[squid-users] intercepting tcp/443 purely for logging purposes

Amos Jeffries squid3 at treenet.co.nz
Mon Mar 21 07:53:05 UTC 2016


On 21/03/2016 10:29 a.m., Jason Haar wrote:
> Hi there
> 
> I'm wanting to use tls intercept to just log (well OK, and potentially
> block) HTTPS sites based on hostnames (from SNI), but have had problems
> even in peek-and-splice mode. So I'm willing to compromise and instead just
> intercept that traffic, log it, block on IP addresses if need be, and don't
> use ssl-bump beyond that.
> 
> So far the following seems to work perfectly, can someone confirm this is
> "supported" - ie that I'm not relying on some bug that might get fixed
> later? ;-)
> 

It is supporteed.

> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
> sslcrtd_children 32 startup=15 idle=5
> acl SSL_https port 443
> ssl_bump splice SSL_https
> acl BlacklistedHTTPSsites dstdomain
> "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> http_access deny BlacklistedHTTPSsites
> 
> The "bug" comment comes down to how acl seems to work. I half-expected the
> above not to work - but it does. It would appear squid will treat an
> intercept's dst IP as the "dns name" as that's all it's got - so
> "dstdomain" works fine for both CONNECT and intercept IFF the acl contains
> IP addresses

This is because the ssl_bump rules are saying to splice immediately when
only the pseudo-CONNECT with an IP address is known.

If you use this:
 ssl_bump peek all
 ssl_bump splice all

it will peek at the client SNI and server public cert details before
dropping back to a transparent pass-tru. Then it will have that domain
and any other non-encrypted details available for logging.

Amos



More information about the squid-users mailing list