[squid-users] intercepting tcp/443 purely for logging purposes

Mon Mar 21 19:01:00 UTC 2016

It's really not much more than what I first posted (I can't send my config
- it's pretty specific to our site - you'll have to figure out the standard
stuff yourself)

So this will make a squid-3.5 server capable of doing "transparent HTTPS"
without any fiddling with the transactions. Of course it assumes you
already know how to redirect port 443 traffic onto your proxy, and know how
to reconfigure the OS to support that too (ie same as transparent HTTP on
port 80)

acl BlacklistedHTTPSsites dstdomain
"/etc/squid/acl-BlacklistedHTTPSsites.txt"
http_access deny BlacklistedHTTPSsites
https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert
 cafile=/etc/squid/ca-bundle.crt generate-host-certificates=on
dynamic_cert_mem_cache_size=256MB options=ALL
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
sslcrtd_children 32 startup=15 idle=5
acl SSL_https port 443
ssl_bump splice SSL_https

On Tue, Mar 22, 2016 at 12:05 AM, Vito A. Smaldino <
vitoantonio.smaldino at istruzione.it> wrote:

> Hi all,
> great, i'm just searching for this. Jason can you kindly post the whole
> squid.conf?
> Thanks
> V
>
> 2016-03-20 22:29 GMT+01:00 Jason Haar <jason_haar at trimble.com>:
>
>> Hi there
>>
>> I'm wanting to use tls intercept to just log (well OK, and potentially
>> block) HTTPS sites based on hostnames (from SNI), but have had problems
>> even in peek-and-splice mode. So I'm willing to compromise and instead just
>> intercept that traffic, log it, block on IP addresses if need be, and don't
>> use ssl-bump beyond that.
>>
>> So far the following seems to work perfectly, can someone confirm this is
>> "supported" - ie that I'm not relying on some bug that might get fixed
>> later? ;-)
>>
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M
>> 256MB
>> sslcrtd_children 32 startup=15 idle=5
>> acl SSL_https port 443
>> ssl_bump splice SSL_https
>> acl BlacklistedHTTPSsites dstdomain
>> "/etc/squid/acl-BlacklistedHTTPSsites.txt"
>> http_access deny BlacklistedHTTPSsites
>>
>> The "bug" comment comes down to how acl seems to work. I half-expected
>> the above not to work - but it does. It would appear squid will treat an
>> intercept's dst IP as the "dns name" as that's all it's got - so
>> "dstdomain" works fine for both CONNECT and intercept IFF the acl contains
>> IP addresses
>>
>> I was hoping I wouldn't need ssl-bump at all, but you need squid to be
>> running a https_port, and for it to support "intercept", and to do that
>> squid insists on "ssl-bump" too - although that seems likely was a
>> programmer assumption that didn't include people like me doing mad things
>> like this? :-). I'd also guess I don't need 32 children/etc  - 1 would
>> suffice as it's never used?
>>
>> So the end result is that all CONNECT and/or intercept SSL/TLS traffic is
>> supported via the proxy, with all TLS security decisions residing on the
>> client. I get my logs, and if I want to block some known bad IP address, I
>> can: CONNECT causes a 403 HTTP error page and intercept basically ditches
>> the tcp/443 connection - which is as good as it gets without getting into
>> the wonderful world of real "bump"
>>
>> --
>> Cheers
>>
>> Jason Haar
>> Information Security Manager, Trimble Navigation Ltd.
>> Phone: +1 408 481 8171
>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> --
>> Vito A. Smaldino
>>
>> <http://lists.squid-cache.org/listinfo/squid-users>
>
>

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160322/cd85baf4/attachment.html>