[squid-users] Squid 3.5.19 how to find banking server name for no bump

Eliezer Croitoru eliezer at ngtech.co.il
Wed Jun 29 07:57:10 UTC 2016


Hey,

 

I have seen that you are using Squid in intercept mode, either on Linux or some BSD.

If there is a site/server that you don't want to enter Squid at all, you will need to bypass it at the FW/iptables level.

In Linux you would be able to use an ipset list that will be bypassed from being intercepted.

If you are interested, reply and I will try to give you an example of how to use it.

 

Eliezer

 

----

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



 

From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Stanford Prescott
Sent: Wednesday, June 29, 2016 2:56 AM
To: Amos Jeffries
Cc: squid-users
Subject: Re: [squid-users] Squid 3.5.19 how to find banking server name for no bump

 

I forgot to mention, I am using squid 3.5.19

 

On Tue, Jun 28, 2016 at 6:47 PM, Stanford Prescott <stan.prescott at gmail.com> wrote:

When I enter .wellsfargo.com in

 

acl tls_s1_connect at_step SslBump1

acl tls_s2_client_hello at_step SslBump2

acl tls_s3_server_hello at_step SslBump3

 

# matches connections whose SNI is a bare IPv4 literal: dots escaped, anchored at both ends
acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

acl tls_allowed_hsts ssl::server_name .akamaihd.net

acl tls_server_is_bank ssl::server_name .wellsfargo.com

acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

 

ssl_bump peek tls_s1_connect all

ssl_bump splice tls_s2_client_hello tls_to_splice

ssl_bump stare tls_s2_client_hello all

ssl_bump bump tls_s3_server_hello all

 

it appears that the banking site is still getting bumped, i.e. like in this access.log snippet

 

1467156887.817    257 10.40.40.100 TAG_NONE/200 0 CONNECT 54.149.224.177:443 - ORIGINAL_DST/54.149.224.177 -
1467156888.008     94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156893.774     75 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.847    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875    120 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875    117 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.221.75:443 - ORIGINAL_DST/172.230.221.75 -
1467156893.875    112 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156893.875    111 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    306 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    307 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156894.109    308 10.40.40.100 TAG_NONE/200 0 CONNECT 172.230.102.185:443 - ORIGINAL_DST/172.230.102.185 -
1467156895.488     72 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.98:443 - ORIGINAL_DST/216.58.194.98 -
1467156895.513     98 10.40.40.100 TAG_NONE/200 0 CONNECT 216.58.194.70:443 - ORIGINAL_DST/216.58.194.70 -
1467156895.648     66 10.40.40.100 TCP_MISS/302 739 GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON&script=0&data.prod=&data.subprod=&data.pageid= - ORIGINAL_DST/216.58.194.98 image/gif
1467156895.664     82 10.40.40.100 TCP_MISS/200 649 GET https://ad.doubleclick.net/activity;src=2549153;type=allv40;cat=all_a00;u1=11201507281102291611922021;ord=6472043235332.808? - ORIGINAL_DST/216.58.194.70 image/gif
1467156895.920    250 10.40.40.100 TAG_NONE/200 0 CONNECT 24.155.92.60:443 - ORIGINAL_DST/24.155.92.60 -
1467156896.061     79 10.40.40.100 TCP_MISS/200 503 GET https://www.google.com/ads/user-lists/974108101/?script=0&random=2433874630 - ORIGINAL_DST/24.155.92.60 image/gif
1467156899.837   5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156899.837   5679 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156899.838   5680 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.838   5588 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836   5421 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.836   5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
1467156900.837   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.2.142:443 - HIER_NONE/- -
1467156900.837   5139 10.40.40.100 TCP_TUNNEL/200 4043 CONNECT static.wellsfargo.com:443 - ORIGINAL_DST/159.45.2.142 -
1467156900.838   5423 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.170.145:443 - HIER_NONE/- -
1467156900.838   5088 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -

 

If I disable sslbumping then the bank site does not get bumped, of course.

 

1467157349.321    230 10.40.40.100 TCP_MISS/301 243 GET http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -

 

Here is my squid.conf with bumping enabled.

 

visible_hostname smoothwall

 

# Uncomment the following to send debug info to /var/log/squid/cache.log

#debug_options ALL,1 33,2 28,9

 

# ACCESS CONTROLS

# ----------------------------------------------------------------

acl localhostgreen src 10.40.40.1

acl localnetgreen src 10.40.40.0/24

acl SWE_subnets          src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"

 

acl SSL_ports port 445 443 441 563

acl Safe_ports port 80     # http

acl Safe_ports port 81     # smoothwall http

acl Safe_ports port 21     # ftp 

acl Safe_ports port 445 443 441 563 # https, snews

acl Safe_ports port 70     # gopher

acl Safe_ports port 210       # wais  

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280       # http-mgmt

acl Safe_ports port 488       # gss-http 

acl Safe_ports port 591       # filemaker

acl Safe_ports port 777       # multiling http

 

acl CONNECT method CONNECT

 

# TAG: http_access

# ----------------------------------------------------------------

 

http_access allow SWE_subnets

 

 

http_access allow localhost

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

 

http_access allow localnetgreen

http_access allow CONNECT localnetgreen

 

http_access allow localhostgreen

http_access allow CONNECT localhostgreen

 

# http_port and https_port

#----------------------------------------------------------------------------

 

# For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.

#----------------------------------------------------------------------------

http_port 3127

 

http_port 10.40.40.1:800 intercept

https_port 10.40.40.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem

 

 

http_port 127.0.0.1:800 intercept

 

sslproxy_session_cache_size 4 MB

 

ssl_bump none localhostgreen

 

sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression

sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

 

acl tls_s1_connect at_step SslBump1

acl tls_s2_client_hello at_step SslBump2

acl tls_s3_server_hello at_step SslBump3

 

acl tls_allowed_hsts ssl::server_name .akamaihd.net

acl tls_server_is_bank ssl::server_name .wellsfargo.com

acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

 

ssl_bump peek tls_s1_connect all

ssl_bump splice tls_s2_client_hello tls_to_splice

ssl_bump stare tls_s2_client_hello all

ssl_bump bump tls_s3_server_hello all

 

sslproxy_cert_error deny all

sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB

sslcrtd_children 5

 

http_access deny all

 

cache_replacement_policy heap GDSF

memory_replacement_policy heap GDSF

 

# CACHE OPTIONS

# ----------------------------------------------------------------------------

cache_effective_user squid

cache_effective_group squid

 

cache_swap_high 100

cache_swap_low 80

 

cache_access_log stdio:/var/log/squid/access.log

cache_log /var/log/squid/cache.log

cache_mem 64 MB

 

cache_dir aufs /var/spool/squid/cache 1024 16 256

 

maximum_object_size 33 MB

 

minimum_object_size 0 KB

 

 

request_body_max_size 0 KB

 

# OTHER OPTIONS

# ----------------------------------------------------------------------------

#via off

forwarded_for off

 

pid_filename /var/run/squid.pid

 

shutdown_lifetime 10 seconds

#icp_port 3130

 

half_closed_clients off

 

umask 022

 

logfile_rotate 0

 

strip_query_terms off

 

 

 

 

 

On Tue, Jun 28, 2016 at 9:56 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

On 29/06/2016 2:02 a.m., Stanford Prescott wrote:
> I have the proper peek and splice and bump configuration of acls setup in
> my squid.conf file for no-bump of some web sites. I need help how to enter
> the banking hosts and or server names in a way that the peek and splice
> configuration will determine it is a banking site that I don't want bumped.
>
> For example, if a user enters www.wellsfargo.com for online banking my
> current config still bumps wellsfargo.com. What would I need to enter for
> wellsfargo.com so that banking server will not be bumped?
>

Depends on what you mean by "enter".

Are you asking for the ACL value?
  .wellsfargo.com

Are you asking for the ACL definition?
 acl banks ssl::server_name .wellsfargo.com

Or are you asking for a whole SSL-Bump configuration example?
 http://wiki.squid-cache.org/Features/SslPeekAndSplice has a few.

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
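Reading the posted access.log for the bump/splice outcome, as an added example that is not part of the thread. In Squid's default log format a CONNECT logged as TCP_TUNNEL with the SNI hostname (the connect.secure.wellsfargo.com, www.wellsfargo.com and static.wellsfargo.com lines above) is a connection Squid tunneled without decrypting, and the TAG_NONE/200 0 CONNECT ip:443 lines next to them are the placeholders Squid writes for intercepted connections while it peeks; a bumped connection is recognisable by the GET/POST lines that carry a full https:// URL, as the mozilla.com and doubleclick.net entries do, because Squid can only log the inner request after decrypting it. The script below assumes that default logformat and classifies lines on that basis, then checks whether any host under a given domain was decrypted:

```shell
#!/bin/sh
# Classify Squid 3.5 access.log lines by what SSL-Bump did with the TLS
# session. Added example, not code from the thread. It assumes the default
# "squid" logformat seen in the posted snippet:
#   timestamp duration client result/status bytes method url user hier/peer type
#
# Verdicts:
#   spliced - TCP_TUNNEL on a CONNECT whose host is the SNI name: Squid passed
#             the TLS bytes through untouched (the "no bump" outcome).
#   bumped  - a GET/POST/... line with an https:// URL: Squid decrypted the
#             session and is logging the inner request.
#   peeked  - TAG_NONE/200, 0 bytes, CONNECT to ip:port: the placeholder Squid
#             writes for an intercepted connection while it is still peeking;
#             on its own it says nothing about the final outcome.
#   other   - plain HTTP or anything not covered above.

# Usage: classify_line "<one access.log line>"; prints the verdict.
# The body runs in a subshell so 'set -f' (no pathname expansion of URL
# characters such as '?' and '*') and the reassigned positional parameters
# do not leak into the caller.
classify_line() (
    set -f
    set -- $1
    result=${4%%/*}     # TCP_TUNNEL from TCP_TUNNEL/200, TAG_NONE from TAG_NONE/200
    method=$6
    url=$7
    case "$method:$result:$url" in
        CONNECT:TCP_TUNNEL:*) echo spliced ;;
        CONNECT:TAG_NONE:*)   echo peeked ;;
        *:*:https://*)        echo bumped ;;
        *)                    echo other ;;
    esac
)

# Usage: hosts_with_verdict <verdict> < access.log
# Prints the distinct server names that received that verdict, sorted.
hosts_with_verdict() (
    want=$1
    while IFS= read -r line; do
        [ "$(classify_line "$line")" = "$want" ] || continue
        set -f
        set -- $line
        host=${7#https://}  # bumped lines carry a full URL
        host=${host%%/*}    # drop the path
        host=${host%%:*}    # drop :443 on CONNECT lines
        echo "$host"
    done | sort -u
)

# Usage: assert_not_bumped <domain> < access.log
# Returns 0 when no decrypted request for <domain> or a subdomain of it
# appears in the log, 1 otherwise. This is the check to run after adding a
# domain to a splice ACL.
assert_not_bumped() (
    domain=$1
    hosts_with_verdict bumped | while IFS= read -r host; do
        case "$host" in
            "$domain"|*".$domain") exit 1 ;;
        esac
    done
)

# Sample input: lines taken from the access.log snippet posted above
# (the doubleclick URL is shortened).
SAMPLE_LOG='1467156888.008     94 10.40.40.100 TCP_MISS/200 213 POST https://tiles.services.mozilla.com/v2/links/view - ORIGINAL_DST/54.149.224.177 application/json
1467156895.648     66 10.40.40.100 TCP_MISS/302 739 GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/974108101/?value=0&guid=ON - ORIGINAL_DST/216.58.194.98 image/gif
1467156899.837   5727 10.40.40.100 TAG_NONE/200 0 CONNECT 159.45.66.156:443 - HIER_NONE/- -
1467156899.837   5587 10.40.40.100 TCP_TUNNEL/200 165 CONNECT connect.secure.wellsfargo.com:443 - ORIGINAL_DST/159.45.66.156 -
1467156900.836   5042 10.40.40.100 TCP_TUNNEL/200 4631 CONNECT www.wellsfargo.com:443 - ORIGINAL_DST/159.45.170.145 -
1467157349.321    230 10.40.40.100 TCP_MISS/301 243 GET http://wellsfargo.com/ - ORIGINAL_DST/159.45.66.143 -'

# Stand-alone run: list what was decrypted, then verify the bank was not.
printf '%s\n' "$SAMPLE_LOG" | hosts_with_verdict bumped
if printf '%s\n' "$SAMPLE_LOG" | assert_not_bumped wellsfargo.com; then
    echo "wellsfargo.com: not bumped"
else
    echo "wellsfargo.com: BUMPED"
fi
```

Against the live proxy the same functions read the real file, e.g. `hosts_with_verdict bumped < /var/log/squid/access.log`, which lists exactly the names whose traffic Squid has decrypted. One caveat for those names: with `sslproxy_flags DONT_VERIFY_PEER` set, as in the posted squid.conf, Squid accepts origin certificates that fail verification on bumped connections, so the `sslproxy_cert_error deny all` line beneath it never gets to reject them, and the browsers behind the proxy see only the certificate Squid re-signed with its own CA.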

 

 

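The firewall-level bypass Eliezer proposes at the top of the thread, as an added example (not code from the thread): an ipset of destination addresses matched in the nat PREROUTING chain ahead of the REDIRECT rules that feed Squid's intercept ports. The interface name eth0, the set name nobump and the shape of the REDIRECT rules are assumptions; the intercept ports 800 and 808 come from the posted squid.conf and the three 159.45.x.x addresses from the posted access.log.

```shell
#!/bin/sh
# Bypass Squid interception at the firewall for chosen destinations, as
# suggested above: packets to addresses in an ipset never reach the REDIRECT
# rules, so Squid never sees them and no peek/splice decision is needed.
# Added example, not code from the thread. Assumptions not stated on the page:
#   - LAN_IF is the inside interface (Smoothwall's GREEN; "eth0" is a placeholder)
#   - the intercept ports are those of the posted squid.conf: 800 for
#     http_port ... intercept, 808 for https_port ... intercept
#   - the set is called "nobump" and holds IPv4 addresses or CIDR blocks
# By default the commands are printed, not executed; set APPLY=1 to run them.

LAN_IF=${LAN_IF:-eth0}
SET_NAME=${SET_NAME:-nobump}
HTTP_INTERCEPT_PORT=800
HTTPS_INTERCEPT_PORT=808

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Create the set if missing and add every address/CIDR given. -exist makes
# both steps idempotent so the script can be re-run from cron.
build_set() {
    run ipset -exist create "$SET_NAME" hash:net
    for net in "$@"; do
        run ipset -exist add "$SET_NAME" "$net"
    done
}

# nat PREROUTING rules. ACCEPT in the nat table means "no NAT for this
# packet", so it goes straight to its destination. The set match is
# inserted at position 1: iptables evaluates rules in order, and a bypass
# appended after the REDIRECTs would never be reached.
nat_rules() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$HTTP_INTERCEPT_PORT"
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 -j REDIRECT --to-ports "$HTTPS_INTERCEPT_PORT"
    run iptables -t nat -I PREROUTING 1 -i "$LAN_IF" -p tcp -m set --match-set "$SET_NAME" dst -j ACCEPT
}

# Stand-alone run with the bank addresses that appear in the posted log.
# iptables matches addresses, not names, so every address the bank serves
# from must be in the set, and the set needs refreshing when they change;
# that is the trade-off against splicing by SNI inside Squid.
build_set 159.45.66.156 159.45.170.145 159.45.2.142
nat_rules
```

Unlike the ssl_bump splice ACL, this decides on the destination address before Squid has seen a byte, so it also covers clients that send no SNI; the price is that bypassed connections leave no access.log entry at all, and the set only stays correct for as long as it tracks the bank's current addresses.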

