[squid-users] intercepting tcp/443 purely for logging purposes

Vito A. Smaldino vitoantonio.smaldino at istruzione.it
Mon Mar 21 20:14:34 UTC 2016


Many thanks, I will try ASAP.

V

2016-03-21 20:01 GMT+01:00 Jason Haar <jason_haar at trimble.com>:

> It's really not much more than what I first posted (I can't send my config
> - it's pretty specific to our site - you'll have to figure out the standard
> stuff yourself)
>
> So this will make a squid-3.5 server capable of doing "transparent HTTPS"
> without any fiddling with the transactions. Of course it assumes you
> already know how to redirect port 443 traffic onto your proxy, and know how
> to reconfigure the OS to support that too (ie same as transparent HTTP on
> port 80)
>
> # Deny list of destinations; for intercepted TLS this only works with IP entries
> acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
> http_access deny BlacklistedHTTPSsites
> # intercept requires ssl-bump, so a CA and cert helper must be configured even though nothing is decrypted
> https_port 3127 intercept ssl-bump cert=/etc/squid/squid-CA.cert cafile=/etc/squid/ca-bundle.crt generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
> sslcrtd_children 32 startup=15 idle=5
> # splice every port-443 session: pass it through untouched, log only
> acl SSL_https port 443
> ssl_bump splice SSL_https
>
>
> On Tue, Mar 22, 2016 at 12:05 AM, Vito A. Smaldino <
> vitoantonio.smaldino at istruzione.it> wrote:
>
>> Hi all,
>> Great, I'm just searching for this. Jason, can you kindly post the whole
>> squid.conf?
>> Thanks
>> V
>>
>> 2016-03-20 22:29 GMT+01:00 Jason Haar <jason_haar at trimble.com>:
>>
>>> Hi there
>>>
>>> I'm wanting to use tls intercept to just log (well OK, and potentially
>>> block) HTTPS sites based on hostnames (from SNI), but have had problems
>>> even in peek-and-splice mode. So I'm willing to compromise and instead just
>>> intercept that traffic, log it, block on IP addresses if need be, and don't
>>> use ssl-bump beyond that.
>>>
>>> So far the following seems to work perfectly, can someone confirm this
>>> is "supported" - ie that I'm not relying on some bug that might get fixed
>>> later? ;-)
>>>
>>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 256MB
>>> sslcrtd_children 32 startup=15 idle=5
>>> # splice every port-443 session: pass it through untouched, log only
>>> acl SSL_https port 443
>>> ssl_bump splice SSL_https
>>> # Deny list of destinations; for intercepted TLS this only works with IP entries
>>> acl BlacklistedHTTPSsites dstdomain "/etc/squid/acl-BlacklistedHTTPSsites.txt"
>>> http_access deny BlacklistedHTTPSsites
>>>
>>> The "bug" comment comes down to how acl seems to work. I half-expected
>>> the above not to work - but it does. It would appear squid will treat an
>>> intercept's dst IP as the "dns name" as that's all it's got - so
>>> "dstdomain" works fine for both CONNECT and intercept IFF the acl contains
>>> IP addresses
>>>
>>> I was hoping I wouldn't need ssl-bump at all, but you need squid to be
>>> running a https_port, and for it to support "intercept", and to do that
>>> squid insists on "ssl-bump" too - although that seems likely was a
>>> programmer assumption that didn't include people like me doing mad things
>>> like this? :-). I'd also guess I don't need 32 children/etc - 1 would
>>> suffice as it's never used?
>>>
>>> So the end result is that all CONNECT and/or intercept SSL/TLS traffic
>>> is supported via the proxy, with all TLS security decisions residing on the
>>> client. I get my logs, and if I want to block some known bad IP address, I
>>> can: CONNECT causes a 403 HTTP error page and intercept basically ditches
>>> the tcp/443 connection - which is as good as it gets without getting into
>>> the wonderful world of real "bump"
>>>
>>> --
>>> Cheers
>>>
>>> Jason Haar
>>> Information Security Manager, Trimble Navigation Ltd.
>>> Phone: +1 408 481 8171
>>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>> --
>>> Vito A. Smaldino
>>>
>>
>>
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
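An added check, not from the thread or the Squid project, that makes Jason's "IFF the acl contains IP addresses" point concrete: it loads a constructed copy of the dstdomain acl file and classifies constructed access.log lines the way Squid sees them. The third log line shows the gap: the intercepted session to 203.0.113.9 is not blocked even though the same IP served www.evil.example over an explicit CONNECT, because a spliced intercept only ever exposes the destination IP.

```python
import ipaddress
# Constructed sample of the dstdomain acl file from the thread (not the poster's real list).
BLACKLIST_FILE = """\
198.51.100.7
.evil.example
bad.example.net
"""
# Constructed access.log lines in Squid's default "squid" log format: two spliced
# intercepts (ORIGINAL_DST) and one explicit CONNECT through the proxy.
SAMPLE_LOG = """\
1458590400.123   1200 192.168.1.10 TCP_TUNNEL/200 4523 CONNECT 198.51.100.7:443 - ORIGINAL_DST/198.51.100.7 -
1458590401.456    800 192.168.1.11 TCP_TUNNEL/200 3901 CONNECT www.evil.example:443 - HIER_DIRECT/203.0.113.9 -
1458590402.789    950 192.168.1.12 TCP_TUNNEL/200 6210 CONNECT 203.0.113.9:443 - ORIGINAL_DST/203.0.113.9 -
"""

def load_blacklist(text):
    """Split acl entries into IP literals and dstdomain patterns."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # squid acl files allow # comments
        if not line:
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            domains.add(line.lower())
    return ips, domains

def domain_matches(host, domains):
    # dstdomain: ".evil.example" matches the name and its subdomains; a bare name is exact.
    return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
               for d in domains)

def classify(log_text, ips, domains):
    """Return (host, kind, blocked) per tunnel. kind is 'intercept' when Squid saw
    only the original destination IP, which is all a spliced intercept offers."""
    out = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 9 or f[5] != "CONNECT":
            continue
        host = f[6].rsplit(":", 1)[0].lower()
        kind = "intercept" if f[8].startswith("ORIGINAL_DST/") else "connect"
        try:
            blocked = ipaddress.ip_address(host) in ips
        except ValueError:
            blocked = domain_matches(host, domains)
        out.append((host, kind, blocked))
    return out
```

Run it against a real acl file and access.log to list intercepted destinations your hostname-only entries will never catch.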