102.185> -*
> *1467156894.109    306 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.102.185:443 <http://172.230.102.185:443> -
> ORIGINAL_DST/172.230.102.185 <http://172.230.102.185> -*
> *1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.102.185:443 <http://172.230.102.185:443> -
> ORIGINAL_DST/172.230.102.185 <http://172.230.102.185> -*
> *1467156894.109    308 10.40.40.100 TAG_NONE/200 0 CONNECT
> 172.230.102.185:443 <http://172.230.102.185:443> -
> ORIGINAL_DST/172.230.102.185 <http://172.230.102.185> -*
> *1467156895.488     72 10.40.40.100 TAG_NONE/200 0 CONNECT
> 216.58.194.98:443 <http://216.58.194.98:443> - ORIGINAL_DST/216.58.194.98
> <http://216.58.194.98> -*
> *1467156895.513     98 10.40.40.100 TAG_NONE/200 0 CONNECT
> 216.58.194.70:443 <http://216.58.194.70:443> - ORIGINAL_DST/216.58.194.70
> <http://216.58.194.70> -*
> *1467156895.648     66 10.40.40.100 TCP_MISS/302 739 GET
> https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid=
> <https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid=>
> - ORIGINAL_DST/216.58.194.98 <http://216.58.194.98> image/gif*
> *1467156895.664     82 10.40.40.100 TCP_MISS/200 649 GET
> https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808
> <https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808>?
> - ORIGINAL_DST/216.58.194.70 <http://216.58.194.70> image/gif*
> *1467156895.920    250 10.40.40.100 TAG_NONE/200 0 CONNECT
> 24.155.92.60:443 <http://24.155.92.60:443> - ORIGINAL_DST/24.155.92.60
> <http://24.155.92.60> -*
> *1467156896.061     79 10.40.40.100 TCP_MISS/200 503 GET
> https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630
> <https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630>
> - ORIGINAL_DST/24.155.92.60 <http://24.155.92.60> image/gif*
> *1467156899.837   5727 10.40.40.100 TAG_NONE/200 0 CONNECT
> 159.45.66.156:443 <http://159.45.66.156:443> - HIER_NONE/- -*
> *1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT
> connect.secure.wellsfargo.com:443
> <http://connect.secure.wellsfargo.com:443> - ORIGINAL_DST/159.45.66.156
> <http://159.45.66.156> -*
> *1467156899.837   5679 10.40.40.100 TAG_NONE/200 0 CONNECT
> 159.45.66.156:443 <http://159.45.66.156:443> - HIER_NONE/- -*
> *1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT
> connect.secure.wellsfargo.com:443
> <http://connect.secure.wellsfargo.com:443> - ORIGINAL_DST/159.45.66.156
> <http://159.45.66.156> -*
> *1467156899.838   5680 10.40.40.100 TAG_NONE/200 0 CONNECT
> 159.45.66.156:443 <http://159.45.66.156:443> - HIER_NONE/- -*
> *1467156899.838   5588 10.40.40.100 TCP_TUNNEL/200 165 CONNECT
> connect.secure.wellsfargo.com:443
> <http://connect.secure.wellsfargo.com:443> - ORIGINAL_DST/159.45.66.156
> <http://159.45.66.156> -*
> *1467156900.836   5421 10.40.40.100 TAG_NONE/200 0 CONNECT
> 159.45.170.145:443 <http://159.45.170.145:443> - HIER_NONE/- -*
> *1467156900.836   5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT
> www.wellsfargo.com:443 <http://www.wellsfargo.com:443> -
> ORIGINAL_DST/159.45.170.145 <http://159.45.170.145> -*
> *1467156900.837   5423 10.40.40.100 TAG_NONE/200 0 CONNECT
> 159.45.2.142:443 <http://159.45.2.142:443> - HIER_NONE/- -*
> *1467156900.837   5139 10.40.40.100 TCP_TUNNEL/200 4043 CONNECT
> static.wellsfargo.com:443 <http://static.wellsfargo.com:443> -
> ORIGINAL_DST/159.45.2.142 <http://159.45.2.142> -*
> *1467156900.838   5423 10.40.40.100 TAG_NONE/200 0 CONNECT
> 159.45.170.145:443 <http://159.45.170.145:443> - HIER_NONE/- -*
> *1467156900.838   5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT
> www.wellsfargo.com:443 <http://www.wellsfargo.com:443> -
> ORIGINAL_DST/159.45.170.145 <http://159.45.170.145> -*
>
> If I disable sslbumping then the bank site does not get bumped, of course.
>
> 1467157349.321    230 10.40.40.100 TCP_MISS/301 243 GET
> http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -
>
> Here is my squid.conf with bumping enabled.
>
> visible_hostname smoothwall
>
> # Uncomment the following to send debug info to /var/log/squid/cache.log
> #debug_options ALL,1 33,2 28,9
>
> # ACCESS CONTROLS
> # ----------------------------------------------------------------
> acl localhostgreen src 10.40.40.1
> acl localnetgreen src 10.40.40.0/24
> acl SWE_subnets          src
> "/var/smoothwall/mods/proxy/acls/src_subnets.acl"
>
> acl SSL_ports port 445 443 441 563
> acl Safe_ports port 80     # http
> acl Safe_ports port 81     # smoothwall http
> acl Safe_ports port 21     # ftp
> acl Safe_ports port 445 443 441 563 # https, snews
> acl Safe_ports port 70     # gopher
> acl Safe_ports port 210       # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280       # http-mgmt
> acl Safe_ports port 488       # gss-http
> acl Safe_ports port 591       # filemaker
> acl Safe_ports port 777       # multiling http
>
> acl CONNECT method CONNECT
>
> # TAG: http_access
> # ----------------------------------------------------------------
>
> http_access allow SWE_subnets
>
>
> http_access allow localhost
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localnetgreen
> http_access allow CONNECT localnetgreen
>
> http_access allow localhostgreen
> http_access allow CONNECT localhostgreen
>
> # http_port and https_port
>
> #----------------------------------------------------------------------------
>
> # For forward-proxy port. Squid uses this port to serve error pages, ftp
> icons and communication with other proxies.
>
> #----------------------------------------------------------------------------
> http_port 3127
>
> http_port 10.40.40.1:800 intercept
> https_port 10.40.40.1:808 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
> sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression
> dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem
>
>
> http_port 127.0.0.1:800 intercept
>
> sslproxy_session_cache_size 4 MB
>
> ssl_bump none localhostgreen
>
> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
> sslproxy_cipher
> ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
>
> acl tls_s1_connect at_step SslBump1
> acl tls_s2_client_hello at_step SslBump2
> acl tls_s3_server_hello at_step SslBump3
>
> acl tls_allowed_hsts ssl::server_name .akamaihd.net
> acl tls_server_is_bank ssl::server_name .wellsfargo.com
> acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank
>
> ssl_bump peek tls_s1_connect all
> ssl_bump splice tls_s2_client_hello tls_to_splice
> ssl_bump stare tls_s2_client_hello all
> ssl_bump bump tls_s3_server_hello all
>
> sslproxy_cert_error deny all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s
> /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> http_access deny all
>
> cache_replacement_policy heap GDSF
> memory_replacement_policy heap GDSF
>
> # CACHE OPTIONS
> #
> ----------------------------------------------------------------------------
> cache_effective_user squid
> cache_effective_group squid
>
> cache_swap_high 100
> cache_swap_low 80
>
> cache_access_log stdio:/var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_mem 64 MB
>
> cache_dir aufs /var/spool/squid/cache 1024 16 256
>
> maximum_object_size 33 MB
>
> minimum_object_size 0 KB
>
>
> request_body_max_size 0 KB
>
> # OTHER OPTIONS
> #
> ----------------------------------------------------------------------------
> #via off
> forwarded_for off
>
> pid_filename /var/run/squid.pid
>
> shutdown_lifetime 10 seconds
> #icp_port 3130
>
> half_closed_clients off
>
> umask 022
>
> logfile_rotate 0
>
> strip_query_terms off
>
>
>
>
>
> On Tue, Jun 28, 2016 at 9:56 AM, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> On 29/06/2016 2:02 a.m., Stanford Prescott wrote:
>> > I have the proper peek and splice and bump configuration of acls setup
>> in
>> > my squid.conf file for no-bump of some web sites. I need help how to
>> enter
>> > the banking hosts and or server names in a way that the peek and splice
>> > configuration will determine it is a banking site that I don't want
>> bumped.
>> >
>> > For example, if a user enters www.wellsfargo.com for online banking my
>> > current config still bumps wellsfargo.com. What would I need to enter
>> for
>> > wellsfargo.com so that banking server will not be bumped?
>> >
>>
>> Depends on what you mean by "enter".
>>
>> Are you asking for the ACL value?
>>   .wellfargo.com
>>
>> Are you asking for the ACL definition?
>>  acl banks ssl::server_name .wellsfargo.com
>>
>> Or are you asking for a whole SSL-Bump configuration example?
>>  <http://wiki.squid-cache.org/Features/SslPeekAndSplice> has a few.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160628/1ef8c887/attachment-0001.html>


More information about the squid-users mailing list